Bug 278513 - sys-apps/ccs-tools-1.6.8_p20090623: Boot process fails trying to mount /sys after running /sbin/tomoyo-init
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High critical
Assignee: MATSUU Takuto (RETIRED)
Reported: 2009-07-20 21:59 UTC by Fiona Klute
Modified: 2009-10-27 10:44 UTC
Attachments
tomoyo-init script (tomoyo-init,585 bytes, text/plain)
2009-10-27 10:44 UTC, YuGMiX
Description Fiona Klute 2009-07-20 21:59:08 UTC
I compiled vanilla kernel 2.6.30.2 with the TOMOYO security module and installed sys-apps/ccs-tools. However, the boot process failed at the point where /sys should be mounted. The reason seems to be that /sbin/tomoyo-init mounts /sys and /sys/kernel/securityfs, while the init system expects sysfs not to be mounted at this time.

Reproducible: Always

Steps to Reproduce:
1. Install a kernel with TOMOYO support compiled in.
2. Install sys-apps/ccs-tools.
3. Initialize the TOMOYO policy.
4. Reboot.

Actual Results:  
The init system drops to maintenance mode after failing to mount /sys because it is already mounted.

Expected Results:  
Normal boot after running /sbin/tomoyo-init.

I'm using Baselayout 1 and a custom initramfs to mount an encrypted root partition. The initramfs-init execs busybox switch_root to get to /sbin/init.

I found this at the end of /sbin/tomoyo-init:

# [ $SECURITY_UNMOUNT -eq 1 ] && umount -n /sys/kernel/security
# [ $SYS_UNMOUNT -eq 1 ] && umount -n /sys
[ $PROC_UNMOUNT -eq 1 ] && umount -n /proc
exit 0

I suspect that uncommenting those two lines might solve the problem, but I'm new to TOMOYO and might be missing something.
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2009-07-26 02:47:33 UTC
I got a response from upstream.
http://sourceforge.jp/projects/tomoyo/lists/archive/dev/2009-July/001189.html

Yes. Uncommenting those two lines will solve the problem.

TOMOYO's management tools assume that securityfs is mounted on /sys/kernel/security/ .
But many systems don't mount securityfs on /sys/kernel/security/ upon boot.
If securityfs is not mounted, TOMOYO's management tools (e.g. ccs-editpolicy) can't work.
Therefore, the author decided that /sbin/tomoyo-init leaves securityfs mounted on /sys/kernel/security/ .

But in your environment, it causes problems...
Should we ask users to add an entry to /etc/fstab so that /sys/kernel/security/ is mounted?
Or, should we let TOMOYO's management tools try to mount /sys/kernel/security/ when the tools are executed?
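
One way a boot-time helper can avoid the conflict discussed in this bug, shown as an added example that is not the real /sbin/tomoyo-init and not code from this thread: mount only what is missing, then unmount only what this run mounted, in reverse order. The function names, the `run-policy-loader` marker and the sample mount table are assumptions made for illustration; the planner only prints commands and executes none of them.

```shell
#!/bin/sh
# Added example: dry-run planner, NOT the real /sbin/tomoyo-init.
# Reads a mount table in /proc/mounts format and prints the commands a
# boot-time policy loader would need so that it leaves the mount state
# exactly as it found it for the init system.

# is_mounted TABLE MOUNTPOINT FSTYPE
# Exit status 0 if TABLE lists a filesystem of type FSTYPE on MOUNTPOINT.
is_mounted() {
    awk -v mp="$2" -v fs="$3" \
        '$2 == mp && $3 == fs { found = 1 } END { exit !found }' "$1"
}

# plan_mounts TABLE
# Prints "mount" lines for missing filesystems, a placeholder line where the
# policy would be loaded, then "umount" lines only for what was mounted here.
plan_mounts() {
    table=$1
    undo=""
    for entry in "proc:/proc" "sysfs:/sys" "securityfs:/sys/kernel/security"; do
        fs=${entry%%:*}
        mp=${entry#*:}
        if ! is_mounted "$table" "$mp" "$fs"; then
            echo "mount -n -t $fs none $mp"
            # Prepend, so the innermost mount point is unmounted first.
            undo="umount -n $mp
$undo"
        fi
    done
    echo "run-policy-loader"   # hypothetical placeholder for the policy load
    printf '%s' "$undo"
}

# Constructed sample: early boot after switch_root, only /proc is mounted.
sample_early_boot() {
    printf '%s\n' 'rootfs / rootfs rw 0 0' 'proc /proc proc rw 0 0'
}

# Stand-alone demonstration on the constructed sample.
demo_table=$(mktemp)
sample_early_boot > "$demo_table"
plan_mounts "$demo_table"
rm -f "$demo_table"
```

On a running system, passing `/proc/mounts` as the table shows what such a helper would do from the current state.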

Comment 2 Fiona Klute 2009-07-27 19:01:10 UTC
I uncommented those two lines, works now. Thanks! :-)

Looks like this is fixed in tomoyo-tools 2.2.0:
http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2009-July/000080.html
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2009-07-28 23:49:13 UTC
sys-apps/tomoyo-tools-2.2.0_p20090727 in cvs.
Comment 4 YuGMiX 2009-10-27 10:44:55 UTC
Created attachment 208419
tomoyo-init script