1 |
Markus Bartl wrote: |
2 |
|
3 |
>>> max wrote: |
4 |
|
5 |
>>>> If i compile a policy on Fedora this is always set to allow, if not I |
6 |
>>>> usually run into problems like your having, I don't know enough about |
7 |
>>>> gentoo to know if this is supposed to be this way here or not, perhaps |
8 |
>>>> someone else can supply the answer. The description in the build.conf file: |
9 |
|
10 |
The current policy being used by Gentoo is a few months behind the one |
11 |
in Fedora (for technical reasons that hopefully will be resolved soon). |
12 |
But that wouldn't be causing your problem. Those dmesg warnings just |
13 |
mean the kernel you're running knows about the permissions and classes |
14 |
that have been added since the policy snapshot was taken. The base |
15 |
policy from portage *is* bootable in enforcing mode. |
16 |
|
17 |
> I know this wont help, but i got exactly the same issue. |
18 |
> If i try to boot in enforcing mode, init is blocked and the boot sequence stops. |
19 |
|
20 |
Some things to try: |
21 |
|
22 |
1. Relabel everything. Improper file labels cause no end of problems |
23 |
and *especially* in the boot process, since the wrong file context leads |
24 |
to the wrong process context and everything just falls apart. The |
25 |
safest way to do this is to switch to permissive mode, then do: |
26 |
|
27 |
rlpkg -a -r |
28 |
reboot |
29 |
rlpkg -a -r # in case anything got created on shutdown/restart. |
30 |
|
31 |
2. Once you've done that, check the following (still in permissive mode): |
32 |
|
33 |
# ls -lZ /sbin/init /sbin/rc |
34 |
(They should be labeled init_exec_t and initrc_exec_t, respectively.) |
35 |
|
36 |
# cat /etc/selinux/strict/context/run_init_type |
37 |
(should be run_init_t) |
38 |
|
39 |
# ps axZ | grep init |
40 |
(should be running as init_t) |
41 |
|
42 |
# id -Z |
43 |
(your user, role, and type should all match, like |
44 |
staff_u:staff_r:staff_t, and not be something like kernel_t, sshd_t, etc.) |
45 |
|
46 |
--Mike |