problem booting a 2.6.13 kernel with selinux enabled

Stephen Smalley sds at
Mon Sep 12 12:21:56 UTC 2005

On Fri, 2005-09-09 at 16:38 -0500, Joy Latten wrote:
> I have installed Fedora Core 4 on my machine with selinux enabled
> and have followed the instructions to enable MLS. Both are working.
> I have compiled a 2.6.13 kernel from with selinux enabled in
> my kernel. However, I am unable to boot into my 2.6.13 kernel.
> When I disable selinux (selinux=0) or set (enforcing=0) my kernel
> boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
> boot hangs after the SELinux initializations and at the point I believe
> udev is suppose to get started. 
> When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
> and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
> enforcing mode and exited the single user shell to come up in multi-user
> mode, it worked. I am sure I am stepping around something. :-)
> (These steps are similar to those in instructions.) I did get
> a bunch of the following messages from "dmesg"
> though:
> audit(1126300655.450:2839259): avc:  denied  { search } for  pid=2199
> comm="klogd" name="/" dev=tmpfs ino=1168
> scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
> tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
> I do not understand but am very curious to know why I cannot boot
> straight into my 2.6.13 kernel?  Does 2.6.13 introduce some changes?
> A colleague experienced similar problem. Has anyone else experienced
> this problem or can explain to me what is happening?

Sounds like you didn't enable the tmpfs security labeling support in
your kernel .config (CONFIG_TMPFS_SECURITY).  That would prevent
setting/getting security labels on the tmpfs /dev managed by udev, and
thus /dev would be inaccessible to most processes.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list