SELinux and compiling new kernel

Support for security such as Firewalls and securing linux
algol
Posts: 1
Joined: 2006/03/22 11:55:57

SELinux and compiling new kernel

Post by algol » 2006/03/22 16:06:26

Hi!

I'm searching for help with SELinux and working with a newly compiled kernel.
I'm installing CentOS x86_64 smp on an AMD 64 dual core. As its motherboard's BIOS has a bug, chipset nForce4 and newer than 2.6.14 kernels can't use more than 2Gb of RAM. So I had to compile and install a newer kernel than those in the RPM repositories. I've used 2.6.16.
Now I can use all 4Gb of RAM but can't boot with SELinux enabled, because when I try to do so I get the following message:

[code]Enforcing mode requested but no policy loaded. Halting now.
Kernel panic - not syncing: Attempted to kill init![/code]

I can't get any other error msg or anything that could give me any clue to what to do. So, I really need help...
I've relabeled the file system. But I think that's not the problem, because I had to do it by hand (using [code]fixfiles relabel[/code]) since [code]touch /.autorelabel[/code] didn't work.
I've installed selinux-policy-targeted-sources-1.17.30-2.126 and selinux-policy-targeted-sources-1.17.30-2.126 and ran 'make' and 'make install' and the problem remains.
checkpolicy detects no problem...
I don't know what to do and I really need this setup ready for production soon.
Is there anyone who can help?

Wolf-R1
Posts: 22
Joined: 2005/09/16 18:38:28

SELinux and compiling new kernel

Post by Wolf-R1 » 2006/06/27 13:47:21

This is not encouraging. I just ran into this same problem. I have compiled a new kernel for CentOS 4.3 and it works fine as long as SELinux is not set to enforcing. Once it's set to enforcing I get the same errors as you got. However, I cannot find any way to fix this. :(

Lenard
Posts: 2283
Joined: 2005/11/29 02:35:25
Location: Indiana

Re: SELinux and compiling new kernel

Post by Lenard » 2006/06/27 15:32:09

Since you're running a custom kernel you need to update the SELinux policy packages; get the sources and build:

http://download.fedora.redhat.com/pub/fedora/linux/core/5/source/SRPMS/checkpolicy-1.29.4-1.src.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/5/source/SRPMS/policycoreutils-1.29.26-6.src.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/5/source/SRPMS/selinux-policy-2.2.23-15.src.rpm

Note other packages may be required to satisfy the build requirements...

Wolf-R1
Posts: 22
Joined: 2005/09/16 18:38:28

Re: SELinux and compiling new kernel

Post by Wolf-R1 » 2006/06/27 17:00:01

I'm curious as to why I would need to build RPM packages from the source files? Can't I just use the RPM packages from the FC5 core repository instead?

Lenard
Posts: 2283
Joined: 2005/11/29 02:35:25
Location: Indiana

Re: SELinux and compiling new kernel

Post by Lenard » 2006/06/27 18:40:16

Sometimes yes you can, some of the time no.............

My mistake (no need to build packages); all you need are (for example):

[code]$ rpm -qa --qf="%{n}-%{v}-%{r}.%{arch}.rpm\n" 'check*' 'sel*' 'libse*' 'policy*' | sort
checkpolicy-1.23.1-1.x86_64.rpm
libselinux-1.27.23-1.i386.rpm
libselinux-1.27.23-1.x86_64.rpm
libselinux-devel-1.27.23-1.x86_64.rpm
libsepol-1.11.7-1.i386.rpm
libsepol-1.11.7-1.x86_64.rpm
libsepol-devel-1.11.7-1.x86_64.rpm
libsetrans-0.1.8-1.x86_64.rpm
policycoreutils-1.23.10-2.x86_64.rpm
selinux-policy-targeted-1.23.16-6.noarch.rpm
selinux-policy-targeted-sources-1.23.16-6.noarch.rpm[/code]

Hint: look in the FC4 downloads

To answer your question, sometimes the packages are built with new versions of the libs and may not work with the older versions. In addition many changes are taking place within the packages and the requirements (other packages) sometimes change.
