# boot stops [boot goes]

## idella4

This is a vm I prepared along the lines of the other post in here at this time re preparing a hardened xen guest.

I decided to, so as to run a parallel prep in sync, but it has not turned out.

The gentoo guest stops booting. I suspect it's to do with the gentoo startup scripts.

I posted another along the same lines a couple of days ago.

Rather than a hardened profile gentoo guest, I decided on using the selinux-2007 profile.

I've made a kernel in the guest, a 2.6.34 hardened kernel.  I've booted it with pv-grub.

It stops.

This is a matter of getting the system tuned into selinux.  From the guide, I've run rlpkg -a -r which does the labeling.

It seems to be missing some content. What is the kernel command to get it to re-label all at boot? That might let it complete.

This just needs some finishing off.

```
Done.
Done.
Begin: Running /scripts/init-bottom ...
Begin: Starting AppArmor profiles ...
chroot: cannot execute /etc/apparmor/initramfs: No such file or directory
Failure: AppArmor profiles failed to load
```

AppArmor is standard in SUSE. This selinux profile seems to expect it, however.

```
idella@genny ~ $ sudo emerge -s Armor
Password: 
Searching...
[ Results for search key : Armor ]
[ Applications found : 0 ]
```

When I boot into it paravirt with a generic guest kernel not equipped with selinuxfs or such hardened components, it skips past them.

```
gentoo_pristine ~ # uname -r
2.6.31.6
gentoo_pristine ~ # rlpkg -a -r
Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
```

Booting with an selinux-aware xen kernel:

```
[    8.504002] VFS: Mounted root (ext3 filesystem) readonly on device 202:2.
[    8.504002] Freeing unused kernel memory: 416k freed
[    8.682402] Warning: unable to open an initial console.
[    9.013929] SELinux:  class kernel_service not defined in policy
[    9.014007] SELinux:  class tun_socket not defined in policy
[    9.014007] SELinux:  permission open in class sock_file not defined in policy
[    9.014007] SELinux:  permission module_request in class system not defined in policy
[    9.014007] SELinux:  permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
[    9.014007] SELinux: the above unknown classes and permissions will be denied
[    9.014007] SELinux: (dev xvda2, type ext3) has no xattr support
```

More indications of the labeling not being complete. Is xattr a USE flag, or is it attributes in the kernel file system?

While I'm perusing the gentoo selinux docs, I enter the problems en route. On booting the generic xen kernel, it stops for a login right at the point where it stops with the other kernels. This seems related to the local script. I'm going to remove it from boot and see its effect. I added login to the local script to invoke a login since the booting was without login. It stops for login, then after a 560 sec timeout period it continues booting to the next init level.

Booting with pv-grub, which boots the hardened kernel:

```
[    4.984051] EXT3-fs (xvda2): recovery required on readonly filesystem
[    4.984067] EXT3-fs (xvda2): write access will be enabled during recovery
[    4.986727] kjournald starting.  Commit interval 5 seconds
[    4.986750] EXT3-fs (xvda2): recovery complete
[    4.986899] EXT3-fs (xvda2): mounted filesystem with ordered data mode
[    4.986928] VFS: Mounted root (ext3 filesystem) readonly on device 202:2.
[    4.986994] Freeing unused kernel memory: 436k freed
[    5.035489] SELinux:  Permission module_request in class system not defined in policy.
[    5.035543] SELinux:  Permission open in class sock_file not defined in policy.
[    5.035634] SELinux:  Permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy.
[    5.035669] SELinux:  Class kernel_service not defined in policy.
[    5.035677] SELinux:  Class tun_socket not defined in policy.
[    5.035685] SELinux: the above unknown classes and permissions will be denied
[    5.039166] type=1403 audit(1282176428.940:2): policy loaded auid=4294967295 ses=4294967295
[    5.664633] kbd_mode used greatest stack depth: 6524 bytes left
[    5.664973] init-early.sh used greatest stack depth: 5844 bytes left
[    5.686604] grep used greatest stack depth: 5436 bytes left
[    6.901736] EXT3-fs (xvda2): using internal journal
```

How on earth are you supposed to know what module_request & class sock_file & netlink_audit_socket belong to?

Are they just more of the selinux policy packages that aren't yet in?  Do I have to systematically emerge them all 1 by 1?

I have finished following the guide which just says to install the related packages listed in selinux in portage.

It needs an update; it looks about 3 years old and cites device-mapper, which is out of vogue.
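Added here as an example (not from the thread or from Gentoo): a small Python triage script for dmesg lines like those quoted above. The sample log is constructed from the messages in this post; the script groups the "not defined in policy" warnings (the kernel knows classes and permissions the loaded policy does not, which is what the `deny_unknown` entry in selinuxfs reports on), flags the filesystem that has no xattr support (on ext3 that is a kernel config option, not a USE flag), and checks that a policy was actually loaded.

```python
import re

# Constructed sample log, modelled on the messages quoted in the post above. The two
# kernels print the class/permission warnings with different capitalisation and
# punctuation, so the patterns below are case-insensitive and ignore the trailing dot.
SAMPLE_LOG = """\
[    9.013929] SELinux:  class kernel_service not defined in policy
[    9.014007] SELinux:  permission open in class sock_file not defined in policy
[    9.014007] SELinux: (dev xvda2, type ext3) has no xattr support
[    5.035489] SELinux:  Permission module_request in class system not defined in policy.
[    5.035669] SELinux:  Class kernel_service not defined in policy.
[    5.039166] type=1403 audit(1282176428.940:2): policy loaded auid=4294967295 ses=4294967295
"""

CLASS_RE = re.compile(r"SELinux:\s+class (\S+) not defined in policy", re.I)
PERM_RE = re.compile(r"SELinux:\s+permission (\S+) in class (\S+) not defined in policy", re.I)
XATTR_RE = re.compile(r"SELinux: \(dev (\S+), type (\S+)\) has no xattr support")
LOADED_RE = re.compile(r"type=1403 audit\(.*\): policy loaded")   # 1403 = policy load event


def triage_selinux_boot(log_text):
    """Parse dmesg-style lines and summarise the SELinux boot state."""
    classes, perms, no_xattr, loaded = set(), set(), [], False
    for line in log_text.splitlines():
        if m := CLASS_RE.search(line):
            classes.add(m.group(1))
        elif m := PERM_RE.search(line):
            perms.add((m.group(2), m.group(1)))       # (class, permission)
        elif m := XATTR_RE.search(line):
            no_xattr.append((m.group(1), m.group(2)))  # (device, fstype)
        elif LOADED_RE.search(line):
            loaded = True
    return {"unknown_classes": sorted(classes), "unknown_permissions": sorted(perms),
            "filesystems_without_xattr": no_xattr, "policy_loaded": loaded}


def findings(report):
    """Turn the report into plain notes for whoever is debugging the boot."""
    notes = []
    if report["unknown_classes"] or report["unknown_permissions"]:
        # The kernel is newer than the policy; the policy's handle-unknown setting
        # (exposed as deny_unknown in selinuxfs) decides whether these are denied.
        notes.append("policy lacks classes/permissions the kernel knows; see deny_unknown")
    for dev, fstype in report["filesystems_without_xattr"]:
        # Labels live in security.* xattrs; on ext3 that needs the kernel's
        # CONFIG_EXT3_FS_XATTR and CONFIG_EXT3_FS_SECURITY, otherwise a relabel cannot stick.
        notes.append(f"{dev} ({fstype}) has no xattr support: labels cannot be stored")
    if not report["policy_loaded"]:
        notes.append("no audit 1403 record: no policy was loaded")
    return notes
```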

----------

## idella4

yay

```
Thanks for using Gentoo ! :)
http://bugs.gentoo.org/show_bug.cgi?id=40987
-----------------------------------------------------
gentoo_pristine login: root
Password: 
Last login: Wed Aug 18 21:44:15 CDT 2010 on console
root@gentoo_pristine:~gentoo_pristine ~ # uname -r
2.6.34-hardened-r1
```

in. pv-grub :Cool: :Razz: In fact it may have been those inittab entries that allowed it in. Still without an selinuxfs!!

```
gentoo_pristine ~ # ls /selinux
access        commit_pending_bools  enforce           null                 user
avc           context               initial_contexts  policy_capabilities
booleans      create                load              policyvers
checkreqprot  deny_unknown          member            reject_unknown
class         disable               mls               relabel
```

Done. A hardened kernel booting a gentoo vm of selinux profile.

----------

