Not booting with kernel 2.6.34.1 but works with 2.6.33.6

Postby dvdmeer » Wed Jul 14, 2010 2:39 pm

Hi,

I tried to use the latest version (lids-2.2.3rc11-2.6.34.patch) but the kernel will not boot correctly. It cannot mount the root file system as soon as LIDS is started.
Has something fundamental been changed compared to the old version (lids-2.2.3rc10-2.6.33.patch)?
I get a "mount: permission denied" and then a whole text about attempting to remount root device as read-write failed.
For both kernels I use the same LIDS rule set, and I copy the old kernel config to the new kernel, so they should be the same.
I will copy my rule set here below (notice the -1 recursive permissions; I will change them later when things are working perfectly).
But adding lids=0 to the boot parameters to turn off LIDS works perfectly and I am able to boot after this, so I know the problem is LIDS.

#!/bin/sh

LIDSCONF="/sbin/lidsconf"

# Clear all entries
echo -n "Clearing old entries...................................."
$LIDSCONF -Z
$LIDSCONF -Z BOOT
$LIDSCONF -Z POSTBOOT
$LIDSCONF -Z SHUTDOWN
echo "OK"

# Write protect default folders
echo -n "Protect default folders with read-only permissions......"
$LIDSCONF -A -o /etc/lids                        -j DENY      1>/dev/null 2>/dev/null
$LIDSCONF -A -o /bin                           -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /sbin                           -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/bin                        -j READONLY    1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/sbin                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/local/bin                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/local/sbin                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A POSTBOOT -o /lib                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/lib                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/local/lib                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/libexec                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /boot                           -j READONLY   1>/dev/null 2>/dev/null
echo "OK"

# Setup configuration folders
echo -n "Protect configuration folders..........................."
#$LIDSCONF -A -o /etc                           -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /etc/rc.d                        -j READONLY   1>/dev/null 2>/dev/null
#$LIDSCONF -A -o /etc/shadow                        -j READONLY   1>/dev/null 2>/dev/null
#$LIDSCONF -A -o /etc/shadow-                        -j READONLY   1>/dev/null 2>/dev/null
#$LIDSCONF -A POSTBOOT -o /etc/shadow                     -j DENY      1>/dev/null 2>/dev/null
#$LIDSCONF -A POSTBOOT -o /etc/shadow-                     -j DENY      1>/dev/null 2>/dev/null
$LIDSCONF -A -o /etc/lilo.conf                        -j DENY      1>/dev/null 2>/dev/null
echo "OK"

# Enable system authentication
echo -n "Enable system authentication............................"
$LIDSCONF -A POSTBOOT -s /bin/su -o /etc/shadow                  -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/su -o CAP_SETUID                     -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/su -o CAP_SETGID                     -j GRANT   1>/dev/null 2>/dev/null

$LIDSCONF -A POSTBOOT -s /bin/login -o /etc/shadow               -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/login -o CAP_SETUID                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/login -o CAP_SETGID                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/login -o CAP_CHOWN                     -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/login -o CAP_FSETID                  -j GRANT   1>/dev/null 2>/dev/null
echo "OK"

# Protect root folder, but allow bash history
echo -n "Protect root folder....................................."
$LIDSCONF -A -o /root                           -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /bin/bash -o /root/.bash_history                -j WRITE   1>/dev/null 2>/dev/null
echo "OK"

# Set boot script permissions
echo -n "Set boot script permissions............................."
$LIDSCONF -A -s /etc/rc.d/rc.M -i -1 -o CAP_SYS_ADMIN               -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /etc/rc.d/rc.S -i -1 -o CAP_SYS_ADMIN               -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /etc/rc.d/rc.inet1 -i -1 -o CAP_SYS_MODULE            -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /etc/rc.d/rc.inet2 -i -1 -o CAP_SYS_MODULE            -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /etc/rc.d/rc.modules -i -1 -o CAP_SYS_MODULE             -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/rsyslogd -i -1 -o CAP_SYS_MODULE            -j GRANT   1>/dev/null 2>/dev/null
echo "OK"

# Set permissions for ssh
echo -n "Set ssh permissions....................................."
$LIDSCONF -A -s /usr/sbin/sshd -o /etc/shadow                  -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /etc/ssh                        -j DENY      1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o /etc/ssh                  -j READONLY   1>/dev/null 2>/dev/null
#$LIDSCONF -A -s /usr/sbin/sshd -o /var/log/wtmp               -j WRITE
#$LIDSCONF -A -s /usr/sbin/sshd -o /var/log/lastlog               -j WRITE
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_SETUID                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_SETGID                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_FOWNER                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_CHOWN                  -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_DAC_OVERRIDE               -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 22-22            -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_SYS_CHROOT               -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_SYS_RESOURCE               -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_SYS_TTY_CONFIG               -j GRANT   1>/dev/null 2>/dev/null
echo "OK"

# HALD
#$LIDSCONF -A -s /usr/libexec/hald-probe-storage -o CAP_SYS_RAWIO -j GRANT
$LIDSCONF -A -s /usr/sbin/hald -o CAP_SYS_RAWIO -i 2                -j GRANT   1>/dev/null 2>/dev/null

# Set permissions for QMail
echo -n "Protect QMail..........................................."
$LIDSCONF -A -o /var/qmail/bin                        -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /var/qmail/supervise                     -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /package/admin/daemontools/command               -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /package/admin/daemontools/command/supervise -o /var/qmail/supervise   -j WRITE   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/local/bin/multilog -o /var/qmail/supervise          -j WRITE   1>/dev/null 2>/dev/null
echo "OK"

# Dovecot
echo -n "Set up rules for dovecot................................"
$LIDSCONF -A -s /usr/sbin/dovecot -o CAP_SETPCAP               -j GRANT   1>/dev/null 2>/dev/null
echo "OK"


# Spamassassin
echo -n "Set up rules for spamassassin..........................."
$LIDSCONF -A -s /usr/bin/spamd -o /etc/shadow -i -1               -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /usr/bin/spamc -o /etc/shadow -i -1               -j READONLY   1>/dev/null 2>/dev/null
$LIDSCONF -A -s /package/admin/daemontools/command/supervise -o /etc/shadow -i -1   -j READONLY   1>/dev/null 2>/dev/null
echo "OK"

# Other files and folders
echo -n "Protect remaining folders/apps.........................."
$LIDSCONF -A -s /usr/local/sbin/arno-iptables-firewall -i -1 -o CAP_SYS_MODULE      -j GRANT   1>/dev/null 2>/dev/null
$LIDSCONF -A -o /usr/src                        -j DENY      1>/dev/null 2>/dev/null
echo "OK"

# Compiling LIDS rules
echo -n "Compiling LIDS rules...................................."
$LIDSCONF -C                                    1>/dev/null 2>/dev/null
echo "OK"


#$LIDSCONF -A -s /var/qmail/supervise/maildrop-logger/maildrop-pipe-watcher -i -1 -o /etc/shadow -j READONLY
#$LIDSCONF -A -s /var/qmail/supervise/qmail-updater/qmail-pipe-watcher -i -1 -o /etc/shadow -j READONLY
dvdmeer
 
Posts: 7
Joined: Wed Mar 03, 2010 3:02 pm
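As an added example that is not part of the post, the following shell function audits a lidsconf rule script like the one above for the two things a reviewer would want to see listed before such a rule set goes into production: rules with unbounded inheritance (-i -1, which the post says are temporary) and GRANTs of high-impact capabilities. It assumes one `$LIDSCONF -A ...` rule per line, as in the posted script; the list of capabilities it singles out is the example author's own selection, not anything from LIDS.

```shell
#!/bin/sh
# Added example, not part of the post or of LIDS: audit a lidsconf rule
# script for (a) rules with unbounded inheritance (-i -1) and (b) GRANTs of
# high-impact capabilities. Assumes one "$LIDSCONF -A ..." rule per line.
# The capability list below is this example's own choice of what to review.

lids_audit() {
    # $1: path to the rule script; $2: check name, "unbounded" or "highcap".
    # Prints each matching rule on stderr and the match count on stdout.
    awk -v check="$2" '
        /^[ \t]*#/ { next }    # commented-out rule: not active, skip it
        $0 !~ /-A/ { next }    # not a rule addition (shebang, variables, echo)
        check == "unbounded" && /-i[ \t]+-1([ \t]|$)/ { n++; print FILENAME ":" FNR ": " $0 > "/dev/stderr" }
        check == "highcap" && /-j[ \t]+GRANT/ && /-o[ \t]+CAP_(SYS_ADMIN|SYS_RAWIO|SYS_MODULE|SYS_PTRACE|DAC_OVERRIDE)/ { n++; print FILENAME ":" FNR ": " $0 > "/dev/stderr" }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample rule script modelled on the posted one (not the poster's
# actual file). It is left in place after the run so it can be inspected.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
LIDSCONF="/sbin/lidsconf"
$LIDSCONF -A -s /etc/rc.d/rc.S -i -1 -o CAP_SYS_ADMIN        -j GRANT
$LIDSCONF -A -s /usr/sbin/hald -o CAP_SYS_RAWIO -i 2         -j GRANT
$LIDSCONF -A -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 22-22 -j GRANT
#$LIDSCONF -A -s /usr/libexec/hald-probe-storage -o CAP_SYS_RAWIO -j GRANT
$LIDSCONF -A -s /usr/bin/spamd -o /etc/shadow -i -1          -j READONLY
$LIDSCONF -A -o /boot                                        -j READONLY
EOF

# rc.S and spamd carry -i -1 (2 rules); rc.S CAP_SYS_ADMIN and hald
# CAP_SYS_RAWIO are active high-impact grants (2 rules); the commented
# hald-probe-storage line is ignored.
echo "rules with unbounded inheritance: $(lids_audit "$SAMPLE" unbounded)"
echo "high-impact capability grants:    $(lids_audit "$SAMPLE" highcap)"
```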

Re: Not booting with kernel 2.6.34.1 but works with 2.6.33.6

Postby dvdmeer » Thu Jul 15, 2010 10:02 am

Well, it seems the same happens with 2.2.3rc10 and kernel version 2.6.32.16. The file system I am using is ext4, but this should be irrelevant.
The reason I am using a different version than 2.6.33.6 is that this one, together with LIDS, has a different problem.
I am unable to ssh into the system from remote or local (with no messages in the logs afterwards indicating why it fails):

# ssh -vvv 10.0.0.1
OpenSSH_5.5p1, OpenSSL 0.9.8n 24 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/rsa-cert type -1
debug1: identity file /root/.ssh/dsa type -1
debug1: identity file /root/.ssh/dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH
debug1: Enabling compativility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Connection closed by UNKNOWN

Re: Not booting with kernel 2.6.34.1 but works with 2.6.33.6

Postby dvdmeer » Tue Jul 27, 2010 2:36 pm

Is there nobody who can help me with this?

I also found out that it goes wrong even before LIDS is loaded. When I check the kernel messages, this is what I notice:

Write protecting the kernel text: 7112k
Write protecting the kernel read-only data: 2056k
INIT: version 2.86 booting
grep: /proc/filesystems: No such file or directory
grep: /proc/mounts: No such file or directory
grep: /proc/filesystems: No such file or directory
Loading fuse module failed!
grep: /proc/ioports: No such file or directory
Setting system time from the hardware clock (localtime).
hwclock is unable to get I/O port access:  the iopl(3) call failed.
Testing root filesystem status:  read-only filesystem
Checking root filesystem:
fsck from util-linux-ng 2.17.2
/dev/sda1: clean, 344457/524288 files, 1634286/2097136 blocks
Remounting root device with read-write enabled.
LIDS: Initializing sysctl
LIDS: LIDS creating securityfs...
LIDS: creating lidsfs
LIDS: Initializing LIDS ACLs
LIDS: user space is 32 bit
LIDS: lidsadm inode 0x788e3 dev 0x8:1
LIDS: ACL Discovery: ON,
Effective Capability: 7ffcfeff,
Total ACLs Count: 41
LIDS: GLOBAL and BOOT state configuration files loaded
LIDS: Entering BOOT state
LIDS: Linux Intrusion Detection System 2.2.3rc10 started
mount: permission denied

Attempt to remount root device as read-write failed!  This is going to
cause serious problems.

If you're using the UMSDOS filesystem, you **MUST** mount the root partition
read-write!  You can make sure the root filesystem is getting mounted
read-write with the 'rw' flag to Loadlin:

loadlin vmlinuz root=/dev/hda1 rw   (replace /dev/hda1 with your root device)

Normal bootdisks can be made to mount a system read-write with the rdev command:

rdev -R /dev/fd0 0

You can also get into your system by using a boot disk with a command like this
on the LILO prompt line:  (change the root partition name as needed)

LILO: mount root=/dev/hda1 rw

Please press ENTER to continue, then reboot and use one of the above methods to
get into your machine and start looking for the problem.


Also, the configure script for the lidstools package does not recognize the Linux kernel version and so it cannot compile. I had to edit it manually to make it work.

Can anyone help me get my kernel to boot properly? Am I doing something wrong and if so, what? Also note that when I load the kernel with lids=0, it loads perfectly.


Thanks,

Dennis

Re: Not booting with kernel 2.6.34.1 but works with 2.6.33.6

Postby dvdmeer » Mon Aug 16, 2010 8:14 am

Hi,

Unfortunately, it seems there is not much development going on at the moment. Maybe this forum is not being read a lot (since there is more spam in this forum than legitimate posts), so if my assumptions are wrong then I'm sorry for that, but after more than a month of trying to get LIDS working with several kernel versions without much success, it seems I will have to give up on this. AppArmor seems to be included in the next kernel and looks like it is very well maintained, so I am going for this then.

Hopefully in the future there will be a LIDS version that will work, but until then no LIDS for me, since I'm unable to get something to work properly and I am not much of a kernel hacker to fix the code myself.