| 1 |
Markus Bartl wrote: |
| 2 |
|
| 3 |
>>> max wrote: |
| 4 |
|
| 5 |
>>>> If i compile a policy on Fedora this is always set to allow, if not I |
| 6 |
>>>> usually run into problems like your having, I don't know enough about |
| 7 |
>>>> gentoo to know if this is supposed to be this way here or not, perhaps |
| 8 |
>>>> someone else can supply the answer. The description in the build.conf file: |
| 9 |
|
| 10 |
The current policy being used by Gentoo is a few months behind the one |
| 11 |
in Fedora (for technical reasons that hopefully will be resolved soon). |
| 12 |
But that wouldn't be causing your problem. Those dmesg warnings just |
| 13 |
mean the kernel you're running knows about the permissions and classes |
| 14 |
that have been added since the policy snapshot was taken. The base |
| 15 |
policy from portage *is* bootable in enforcing mode. |
| 16 |
|
| 17 |
> I know this wont help, but i got exactly the same issue. |
| 18 |
> If i try to boot in enforcing mode, init is blocked and the boot sequence stops. |
| 19 |
|
| 20 |
Some things to try: |
| 21 |
|
| 22 |
1. Relabel everything. Improper file labels cause no end of problems |
| 23 |
and *especially* in the boot process, since the wrong file context leads |
| 24 |
to the wrong process context and everything just falls apart. The |
| 25 |
safest way to do this is to switch to permissive mode, then do: |
| 26 |
|
| 27 |
rlpkg -a -r |
| 28 |
reboot |
| 29 |
rlpkg -a -r # in case anything got created on shutdown/restart. |
| 30 |
|
| 31 |
2. Once you've done that, check the following (still in permissive mode): |
| 32 |
|
| 33 |
# ls -lZ /sbin/init /sbin/rc |
| 34 |
(They should be labeled init_exec_t and initrc_exec_t, respectively.) |
| 35 |
|
| 36 |
# cat /etc/selinux/strict/context/run_init_type |
| 37 |
(should be run_init_t) |
| 38 |
|
| 39 |
# ps axZ | grep init |
| 40 |
(should be running as init_t) |
| 41 |
|
| 42 |
# id -Z |
| 43 |
(your user, role, and type should all match, like |
| 44 |
staff_u:staff_r:staff_t, and not be something like kernel_t, sshd_t, etc.) |
| 45 |
|
| 46 |
--Mike |
Archives