[redhat-lspp] DBUS, udev, and hotplug investigation

Debora Velarde dvelarde at us.ibm.com
Mon Mar 27 19:37:51 UTC 2006


===================================
Disabling DBUS, udev, and hotplug
===================================

-----------------------------------
How to disable DBUS, udev, hotplug
-----------------------------------

Scripts
-------
Create the following scripts. Be sure they have execute permission set
(chmod 755):

# cat /sbin/stop_dbus
#!/bin/sh
#
# stop dbus-daemon
#
prog=dbus
. /etc/init.d/functions
STRING=$"Stopping $prog: "

echo -n $STRING

# ret stays 0 unless kill itself fails; a daemon that is already
# stopped is not an error
ret=0
if [ -x /sbin/pidof ]; then
        pid=`/sbin/pidof -x dbus-daemon`
        if [ -n "$pid" ]; then
                kill $pid
                ret=$?
        fi
fi

[ $ret -eq 0 ] && success $"$STRING" || failure $"$STRING"
echo
exit 0

# cat /sbin/stop_udev
#!/bin/sh
#
# stop udev
#
prog=udev
. /etc/init.d/functions
STRING=$"Stopping $prog: "

echo -n $STRING

# ret stays 0 unless kill itself fails; a daemon that is already
# stopped is not an error
ret=0
if [ -x /sbin/pidof ]; then
        pid=`/sbin/pidof -x udevd`
        if [ -n "$pid" ]; then
                kill $pid
                ret=$?
        fi
fi

[ $ret -eq 0 ] && success $"$STRING" || failure $"$STRING"
echo
exit 0

# cat /sbin/stop_hal
#!/bin/sh
#
# stop hal
#
prog=hal
. /etc/init.d/functions
STRING=$"Stopping $prog: "

echo -n $STRING

# ret stays 0 unless kill itself fails; a daemon that is already
# stopped is not an error
ret=0
if [ -x /sbin/pidof ]; then
        pid=`/sbin/pidof -x hald`
        if [ -n "$pid" ]; then
                kill $pid
                ret=$?
        fi
fi

[ $ret -eq 0 ] && success $"$STRING" || failure $"$STRING"
echo
exit 0

Changes to /etc/rc.local
------------------------
Append the following lines to /etc/rc.local:
# Now stop DBUS, udev, and hal (hotplug)
/sbin/stop_hal
/sbin/stop_udev
/sbin/stop_dbus


------------------------------------------------
Additional daemons that also need to be disabled
------------------------------------------------
Additional daemons that will generate error messages if DBUS is not 
running and should therefore be disabled:

avahi-daemon
------------
The avahi-daemon is the Avahi mDNS/DNS-SD daemon.
It detects that DBUS is not running, generates an error message, and then
terminates itself.
An example of the error message it sends to /var/log/messages:
Mar 20 09:03:55 hostname avahi-daemon[1896]: Disconnnected from D-BUS, 
terminating...

To disable avahi-daemon:
chkconfig --del avahi-daemon

The avahi-daemon will be disabled after reboot.

hcid
----
The hcid daemon is the Bluetooth Host Controller Interface Daemon.
It does not terminate itself if DBUS is not running.
Instead it keeps sending errors to /var/log/messages:
Mar 20 09:03:56 hostname hcid[1572]: Can't open system message bus 
connection: Failed to connect to socket /var/run/dbus/system_bus_socket: 
Connection refused
Mar 20 09:04:27 hostname last message repeated 43 times
Mar 20 09:05:28 hostname last message repeated 87 times
Mar 20 09:06:29 hostname last message repeated 87 times
Mar 20 09:07:30 hostname last message repeated 86 times
...

To disable Bluetooth:
chkconfig --del bluetooth
reboot

You can verify that hcid is not running after reboot with the command:
# service bluetooth status
The output from the above command should include the line:
"hcid is stopped"
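As an added example (not part of the original post), a small shell check that scans a /var/log/messages excerpt for daemons still complaining about D-BUS and counts syslog's "last message repeated N times" lines, so the daemons left to disable with chkconfig --del show up in one list. The embedded log lines are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (not real log data).
sample_log() {
    cat <<'EOF'
Mar 20 09:03:55 hostname avahi-daemon[1896]: Disconnnected from D-BUS, terminating...
Mar 20 09:03:56 hostname hcid[1572]: Can't open system message bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused
Mar 20 09:04:27 hostname last message repeated 43 times
Mar 20 09:05:28 hostname last message repeated 87 times
Mar 20 09:06:00 hostname sshd[900]: Accepted publickey for root from 10.0.0.5 port 4242 ssh2
Mar 20 09:06:29 hostname last message repeated 2 times
EOF
}

# Read syslog lines on stdin and print one "<daemon> <count>" line per
# daemon that failed to reach D-BUS. syslog's "last message repeated N
# times" is attributed to the immediately preceding line only, so a
# repeat following an unrelated message (the sshd line) is not counted.
dbus_complainers() {
    awk '
        # syslog format: "Mon DD HH:MM:SS host prog[pid]: message"
        /D-BUS|system_bus_socket/ {
            prog = $5
            sub(/\[.*$/, "", prog)      # drop "[pid]:"
            sub(/:$/, "", prog)         # drop a bare trailing colon
            count[prog]++
            last = prog
            next
        }
        /last message repeated [0-9]+ times/ {
            if (last != "") count[last] += $(NF-1)
            next
        }
        { last = "" }                   # any other line breaks the chain
        END { for (p in count) print p, count[p] }
    ' | sort
}

# Demo on the constructed sample; on a live system use:
#   dbus_complainers < /var/log/messages
sample_log | dbus_complainers
```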

-------------------------------------------------------
Device allocation with DBUS, udev, and hotplug disabled
-------------------------------------------------------
I verified that the device allocator didn't generate any error messages 
due to the absence of dbus, udev, or hotplug. 
Cory Olmo from TCS provided me with a device-allocator HowTo document. 
Below are the final steps I used, the majority of which came from Cory's 
HowTo document. 
After completing the following steps, I did not find any error messages 
about dbus, udev, hal, hotplug not being available.


Install FC5T3 and update
------------------------
1) Do a fresh install of Fedora Core 5 Test 3.  During the installation,
you can choose to not install any of the graphical-related packages (such
as GNOME, KDE, X11, etc.), because they are not needed.

2) After installation is complete, log in as the "root" user and relabel
the filesystem:
# touch /.autorelabel
# reboot

3) After rebooting the system, log in as the "root" user,
and newrole into the sysadm role:
# newrole -r sysadm_r -t sysadm_t

4) Depending on which packages were installed, it might be necessary to
install additional development packages:
# yum install rpm-build gcc make m4
ALTERNATIVELY (if yum doesn't work, or if your test machine is not
connected to the internet), you can download individual packages
from Rawhide:
http://download.fedora.redhat.com/pub/fedora/linux/core/development/i386/Fedora/RPMS/

5) Do a yum update of the SELinux packages and libraries:
# yum update libselinux libsepol libsemanage libsetrans checkpolicy 
policycoreutils selinux-policy
ALTERNATIVELY (if yum doesn't work, or if your test machine is not
connected to the internet), you can download individual packages
from Rawhide:
http://download.fedora.redhat.com/pub/fedora/linux/core/development/i386/Fedora/RPMS/

6) Do a yum install of audit packages: audit, audit-libs, audit-libs-devel

7) NOTE: do not install the mls policy yet (it is easier to do things
in targeted policy)


Build the policy
----------------
1) Copy the "selinux-policy" source rpm supplied by TCS to the test 
machine
(this source rpm is from Rawhide, but has the devallocator patches 
applied)

2) Install the source rpm.
# rpm -i selinux-policy-2.2.23-15.TCS.1.src.rpm

3) Build the policy:
# cd /usr/src/redhat/SPECS
# rpmbuild -bb selinux-policy.spec
If the build fails, it most likely means you don't have all the needed
development-related packages installed (go back to step 3 in the previous
section and install any needed packages).

4) Copy the newest dev_allocator rpm to the test machine. Install the
dev_allocator rpm:
# rpm -i dev_allocator-0.5-4.i386.rpm
# rpm -ivh dev_allocator-0.5-4.src.rpm
# cd /usr/src/redhat/SPECS/
# rpmbuild -bb dev_allocator.spec
# cd /usr/src/redhat/RPMS/i386/
# rpm -ivh dev_allocator-0.5-4.i386.rpm


Install the MLS policy
----------------------
0) check policy before:
# rpm -qa | grep policy
policycoreutils-1.29.26-6
selinux-policy-2.2.23-15
checkpolicy-1.29.4-1
selinux-policy-targeted-2.2.23-15

1) Install the newly-built mls policy:
# cd /usr/src/redhat/RPMS/noarch/
# rpm -Uvh selinux-policy-mls-2.2.23-15.TCS.1.noarch.rpm 
selinux-policy-2.2.23-15.TCS.1.noarch.rpm  selinux-policy-targeted-2.2.23-

2) Make the mls policy the default policy by editing /etc/selinux/config
and changing "SELINUXTYPE=targeted" to "SELINUXTYPE=mls"

3) Reboot into permissive single-user mode.  Do this at the GRUB boot
screen by pressing "a", then add these boot parameters:  single 
enforcing=0

4) While it is booting up, there will be many "avc" error messages.
At the shell prompt, relabel the filesystem, then reboot:
# fixfiles restore
# reboot

5) Boot up normally, log in as the "root" user, newrole to the secadm_r
role at SystemHigh:

# newrole -r secadm_r -l SystemHigh
and then issue this command:
# sestatus
Make sure the output indicates you are running the mls policy.

6) Verify the dev_allocator has the correct file contexts:
# ls -Z /usr/sbin/dev_allocator_config
(it should have a type of devadm_exec_t)
-rwxr-xr-x  root     root     system_u:object_r:devadm_exec_t:SystemLow 
/usr/sbin/dev_allocator_config

# ls -Z /usr/bin/dev_allocator
(it should have a type of devallocator_exec_t)
-rwsr-xr-x  root     root system_u:object_r:devallocator_exec_t:SystemLow 
/usr/bin/dev_allocator

# ls -Z /etc/devallocation
(it should have a type of devallocator_conf_t)
-rw-r--r--  root     root system_u:object_r:devallocator_conf_t:SystemHigh 
supported_device_classes.conf
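An added check (not part of the original post) that automates the three ls -Z comparisons of step 6. The paths and expected types are the ones listed there; the parser picks the type field out of a user:role:type:level context, so it works with the five-column ls -Z output shown above as well as the newer two-column form.

```shell
#!/bin/sh
# Print the SELinux type (third component of user:role:type:level) found
# in one line of "ls -Z" output; prints nothing if the line has no context.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# check_context <path> <expected_type>: compare the live context of a
# path with the expected type; returns 0 on match, 1 otherwise.
check_context() {
    line=$(ls -Zd "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    actual=$(selinux_type_of "$line")
    if [ "$actual" = "$2" ]; then
        echo "OK      $1 ($actual)"
        return 0
    fi
    echo "WRONG   $1 (got ${actual:-none}, want $2)"
    return 1
}

# The three checks from step 6, with the paths and types given in the post.
verify_dev_allocator_contexts() {
    rc=0
    check_context /usr/sbin/dev_allocator_config devadm_exec_t || rc=1
    check_context /usr/bin/dev_allocator devallocator_exec_t || rc=1
    check_context /etc/devallocation/supported_device_classes.conf \
        devallocator_conf_t || rc=1
    return $rc
}

# Run on the test machine after the MLS relabel:
#   verify_dev_allocator_contexts && echo "dev_allocator contexts look right"
```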


Using dev_allocator
-------------------
1) Add a new device configuration
Log in as root:
# newrole -r secadm_r -l SystemHigh
# dev_allocator_config -a --dev_name cdrom --file /dev/cdrom --class cdrom 
--minsl SystemLow --maxsl SystemHigh

2) Allocate the specified device
Log in as a non-root user:
# dev_allocator -a /dev/cdrom

-----
Print
-----
There is a CUPS patch available for the PrinterSpooler to use D-BUS.
According to Matt, who is working on cups for LSPP, the cups package is 
not using D-BUS.
