udev slowness and selinux

Tom London selinux at gmail.com
Sat Dec 3 03:07:03 UTC 2005


On 12/2/05, Tom London <selinux at gmail.com> wrote:
> On 12/2/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > Gene C. wrote:
> > > On Friday 02 December 2005 14:20, Nicolas Mailhot wrote:
> > >
> > >> Le vendredi 02 décembre 2005 à 14:17 -0500, Stephen Smalley a écrit :
> > >>
> > >>> It isn't the number of nodes in /dev; it is the number of entries in
> > >>> file_contexts.  And the slowdown should be improved/eliminated with
> > >>> recent changes in libselinux (1.27.28); let us know if it isn't.  There
> > >>> are two changes in libselinux, one of which will have immediate benefit
> > >>> without requiring any changes to udev, and the other of which requires a
> > >>> small change to udev to take advantage of.
> > >>>
> > >> BTW today's rawhide segfaults on boot if run in enforcing mode
> > >>
> > >> checkpolicy-1.27.19-1
> > >> selinux-policy-targeted-2.0.7-2
> > >> audit-1.1.1-1
> > >> audit-libs-1.1.1-1
> > >> audit-libs-1.1.1-1
> > >> libselinux-1.27.28-1
> > >> libselinux-1.27.28-1
> > >> libsepol-1.9.41-1
> > >> libsepol-1.9.41-1
> > >> libsemanage-1.3.61-1
> > >>
> > >> Adding selinux=false to the boot arguments rescues the system
> > >>
> > >
> > > I also see a kernel panic after today's updates if selinux=enforcing
> > >
> > > Reboot selinux=false single
> > > and change to selinux=permissive gets things working again.
> > >
> > Yesterday's policy package wiped out the policy.20 file, on yum update.
> > We are no longer shipping policy.20 in the rpm, and the package post
> > install creates it.    Problem is the previous version was shipped with
> > it and wipes it out on its post uninstall.  Need to change the trigger
> > on policy package to recreate policy.20.
> >
> > selinux-policy-*-2.0.7-3 fixes the problem.  It is up on my people site
> > ftp://people.redhat.com/dwalsh/SELinux/Fedora
> >
> > You can also do a
> > semodule -B /usr/share/selinux/targeted/base.pp to recreate the
> > policy.20 file.
> >
> > Do not reboot until you fix this or else init will crash because you
> > have no policy.
> >
> > --
> No joy?
>
> [root at tlondon Downloads]# rpm -Uvh selinux-policy-targeted-2.0.8-1.noarch.rpm
> Preparing...                ########################################### [100%]
>    1:selinux-policy-targeted########################################### [100%]
> libsepol.sepol_genbools_array: boolean allow_write_xshm no longer in policy
> libsepol.sepol_genbools_array: boolean i18n_input_disable_trans no
> longer in policy
> libsepol.sepol_genbools_array: boolean mail_readhome no longer in policy
> libsepol.sepol_genbools_array: boolean mail_writehome no longer in policy
> libsepol.sepol_genbools_array: boolean pppd_for_user no longer in policy
> libsepol.sepol_genbools_array: boolean system_dbusd_disable_trans no
> longer in policy
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsepol.sepol_genbools_array: boolean allow_write_xshm no longer in policy
> libsepol.sepol_genbools_array: boolean i18n_input_disable_trans no
> longer in policy
> libsepol.sepol_genbools_array: boolean mail_readhome no longer in policy
> libsepol.sepol_genbools_array: boolean mail_writehome no longer in policy
> libsepol.sepol_genbools_array: boolean pppd_for_user no longer in policy
> libsepol.sepol_genbools_array: boolean system_dbusd_disable_trans no
> longer in policy
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> Failed!
> libsepol.sepol_genbools_array: boolean allow_write_xshm no longer in policy
> libsepol.sepol_genbools_array: boolean i18n_input_disable_trans no
> longer in policy
> libsepol.sepol_genbools_array: boolean mail_readhome no longer in policy
> libsepol.sepol_genbools_array: boolean mail_writehome no longer in policy
> libsepol.sepol_genbools_array: boolean pppd_for_user no longer in policy
> libsepol.sepol_genbools_array: boolean system_dbusd_disable_trans no
> longer in policy
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsepol.sepol_genbools_array: boolean allow_write_xshm no longer in policy
> libsepol.sepol_genbools_array: boolean i18n_input_disable_trans no
> longer in policy
> libsepol.sepol_genbools_array: boolean mail_readhome no longer in policy
> libsepol.sepol_genbools_array: boolean mail_writehome no longer in policy
> libsepol.sepol_genbools_array: boolean pppd_for_user no longer in policy
> libsepol.sepol_genbools_array: boolean system_dbusd_disable_trans no
> longer in policy
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> Failed!
>
Hmmm. Despite the above, rebooting 'works'.

Relabeling now succeeds in 'catching' some unlabeled_t that did not
get properly labeled before (e.g., /sbin/pam_console_apply).

tom
--
Tom London
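
The warning quoted above (do not reboot while policy.20 is missing) can be checked before restarting; this is an added example, not part of the original thread or of any Fedora package. It assumes the standard layout, /etc/selinux/config naming SELINUXTYPE and the binary policy stored as /etc/selinux/<SELINUXTYPE>/policy/policy.<version>; the function name policy_check is hypothetical.

```shell
#!/bin/sh
# Added example: pre-reboot check that a binary SELinux policy is present.
# Assumed layout: $root/etc/selinux/config and
#                 $root/etc/selinux/<SELINUXTYPE>/policy/policy.<version>
# Usage: policy_check || echo "recreate the policy before rebooting"

# policy_check [ROOT]
#   prints the highest-versioned non-empty policy file and returns 0;
#   returns 1 if no usable policy file exists,
#   returns 2 if the config cannot be read or names no policy type.
policy_check() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Take the last uncommented SELINUXTYPE= line, e.g. SELINUXTYPE=targeted
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "SELINUXTYPE not set in $cfg" >&2; return 2; }

    dir="$root/etc/selinux/$ptype/policy"
    best=""
    best_ver=-1
    for f in "$dir"/policy.*; do
        [ -s "$f" ] || continue                      # unmatched glob or empty file
        ver=${f##*.}
        case $ver in ''|*[!0-9]*) continue ;; esac   # accept numeric suffix only
        if [ "$ver" -gt "$best_ver" ]; then
            best=$f
            best_ver=$ver
        fi
    done

    if [ -z "$best" ]; then
        echo "no binary policy in $dir: do not reboot in enforcing mode" >&2
        return 1
    fi
    echo "$best"
}
```

A zero-length policy file is treated the same as a missing one, since an interrupted rebuild can leave one behind.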