[Pkg-sysvinit-devel] Bug#330592: sysvinit: init panic after creating directory /selinux/
James Westby
jw+debian at jameswestby.net
Sun Oct 22 16:11:17 CEST 2006
Hi,
I have managed to get some more information on this bug. I have included
my findings below, but the short story is that I think it might be
somewhat fixed.
Can you still reproduce this bug? If so it would be interesting to get a
bit more information, for instance a full log of the crashing startup.
It would also be good to have some information about your system when it
is running normally. For instance all the information in /selinux and
/etc/selinux/.
> A few days ago, during boot, just before init startup, I too noticed the
> same message which claimed directory /selinux/ was not found.
>
> Thinking selinux was badly installed I created that directory... and
> forgot about it. Tonight, because of a change in my system, I rebooted,
> to have Init scream this message to me :
>
> INIT: PANIC: segmentation violation! sleeping for 30 seconds.
> INIT: PANIC: segmentation violation! sleeping for 30 seconds.
> etc ...
>
> Obviously it took me a while to link the 2 events together: I thought my
> disk was corrupt, except the lockup was always happening at the same
> place, and also I noticed that the message which claimed /selinux/ was
> missing, had changed to:
>
> Can't open '/etc/security/selinux/policy.19': no such file or directory.
This is the interesting part. I believe this is where Fedora keeps their
configuration, on Debian it is
/etc/selinux/<policy-name>/policy.<version>
However the above location is considered the "compat" location by
libselinux. The relevant bit of code is in
libselinux1-1.30.28/src/selinux_config.c:169
    if (access(SELINUXDIR, F_OK) != 0) {
        selinux_policyroot = SECURITYDIR;
        selinux_rootpath = SECURITYDIR;
        use_compat_file_path = 1;
        return;
    }
where SECURITYDIR is /etc/security/
so in sysvinit-2.86.ds1/src/init.c:189 (after ./debian/rules patch-stamp)
    snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
    fd = open(policy_file, O_RDONLY);
    if (fd < 0) {
        /* Check previous version to see if old policy is available */
        snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
        fd = open(policy_file, O_RDONLY);
        if (fd < 0) {
            printf( "Can't open '%s.%d': %s\n",
                selinux_binary_policy_path(),policy_version,strerror(errno));
            goto UMOUNT;
        }
    }
which you can see creates the above message.
So I managed to get the above message (for policy version 20) by
# rm -rf /etc/selinux
However it did not cause a segfault, and I got a completed boot. I did
however get
*** glibc detected *** free(): invalid pointer: 0x0804feb5 ***
*** glibc detected *** free(): invalid pointer: 0x0804feb5 ***
so maybe this is what was the segfault before.
I have looked for relevant code changes in both sysvinit and libselinux
since your report and I can't see anything that seems like it would have
fixed it. However I can't see anything that would cause a segfault
either.
>
> Once I removed the offending directory, and rebooted, I noticed the
> normal :
>
> INIT : Entering run level 2
>
> where just before init panicked.
This is due to the fact that if /selinux can't be mounted it bails out a
lot earlier.
>
> So, the 'solution' was easy, but the reason this might be a more serious
> bug is because normal users would not be able to restart from a system
> without a functioning init.
>
> Final note : this crash might happen because I have a custom kernel. I
> did include selinux in the build, though.
I used a fresh etch install in a qemu VM, with stock .17 kernel. I
installed selinux-basics and selinux-policy-refpolicy-targeted, did a
couple of reboots, and then did rm -rf /etc/selinux/, and rebooted with
selinux=1 on the kernel command line. I am using
libselinux1 1.30.28-2
sysvinit 2.86.ds1-20
libc6 2.3.6.ds1-4
libsepol1 1.12.26-2
So, as I said above it seems this bug might have been fixed along the
way, but I'm not totally convinced that I have matched your setup. It
also seems as if it requires a very broken setup to trigger it
(/etc/selinux/ unreadable).
I have also just noticed that you are on a different arch, so here is a
list of possible candidates for why I cannot reproduce,
amd64 vs i386
Kernel 2.6.13 vs 2.6.17
version of libselinux1
version of sysvinit
different setup
Any information you could provide would be useful,
Thanks,
James
--
James Westby -- GPG Key ID: B577FE13 -- http://jameswestby.net/
seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
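
The path selection traced in the message above, as an added example that is not part of the original mail and is not libselinux or sysvinit code. It takes a root prefix so it can be run against a scratch tree instead of a live system; the function names, return codes and the `targeted` policy name are assumptions, and the compat file name is the one shown in the quoted "Can't open" message.

```c
/* Added illustration; not code from libselinux or sysvinit. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { FOUND = 0, FOUND_PREVIOUS = 1, MISSING = -1, TOO_LONG = -2 };

/* Build "<base>.<version>" in out and try to open it read-only. */
static int try_policy(const char *base, int version, char *out, size_t len)
{
    int n = snprintf(out, len, "%s.%d", base, version);
    if (n < 0 || (size_t)n >= len) return TOO_LONG; /* never open a truncated name */
    int fd = open(out, O_RDONLY);
    if (fd < 0) return MISSING;
    close(fd);
    return FOUND;
}

/* root: "" for the live system, or a scratch tree. name stands in for
 * <policy-name> (assumption). out receives the last path tried. */
int find_policy(const char *root, const char *name, int version,
                int *compat, char *out, size_t len)
{
    char base[4096];
    int n = snprintf(base, sizeof base, "%s/etc/selinux", root);
    if (n < 0 || (size_t)n >= sizeof base) return TOO_LONG;
    *compat = access(base, F_OK) != 0; /* the test quoted from selinux_config.c */
    n = *compat
        ? snprintf(base, sizeof base, "%s/etc/security/selinux/policy", root)
        : snprintf(base, sizeof base, "%s/etc/selinux/%s/policy", root, name);
    if (n < 0 || (size_t)n >= sizeof base) return TOO_LONG;
    int rc = try_policy(base, version, out, len);
    if (rc != MISSING) return rc;
    rc = try_policy(base, version - 1, out, len); /* previous policy version */
    return rc == FOUND ? FOUND_PREVIOUS : rc;
}

int main(void)
{
    char root[] = "/tmp/selinux-demo-XXXXXX", out[4096];
    int compat;
    if (!mkdtemp(root)) return 1;   /* empty scratch root: no etc/selinux */
    if (find_policy(root, "targeted", 20, &compat, out, sizeof out) == MISSING)
        printf("compat=%d, can't open '%s': %s\n", compat, out, strerror(errno));
    return rmdir(root);
}
```

Run against an empty root it reports the compat location, which is the situation produced by removing /etc/selinux.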