Mike Edenfield schrieb:
> Markus Bartl wrote:
>
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.300:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda3 ino=1485226 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
>>
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.304:4): avc: denied { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda3 ino=1485112 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
>>
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.316:5): avc: denied { read write } for pid=1081 comm="rc" name="console" dev=sda3 ino=1485226 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
>>
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.364:6): avc: denied { read write } for pid=1083 comm="consoletype" name="console" dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
>>
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.364:7): avc: denied { getattr } for pid=1083 comm="consoletype" path="/dev/console" dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
>
> These are actually pretty harmless -- it just means your static /dev isn't labeled correctly. This is because the stage3 tarballs don't have any SELinux information in them, so when you unpack it the /dev files are there with no labels, but by the time you get SELinux working enough to relabel your filesystems, udev has taken over /dev.
>
> If you want to get rid of these AVCs from your dmesg, you just need to relabel the static dev entries. It's a bit tricky but you only need to do it once:
>
> # mkdir -p /mnt/realroot
> # mount -o bind / /mnt/realroot
> # setfiles -r /mnt/realroot \
>     /etc/selinux/strict/contexts/files/file_contexts \
>     /mnt/realroot/dev
> # umount /mnt/realroot
>
> *However*, I don't think this is really the cause of your problems. Gentoo's boot process is capable of continuing without access to /dev/console (though /dev/null may give it problems), and very early on udev is mounted and everything fixes itself.
>
> Have you manually unmasked any packages related to booting? In particular, openrc/baselayout2 won't work with the SELinux userland from portage, and has given me similar boot failures.
>
> Also, can you be more precise about what failed on boot? How far does your boot process get? Do you get any of the normal Gentoo boot messages (the colorized ones)?
>
> --Mike

Hi Folks!

Thanks Mike. The above procedure solved the boot problem.
I'm now able to boot up in enforcing mode.

What I still get is

Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc: denied { read write } for pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs ino=1330 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
...
Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc: denied { write } for pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc: denied { search } for pid=3681 comm="syslog-ng" name="lib" dev=sda3 ino=770262 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc: denied { write } for pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

I'm not quite sure if the /dev/null thing is really a problem, but the resolv.conf thing is one, because I don't get an IP from DHCP later on during boot.
Again, any ideas are welcome.

Regards,
Markus
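The distinction Mike draws above (a denial against `file_t` means the object was never labeled and is fixed by relabeling; a denial against a properly typed object needs a policy change) is the first sorting step when reading AVC output. The following triage script is an added example and is not code from the thread or from any SELinux tool. It parses `avc: denied` records, collapses them on the same (source type, target type, class, permissions) tuple that audit2allow collapses on, and sorts them into a "relabel" bucket (target type `file_t`/`unlabeled_t`, or the catch-all `device_t` on a device node such as `/dev/null`, whose refpolicy type is `null_device_t`) and a "policy" bucket for everything else. It also flags device-node denials whose `dev=` is a real disk rather than `tmpfs`: those hit the static nodes under `/` that udev's tmpfs hides, which is why a plain `restorecon` on `/dev/...` cannot reach them and the bind-mount relabel in the thread is needed. The bucket names, the type sets and the `hidden_static_node` heuristic are this example's own assumptions; the sample log is the thread's records plus one constructed non-AVC line.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread above, one
# record per line, plus one constructed non-AVC syslog line the parser must skip.
SAMPLE_LOG = """\
Sep 29 20:20:22 odin type=1400 audit(1222712401.300:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda3 ino=1485226 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Sep 29 20:20:22 odin type=1400 audit(1222712401.304:4): avc: denied { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda3 ino=1485112 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Sep 29 20:20:22 odin type=1400 audit(1222712401.316:5): avc: denied { read write } for pid=1081 comm="rc" name="console" dev=sda3 ino=1485226 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:6): avc: denied { read write } for pid=1083 comm="consoletype" name="console" dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:7): avc: denied { getattr } for pid=1083 comm="consoletype" path="/dev/console" dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc: denied { read write } for pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs ino=1330 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc: denied { write } for pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc: denied { search } for pid=3681 comm="syslog-ng" name="lib" dev=sda3 ino=770262 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc: denied { write } for pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Sep 30 10:20:02 odin kernel: (constructed non-AVC line, must be ignored)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed classification sets (this example's choice, not from the thread):
# file_t / unlabeled_t on the target mean the object never got a label at all;
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
# device_t is refpolicy's catch-all type for /dev, so a node that has its own
# type in file_contexts (e.g. /dev/null -> null_device_t) but shows device_t was
# created without that context being applied. Both cases are fixed by relabeling.
GENERIC_DEV_TYPE = "device_t"


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    for ctx in ("scontext", "tcontext"):
        if ctx not in rec:
            return None
        rec[ctx + "_type"] = rec[ctx].split(":")[2]  # user:role:type[:level]
    rec["object"] = rec.get("path") or rec.get("name", "?")
    return rec


def classify(rec):
    """'relabel' if a wrong/missing label explains the denial, else 'policy'."""
    ttype = rec["tcontext_type"]
    if ttype in UNLABELED_TYPES:
        return "relabel"
    if ttype == GENERIC_DEV_TYPE and rec.get("tclass") in ("chr_file", "blk_file"):
        return "relabel"
    return "policy"


def hidden_static_node(rec):
    """Device-node denial whose dev= is a disk, not tmpfs: the static node under /
    that udev's tmpfs /dev hides, which restorecon on /dev/... cannot reach."""
    return rec.get("tclass") in ("chr_file", "blk_file") and rec.get("dev") != "tmpfs"


def triage(text):
    """Bucket denials and collapse them on the (source, target, class, perms)
    tuple audit2allow collapses on, remembering which objects were hit."""
    buckets = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", "?"), rec["perms"])
        entry = buckets[classify(rec)].setdefault(key, {"objects": set(), "count": 0, "static": False})
        entry["objects"].add((rec["object"], rec.get("dev", "?")))
        entry["count"] += 1
        entry["static"] = entry["static"] or hidden_static_node(rec)
    return buckets


def report(buckets):
    """One summary line per collapsed denial, relabel candidates first."""
    out = []
    for bucket in ("relabel", "policy"):
        for (src, tgt, cls, perms), e in sorted(buckets.get(bucket, {}).items()):
            objs = ", ".join(f"{o} (dev={d})" for o, d in sorted(e["objects"]))
            line = f"[{bucket}] {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} x{e['count']}: {objs}"
            if e["static"]:
                line += "  <- static node under the root fs; relabel through a bind mount of /"
            out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it over `dmesg` or `/var/log/audit/audit.log` after a boot; everything in the "relabel" bucket should disappear after a relabel (the bind-mount one for static nodes, `restorecon` for the tmpfs ones), and only the "policy" bucket is worth feeding to audit2allow or reporting against the policy. On the thread's own records it puts the five `file_t` console/tty denials and the two `device_t` `/dev/null` denials under "relabel", and the `resolv.conf` (`net_conf_t`) and `/var/lib` (`var_lib_t`) denials under "policy".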