latest Rawhide... selinux-policy-strict-1.17.9-2

Daniel J Walsh dwalsh at redhat.com
Thu Sep 9 14:02:37 UTC 2004


Stephen Smalley wrote:

>On Fri, 2004-09-03 at 11:43, Tom London wrote:
>  
>
>>Newest Rawhide packages improve things a bit for strict/enforcing, but 
>>still no joy.
>>
>>When booting strict/enforcing, the system seems to boot to single user mode,
>>but is unable to write to the console.  Last messages are avc denials from
>>/bin/dmesg, that seem to occur just before the 'Welcome to Fedora' message.
>>I can hear the device discovery going on, but nothing on the console.
>>After about 5 minutes, ALT-CTL-DEL brought the system down, with the
>>customary console messages. (But, error messages about most file systems
>>not being mounted).
>>
>>Here are the early avcs...
>>
>>Sep  3 07:25:35 fedora kernel: audit(1094196259.050:0): avc:  denied  { create } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
>>Sep  3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
>>Sep  3 07:25:36 fedora kernel: audit(1094196259.050:0): avc:  denied  { associate } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
>>    
>>
>
>No point in even trying to work from those audit messages, as the tmpfs
>entry in fs_use in the rawhide policy is wrong and will break all users
>of anonymous shared mappings and System V shared memory regardless of
>whether it ever works for tmpfs /dev.
>
>And life is still rather unpleasant even if fs_use is reverted to the
>upstream policy.  Using fscontext=system_u:object_r:device_t on the
>tmpfs /dev mount would help significantly, but the claim is that it is
>mounted before the initial policy load.  End result is that tmpfs_t ends
>up doing double duty as a type on shmem and /dev, which has a huge
>impact on existing policy.
>
>Strongly advise changing initialization to umount the initial tmpfs /dev
>prior to initrd exit and re-mount it _after_ the initial policy load
>using fscontext=.  Or load a minimal policy from the initrd in your
>/linuxrc prior to original tmpfs mount.
>
>  
>
Most of the problems with booting strict SELinux with /dev mounted on a
tmpfs file system should be fixed by the latest policy and initscripts package.

Dan
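An added example, not code from this thread or from Fedora's initscripts: a POSIX sh sketch of the sequence Stephen Smalley recommends above (unmount the tmpfs /dev that the initrd mounted before the initial policy load, re-mount it after load_policy with fscontext=) together with a check that /dev actually ended up labelled device_t rather than tmpfs_t. The context string is the one his message names; the function names, printing the commands instead of running them, and the parsing of `ls -Zd /dev` output are this example's own assumptions, and the sample `ls -Z` lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora's initscripts.
# Sketch of the /dev re-mount Stephen Smalley recommends: drop the tmpfs /dev
# that the initrd mounted before the initial policy load, then re-mount it
# with fscontext= so the mount (and nodes created on it) get device_t rather
# than the tmpfs default of tmpfs_t.  DEV_CTX is the context his message
# names; the function names and the 'ls -Zd' parsing are assumptions made
# for this example.

DEV_CTX="system_u:object_r:device_t"

# Print, one per line, the commands an init script would run after the
# initial policy load.  Printed rather than executed so the sequence can be
# reviewed (or piped to sh as root from the real boot script).
dev_remount_cmds() {
    printf '%s\n' \
        "umount /dev" \
        "mount -t tmpfs -o fscontext=$DEV_CTX none /dev"
}

# Extract the SELinux type (third component of the context) from one line of
# 'ls -Zd /dev' output.  The context field is located by pattern rather than
# by column, since the layout of 'ls -Z' output differs between releases
# (and a trailing :s0 range, if present, is ignored).
dev_type_from_ls() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:object_r:/) {
                    split($i, f, ":")
                    print f[3]
                    exit
                }
            }
        }'
}

# Succeed (exit 0) only if /dev carries device_t, the label the re-mount is
# meant to produce, so a boot script can fail loudly otherwise.
dev_label_ok() {
    [ "$(dev_type_from_ls "$1")" = "device_t" ]
}

# Constructed sample lines standing in for 'ls -Zd /dev' before and after
# the fix (not captured from any real system).
SAMPLE_BEFORE='drwxr-xr-x  root root system_u:object_r:tmpfs_t  /dev'
SAMPLE_AFTER='drwxr-xr-x  root root system_u:object_r:device_t /dev'

if [ "${1:-}" = "--show" ]; then
    dev_remount_cmds
    dev_label_ok "$SAMPLE_AFTER" && echo "after:  /dev is device_t"
    dev_label_ok "$SAMPLE_BEFORE" || echo "before: /dev is $(dev_type_from_ls "$SAMPLE_BEFORE"), not device_t"
fi
```

Run with `--show` to see the two commands and the before/after check. In a real boot script the umount only succeeds if nothing still holds /dev open at that point, which is why the message suggests doing it before the initrd hands off rather than later; the alternative it mentions, loading a minimal policy from the initrd before the first tmpfs mount, avoids the re-mount entirely.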



More information about the fedora-selinux-list mailing list