[systemd-devel] system failing to boot with SMACK/IMA enabled.

Martin Townsend mtownsend1973 at gmail.com
Wed Mar 14 23:05:19 UTC 2018


Hi,

I'm getting the following log when booting with IMA/EVM and SMACK
enabled.  Before I start delving into IMA and SMACK, does anyone know
of any fixes that have gone into systemd that would fix the problem
I'm seeing below?  I've not seen anything by looking through git log
or on the internet but may have missed something.

I'm using systemd 229 with a 4.9 kernel.  The SMACK policy is pretty
much the default.  If I boot with just IMA/EVM enabled it's fine and I
can check signatures etc with evmctl.  If I boot with an image that
hasn't been signed and just SMACK then it's fine. If I do both I get
the following:

...
Security Framework initialized
Smack:  Initializing.
Smack:  IPv6 port labeling enabled.
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x80100000 - 0x80100058
devtmpfs: initialized
evm: security.SMACK64
evm: security.SMACK64EXEC
evm: security.SMACK64TRANSMUTE
evm: security.SMACK64MMAP
evm: security.ima
evm: security.capability
...
Loading compiled-in X.509 certificates
Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a'
...
UBIFS (ubi0:0): FS size: 201764864 bytes (192 MiB, 1589 LEBs), journal
size 9023488 bytes (8 MiB, 72 LEBs)
UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID
F6EA70A5-1931-4049-89CB-93B82F37F6A4, small LPT model
VFS: Mounted root (ubifs filesystem) readonly on device 0:16.
devtmpfs: mounted
integrity: Loaded X.509 cert 'IMA Certificate Authority:
e2c191a6e31fd02d6beba0c7c7847720a35fd9c6': /etc/keys/ima-x509.der
Freeing unused kernel memory: 1024K
systemd[1]: Successfully loaded Smack policies.
systemd[1]: Successfully loaded Smack/CIPSO policies.
systemd[1]: System time before build time, advancing clock.
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such
file or directory
[!!!!!!] Failed to mount API filesystems, freezing.
systemd[1]: Freezing execution.

Many Thanks,
Martin.
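As an added triage aid (not part of the original post or of systemd), the following Python script summarises a boot log of the kind shown above: which xattrs EVM reports as protected, whether systemd loaded the Smack policies and IMA loaded its certificate, and which API filesystem mounts failed and why. The embedded sample is a constructed excerpt modelled on the log in the post, with the certificate hash replaced by a placeholder; the script draws no conclusion about the cause, it only makes the combination the poster describes (Smack active while EVM also covers the `security.SMACK64*` labels) and the failed mounts easy to see at a glance.

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the boot log in the post above; the cert
# fingerprint is a placeholder and the wrapped lines have been rejoined.
SAMPLE_LOG = """\
Security Framework initialized
Smack:  Initializing.
Smack:  IPv6 port labeling enabled.
evm: security.SMACK64
evm: security.SMACK64EXEC
evm: security.SMACK64TRANSMUTE
evm: security.SMACK64MMAP
evm: security.ima
evm: security.capability
integrity: Loaded X.509 cert 'IMA Certificate Authority: <FINGERPRINT-PLACEHOLDER>': /etc/keys/ima-x509.der
systemd[1]: Successfully loaded Smack policies.
systemd[1]: Successfully loaded Smack/CIPSO policies.
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems, freezing.
"""

# Patterns for the messages we care about (kernel EVM/integrity lines and systemd PID 1 lines).
EVM_XATTR_RE = re.compile(r"^evm: (?P<xattr>security\.\S+)$")
IMA_CERT_RE = re.compile(r"^integrity: Loaded X\.509 cert ")
SMACK_POLICY_RE = re.compile(r"systemd\[1\]: Successfully loaded Smack(?:/CIPSO)? policies\.")
MOUNT_FAIL_RE = re.compile(
    r"systemd\[1\]: Failed to mount (?P<fstype>\S+) at (?P<target>\S+): (?P<reason>.+)$"
)


def triage_boot_log(text):
    """Return a dict summarising security-framework state and API mount failures."""
    evm_xattrs = []
    smack_loaded = False
    ima_cert_loaded = False
    failures = OrderedDict()  # (fstype, target) -> {"reason", "count"}
    frozen = False

    for raw in text.splitlines():
        line = raw.strip()
        m = EVM_XATTR_RE.match(line)
        if m:
            evm_xattrs.append(m.group("xattr"))
            continue
        if IMA_CERT_RE.match(line):
            ima_cert_loaded = True
            continue
        if SMACK_POLICY_RE.search(line):
            smack_loaded = True
            continue
        m = MOUNT_FAIL_RE.search(line)
        if m:
            key = (m.group("fstype"), m.group("target"))
            entry = failures.setdefault(key, {"reason": m.group("reason"), "count": 0})
            entry["count"] += 1  # systemd repeats the same failure; count instead of listing twice
            continue
        if "Failed to mount API filesystems" in line:
            frozen = True

    smack_xattrs = [x for x in evm_xattrs if x.startswith("security.SMACK64")]
    return {
        "smack_policy_loaded": smack_loaded,
        "ima_cert_loaded": ima_cert_loaded,
        "evm_protected_xattrs": evm_xattrs,
        # True when Smack is active *and* EVM also protects the Smack label xattrs,
        # i.e. the combination the post reports as the failing configuration.
        "smack_and_evm_both_active": smack_loaded and bool(smack_xattrs),
        "mount_failures": [
            {"fstype": k[0], "target": k[1], "reason": v["reason"], "count": v["count"]}
            for k, v in failures.items()
        ],
        "api_fs_freeze": frozen,
    }


if __name__ == "__main__":
    summary = triage_boot_log(SAMPLE_LOG)
    print("Smack policy loaded:", summary["smack_policy_loaded"])
    print("IMA cert loaded:    ", summary["ima_cert_loaded"])
    print("EVM protects:       ", ", ".join(summary["evm_protected_xattrs"]))
    print("Smack+EVM combined: ", summary["smack_and_evm_both_active"])
    for f in summary["mount_failures"]:
        print(f"  {f['fstype']:6s} at {f['target']}: {f['reason']} (x{f['count']})")
    print("API FS freeze:      ", summary["api_fs_freeze"])
```

Feed it `dmesg` or `journalctl -b` output captured from the failing boot; the repeated `/dev/shm` failure collapses to a single entry with a count, and the `evm:` lines show exactly which label xattrs EVM is covering alongside `security.ima`, which is the first thing to compare against the labels actually present on the root filesystem's `/dev`, `/sys/fs/cgroup` and `/run` directories.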

