system failing to boot with SMACK/IMA enabled.
Martin Townsend
2018-03-14 23:05:19 UTC
Hi,

I'm getting the following log when booting with IMA/EVM and SMACK
enabled. Before I start delving into IMA and SMACK does anyone know
of any fixes that have gone into systemd that would fix the problem
I'm seeing below. I've not seen anything by looking through git log
or on the internet but may have missed something.

I'm using systemd 229 with a 4.9 kernel. The SMACK policy is pretty
much the default. If I boot with just IMA/EVM enabled it's fine and I
can check signatures etc with evmctl. If I boot with an image that
hasn't been signed and just SMACK then it's fine. If I do both I get
the following:

...
Security Framework initialized
Smack: Initializing.
Smack: IPv6 port labeling enabled.
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x80100000 - 0x80100058
devtmpfs: initialized
evm: security.SMACK64
evm: security.SMACK64EXEC
evm: security.SMACK64TRANSMUTE
evm: security.SMACK64MMAP
evm: security.ima
evm: security.capability
...
Loading compiled-in X.509 certificates
Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a'
...
UBIFS (ubi0:0): FS size: 201764864 bytes (192 MiB, 1589 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID F6EA70A5-1931-4049-89CB-93B82F37F6A4, small LPT model
VFS: Mounted root (ubifs filesystem) readonly on device 0:16.
devtmpfs: mounted
integrity: Loaded X.509 cert 'IMA Certificate Authority: e2c191a6e31fd02d6beba0c7c7847720a35fd9c6': /etc/keys/ima-x509.der
Freeing unused kernel memory: 1024K
systemd[1]: Successfully loaded Smack policies.
systemd[1]: Successfully loaded Smack/CIPSO policies.
systemd[1]: System time before build time, advancing clock.
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems, freezing.
systemd[1]: Freezing execution.

Many Thanks,
Martin.
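As an added triage aid (not code from the thread or from systemd), the script below parses a boot log like the one quoted above and pulls out the facts a reviewer needs before going to the IMA/SMACK maintainers: whether Smack initialised and which policies loaded, which xattrs EVM is protecting (including the security.SMACK64* labels, which is what makes the two LSMs interact on every inode), and each failed API-filesystem mount with its errno symbol recovered from the strerror text. The sample log is constructed from lines of the post; the regexes match the systemd 229 / 4.9 kernel message formats shown there and are an assumption for other versions.

```python
import errno
import os
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the boot log quoted in the post above.
SAMPLE_LOG = """\
Security Framework initialized
Smack: Initializing.
Smack: IPv6 port labeling enabled.
evm: security.SMACK64
evm: security.SMACK64EXEC
evm: security.SMACK64TRANSMUTE
evm: security.SMACK64MMAP
evm: security.ima
evm: security.capability
Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a'
VFS: Mounted root (ubifs filesystem) readonly on device 0:16.
systemd[1]: Successfully loaded Smack policies.
systemd[1]: Successfully loaded Smack/CIPSO policies.
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems, freezing.
"""

# Reverse map from strerror() text to errno symbol, so "No such file or
# directory" in the log is reported as ENOENT.
_STRERROR_TO_NAME = {os.strerror(code): name for code, name in errno.errorcode.items()}

# Message formats as they appear in the quoted log (assumed stable for this
# systemd/kernel combination only).
MOUNT_FAIL_RE = re.compile(
    r"systemd\[1\]: Failed to mount (?P<fstype>\S+) at (?P<target>\S+): (?P<error>.+)$")
EVM_XATTR_RE = re.compile(r"^evm: (?P<xattr>security\.\S+)$")
SMACK_POLICY_RE = re.compile(r"systemd\[1\]: Successfully loaded (?P<policy>Smack\S*) policies")
FREEZE_RE = re.compile(r"Failed to mount API filesystems, freezing")


@dataclass
class MountFailure:
    fstype: str
    target: str
    error: str
    errno_name: str  # e.g. "ENOENT", or "UNKNOWN" if the text is not a known strerror


@dataclass
class BootTriage:
    smack_initialized: bool = False
    smack_policies: list = field(default_factory=list)
    evm_protected_xattrs: list = field(default_factory=list)
    mount_failures: list = field(default_factory=list)
    froze: bool = False

    def evm_covers_smack(self) -> bool:
        """True when EVM protects the Smack labels, i.e. both LSMs act on every inode."""
        return any(x.startswith("security.SMACK64") for x in self.evm_protected_xattrs)


def triage_boot_log(text: str) -> BootTriage:
    result = BootTriage()
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if line == "Smack: Initializing.":
            result.smack_initialized = True
            continue
        m = EVM_XATTR_RE.match(line)
        if m:
            result.evm_protected_xattrs.append(m.group("xattr"))
            continue
        m = SMACK_POLICY_RE.search(line)
        if m:
            result.smack_policies.append(m.group("policy"))
            continue
        m = MOUNT_FAIL_RE.search(line)
        if m:
            key = (m.group("fstype"), m.group("target"), m.group("error"))
            if key in seen:  # systemd logs the same failed mount twice; report it once
                continue
            seen.add(key)
            result.mount_failures.append(
                MountFailure(*key, errno_name=_STRERROR_TO_NAME.get(m.group("error"), "UNKNOWN")))
            continue
        if FREEZE_RE.search(line):
            result.froze = True
    return result


def summarize(t: BootTriage) -> list:
    """Human-readable findings, one per line."""
    lines = []
    if t.froze:
        lines.append("PID 1 froze after failing to mount API filesystems")
    for f in t.mount_failures:
        lines.append(f"{f.fstype} on {f.target}: {f.errno_name} ({f.error})")
    if t.smack_initialized and t.evm_covers_smack():
        lines.append("Smack is active and its labels are among the EVM-protected xattrs; "
                     "both LSMs are involved in every inode access")
    return lines


if __name__ == "__main__":
    for finding in summarize(triage_boot_log(SAMPLE_LOG)):
        print(finding)
```

Feed it the real dmesg or journal text instead of SAMPLE_LOG; the de-duplication matters because systemd repeats the /dev/shm failure, and the errno name is what lets you compare against Lennart's ENOENT remark further down the thread.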
Lennart Poettering
2018-03-20 10:30:57 UTC
Post by Martin Townsend
Hi,
I'm getting the following log when booting with IMA/EVM and SMACK
enabled. Before I start delving into IMA and SMACK does anyone know
of any fixes that have gone into systemd that would fix the problem
I'm seeing below. I've not seen anything by looking through git log
or on the internet but may have missed something.
I'm using systemd 229 with a 4.9 kernel. The SMACK policy is pretty
much the default. If I boot with just IMA/EVM enabled it's fine and I
can check signatures etc with evmctl. If I boot with an image that
hasn't been signed and just SMACK then it's fine. If I do both I get
Uh, we generally rely on external patches for SMACK, IMA, SELinux and
AppArmor management, none of us systemd maintainers are true MAC
gurus.

I'd recommend asking the IMA/SMACK folks for help about this.

Not sure why mount() or /dev/shm would return ENOENT though, except if
SMACK actually can generate that when the smackfsroot=* mount option
we use is not available. Dunno.

Sorry that I can't be more helpful on this,

Lennart
--
Lennart Poettering, Red Hat