mac-troubleshoot.html

这是很好的学习嵌入式LINUX的文章

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Troubleshooting the MAC Framework</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Another Example: Using MAC to Constrain a Web Server"
href="mac-examplehttpd.html" />
<link rel="NEXT" title="存储" href="disks.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-examplehttpd.html"
accesskey="P">后退</a></td>
<td width="80%" align="center" valign="bottom">章 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="disks.html"
accesskey="N">前进</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-TROUBLESHOOT" name="MAC-TROUBLESHOOT">15.16. Troubleshooting
the MAC Framework</a></h1>

<p>During the development stage, a few users reported problems with normal configuration.
Some of these problems are listed below:</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22734" name="AEN22734">15.16.1. The <var
class="OPTION">multilabel</var> option cannot be enabled on <tt
class="FILENAME">/</tt></a></h2>

<p>The <var class="OPTION">multilabel</var> flag does not stay enabled on my root (<tt
class="FILENAME">/</tt>) partition!</p>

<p>It seems that one out of every fifty users has this problem, indeed, we had this
problem during our initial configuration. Further observation of this so called ``bug''
has lead me to believe that it is a result of either incorrect documentation or
misinterpretation of the documentation. Regardless of why it happened, the following
steps may be taken to resolve it:</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p>Edit <tt class="FILENAME">/etc/fstab</tt> and set the root partition at <var
class="OPTION">ro</var> for read-only.</p>
</li>

<li>
<p>Reboot into single user mode.</p>
</li>

<li>
<p>Run <tt class="COMMAND">tunefs</tt> <var class="OPTION">-l enable</var> on <tt
class="FILENAME">/</tt>.</p>
</li>

<li>
<p>Reboot the system into normal mode.</p>
</li>

<li>
<p>Run <tt class="COMMAND">mount</tt> <var class="OPTION">-urw</var> <tt
class="FILENAME">/</tt> and change the <var class="OPTION">ro</var> back to <var
class="OPTION">rw</var> in <tt class="FILENAME">/etc/fstab</tt> and reboot the system
again.</p>
</li>

<li>
<p>Double-check the output from the <tt class="COMMAND">mount</tt> to ensure that <var
class="OPTION">multilabel</var> has been properly set on the root file system.</p>
</li>
</ol>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22769" name="AEN22769">15.16.2. Cannot start <span
class="TRADEMARK">XFree86</span>&#8482; after <acronym
class="ACRONYM">MAC</acronym></a></h2>

<p>After establishing a secure environment with <acronym class="ACRONYM">MAC</acronym>, I
am no longer able to start <span class="TRADEMARK">XFree86</span>&#8482;!</p>

<p>This could be caused by the <acronym class="ACRONYM">MAC</acronym> <var
class="LITERAL">partition</var> policy or by a mislabeling in one of the <acronym
class="ACRONYM">MAC</acronym> labeling policies. To debug, try the following:</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p>Check the error message; if the user is in the <var class="LITERAL">insecure</var>
class, the <var class="LITERAL">partition</var> policy may be the culprit. Try setting
the user's class back to the <var class="LITERAL">default</var> class and rebuild the
database with the <tt class="COMMAND">cap_mkdb</tt> command. If this does not alleviate
the problem, go to step two.</p>
</li>

<li>
<p>Double-check the label policies. Ensure that the policies are set correctly for the
user in question, the <span class="TRADEMARK">XFree86</span> application, and the <tt
class="FILENAME">/dev</tt> entries.</p>
</li>

<li>
<p>If neither of these resolve the problem, send the error message and a description of
your environment to the TrustedBSD discussion lists located at the <a
href="http://www.TrustedBSD.org" target="_top">TrustedBSD</a> website or to the <a
href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-questions" target="_top">FreeBSD
general questions 邮件列表</a> mailing list.</p>
</li>
</ol>
</div>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-examplehttpd.html"
accesskey="P">后退</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">起点</a></td>
<td width="33%" align="right" valign="top"><a href="disks.html"
accesskey="N">前进</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Another Example: Using MAC to Constrain a Web
Server</td>
<td width="34%" align="center" valign="top"><a href="mac.html"
accesskey="U">上一级</a></td>
<td width="33%" align="right" valign="top">存储</td>
</tr>
</table>
</div>
</body>
</html>