| 1 |
Mike Edenfield schrieb: |
| 2 |
> Markus Bartl wrote: |
| 3 |
> |
| 4 |
>>>> max wrote: |
| 5 |
> |
| 6 |
>>>>> If i compile a policy on Fedora this is always set to allow, if not I |
| 7 |
>>>>> usually run into problems like your having, I don't know enough about |
| 8 |
>>>>> gentoo to know if this is supposed to be this way here or not, |
| 9 |
>>>>> perhaps |
| 10 |
>>>>> someone else can supply the answer. The description in the |
| 11 |
>>>>> build.conf file: |
| 12 |
> |
| 13 |
> The current policy being used by Gentoo is a few months behind the one |
| 14 |
> in Fedora (for technical reasons that hopefully will be resolved |
| 15 |
> soon). But that wouldn't be causing your problem. Those dmesg |
| 16 |
> warnings just mean the kernel you're running knows about the |
| 17 |
> permissions and classes that have been added since the policy snapshot |
| 18 |
> was taken. The base policy from portage *is* bootable in enforcing mode. |
| 19 |
> |
| 20 |
>> I know this wont help, but i got exactly the same issue. |
| 21 |
>> If i try to boot in enforcing mode, init is blocked and the boot |
| 22 |
>> sequence stops. |
| 23 |
> |
| 24 |
> Some things to try: |
| 25 |
> |
| 26 |
> 1. Relabel everything. Improper file labels cause no end of problems |
| 27 |
> and *especially* in the boot process, since the wrong file context |
| 28 |
> leads to the wrong process context and everything just falls apart. |
| 29 |
> The safest way to do this is to switch to permissive mode, then do: |
| 30 |
> |
| 31 |
> rlpkg -a -r |
| 32 |
> reboot |
| 33 |
> rlpkg -a -r # in case anything got created on shutdown/restart. |
| 34 |
> |
| 35 |
> 2. Once you've done that, check the following (still in permissive mode): |
| 36 |
> |
| 37 |
> # ls -lZ /sbin/init /sbin/rc |
| 38 |
> (They should be labeled init_exec_t and initrc_exec_t, respectively.) |
| 39 |
> |
| 40 |
> # cat /etc/selinux/strict/context/run_init_type |
| 41 |
> (should be run_init_t) |
| 42 |
> |
| 43 |
> # ps axZ | grep init |
| 44 |
> (should be running as init_t) |
| 45 |
> |
| 46 |
> # id -Z |
| 47 |
> (your user, role, and type should all match, like |
| 48 |
> staff_u:staff_r:staff_t, and not be something like kernel_t, sshd_t, |
| 49 |
> etc.) |
| 50 |
> |
| 51 |
> --Mike |
| 52 |
> |
| 53 |
> |
| 54 |
> |
| 55 |
Hello. |
| 56 |
|
| 57 |
Ok I did all the checks and everything is like it should be. |
| 58 |
If i check my avc.log from the last reboot I get following entries: |
| 59 |
|
| 60 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.300:3): avc: denied { |
| 61 |
read write } for pid=1 comm="init" path="/dev/console" dev=sda3 |
| 62 |
ino=1485226 scontext=system_u:system_r:init_t |
| 63 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 64 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.304:4): avc: denied { |
| 65 |
ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda3 ino=1485112 |
| 66 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
| 67 |
tclass=chr_file |
| 68 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.316:5): avc: denied { |
| 69 |
read write } for pid=1081 comm="rc" name="console" dev=sda3 ino=1485226 |
| 70 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t |
| 71 |
tclass=chr_file |
| 72 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:6): avc: denied { |
| 73 |
read write } for pid=1083 comm="consoletype" name="console" dev=sda3 |
| 74 |
ino=1485226 scontext=system_u:system_r:consoletype_t |
| 75 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 76 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:7): avc: denied { |
| 77 |
getattr } for pid=1083 comm="consoletype" path="/dev/console" dev=sda3 |
| 78 |
ino=1485226 scontext=system_u:system_r:consoletype_t |
| 79 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 80 |
|
| 81 |
|
| 82 |
Maybe that helps to locate the problem. |
| 83 |
Thanks all for your help! |
| 84 |
|
| 85 |
Regards, |
| 86 |
Markus |
Archives