Re: dracut: ordering of modules

From: Roberto Sassu
Date: Mon Feb 13 2012 - 05:20:21 EST

Next message: Meelis Roos: "Re: OF-related boot crash in 3.3.0-rc3-00188-g3ec1e88"
Previous message: Konstantin Khlebnikov: "[PATCH v2] HID: use generic driver for Logitech Unifying receivers ifCONFIG_HID_LOGITECH_DJ=n"
In reply to: Harald Hoyer: "Re: dracut: ordering of modules"
Next in thread: Harald Hoyer: "Re: dracut: ordering of modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 02/13/2012 10:59 AM, Harald Hoyer wrote:

Am 10.02.2012 16:01, schrieb Mimi Zohar:
Hi Harald,

Originally, 98integrity/ima-policy-load.sh didn't start executing before
98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.

inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"

As the IMA policy could be dependent on LSM runtime info, this is a
problem.

[ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
[ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
[ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
[ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
[ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
[ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
[ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
[ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
[ 11.898956] SELinux: Completing initialization.

I've tried adding a depend for selinux, but it doesn't seem to resolve
the problem, nor does delaying 98integrity to later. Any suggestions
would be appreciated.

thanks,

Mimi

In Fedora the selinux dracut module is disabled by default. You have to enable
it manually.

Hi Harald

this functionality seems to be broken in dracut due to a change in the
SELinux load_policy tool.
After enabling the selinux module in dracut, i obtain:

[ 3.369059] dracut: Loading SELinux policy
[ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
[ 3.659899] dracut: Switching root

echo 'add_dracutmodules+=" selinux "'>> /etc/dracut.conf.d/99-my.conf

although, this also should do the thing:

$ git diff modules.d/98integrity/module-setup.sh
diff --git a/modules.d/98integrity/module-setup.sh
b/modules.d/98integrity/module-setup.sh
index 7d5771c..ff1b4aa 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -7,7 +7,7 @@ check() {
}

depends() {
- echo masterkey securityfs
+ echo masterkey securityfs selinux
return 0
}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Meelis Roos: "Re: OF-related boot crash in 3.3.0-rc3-00188-g3ec1e88"
Previous message: Konstantin Khlebnikov: "[PATCH v2] HID: use generic driver for Logitech Unifying receivers ifCONFIG_HID_LOGITECH_DJ=n"
In reply to: Harald Hoyer: "Re: dracut: ordering of modules"
Next in thread: Harald Hoyer: "Re: dracut: ordering of modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]