| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
Mike Edenfield schrieb: |
| 9 |
Markus |
| 10 |
Bartl wrote: |
| 11 |
|
| 12 |
|
| 13 |
Sep 29 20:20:22 odin type=1400 |
| 14 |
audit(1222712401.300:3): avc: denied { read write } for pid=1 |
| 15 |
comm="init" path="/dev/console" dev=sda3 ino=1485226 |
| 16 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
| 17 |
tclass=chr_file |
| 18 |
|
| 19 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.304:4): avc: denied { |
| 20 |
ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda3 ino=1485112 |
| 21 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
| 22 |
tclass=chr_file |
| 23 |
|
| 24 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.316:5): avc: denied { |
| 25 |
read write } for pid=1081 comm="rc" name="console" dev=sda3 |
| 26 |
ino=1485226 scontext=system_u:system_r:initrc_t |
| 27 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 28 |
|
| 29 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:6): avc: denied { |
| 30 |
read write } for pid=1083 comm="consoletype" name="console" dev=sda3 |
| 31 |
ino=1485226 scontext=system_u:system_r:consoletype_t |
| 32 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 33 |
|
| 34 |
Sep 29 20:20:22 odin type=1400 audit(1222712401.364:7): avc: denied { |
| 35 |
getattr } for pid=1083 comm="consoletype" path="/dev/console" dev=sda3 |
| 36 |
ino=1485226 scontext=system_u:system_r:consoletype_t |
| 37 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
These are actually pretty harmless -- it just means your static /dev |
| 42 |
isn't labeled correctly. This is because the stage3 tarballs don't |
| 43 |
have any SELinux information in them, so when you unpack it the /dev |
| 44 |
files are there with no labels, but by the time you get SELinux working |
| 45 |
enough to relabel your filesystems, udev has taken over /dev. |
| 46 |
|
| 47 |
|
| 48 |
If you want to get rid of these AVC's from your dmesg, you just need to |
| 49 |
relabel the static dev entries. It's a bit tricky but you only need to |
| 50 |
do it once: |
| 51 |
|
| 52 |
|
| 53 |
# mkdir -p /mnt/realroot |
| 54 |
|
| 55 |
# mount -o bind / /mnt/realroot |
| 56 |
|
| 57 |
# setfiles -r /mnt/realroot \ |
| 58 |
|
| 59 |
/etc/selinux/strict/contexts/files/file_contexts \ |
| 60 |
|
| 61 |
/mnt/realroot/dev |
| 62 |
|
| 63 |
# umount /mnt/realroot |
| 64 |
|
| 65 |
|
| 66 |
*However*, I don't this this is really the cause of your problems. |
| 67 |
Gentoo's boot process is capable of continuing without access to |
| 68 |
/dev/console (though /dev/null may give it problems), and very early on |
| 69 |
udev mounted and everything fixes itself. |
| 70 |
|
| 71 |
|
| 72 |
Have you manually unmasked any packages related to booting? In |
| 73 |
particular, openrc/baselayout2 won't work with the SELinux userland |
| 74 |
from portage, and have given me similar boot failures. |
| 75 |
|
| 76 |
|
| 77 |
Also, can you be more precise about what failed on boot? How far does |
| 78 |
your boot process get? Do you get any of the normal Gentoo boot |
| 79 |
messages (the colorized ones)? |
| 80 |
|
| 81 |
|
| 82 |
--Mike |
| 83 |
|
| 84 |
|
| 85 |
|
| 86 |
Hi Folks!
|
| 87 |
|
| 88 |
Thanks Mike. The above procedure solved the boot problem.
|
| 89 |
Im now able to boot up in enforcing mode.
|
| 90 |
|
| 91 |
What i still get is
|
| 92 |
Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc: denied { |
| 93 |
read write } for pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs |
| 94 |
ino=1330 scontext=system_u:system_r:insmod_t |
| 95 |
tcontext=system_u:object_r:device_t tclass=chr_file
|
| 96 |
...
|
| 97 |
Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc: denied |
| 98 |
{ write } for pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 |
| 99 |
ino=1999328 scontext=system_u:system_r:initrc_t |
| 100 |
tcontext=system_u:object_r:net_conf_t tclass=file
|
| 101 |
Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc: denied |
| 102 |
{ search } for pid=3681 comm="syslog-ng" name="lib" dev=sda3 |
| 103 |
ino=770262 scontext=system_u:system_r:syslogd_t |
| 104 |
tcontext=system_u:object_r:var_lib_t tclass=dir
|
| 105 |
Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc: denied { |
| 106 |
write } for pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 |
| 107 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t |
| 108 |
tclass=chr_file
|
| 109 |
|
| 110 |
Im not quite sure if the /dev/null thing is really a problem, but the |
| 111 |
reslov.conf thing is one, because i dont get an IP from DHCP later on |
| 112 |
during boot.
|
| 113 |
Again any ideas are welcome.
|
| 114 |
|
| 115 |
Regards,
|
| 116 |
Markus
|
| 117 |
|
| 118 |
|
| 119 |
|
| 120 |
|
| 121 |
|
| 122 |
|
| 123 |
|
| 124 |
|
Archives