Re: missing tmpfs_t in latest?

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Tom London wrote:
> Running targeted, latest rawhide (e.g., selinux-policy-targeted-2.1.6-22).
>
> Reboot in enforcing mode fails: system goes into 'disk repair' mode.
>
> 'enforcing=0' works, but many messages.
>
> First, 'id -Z' in gnome terminal:
> [tbl@tlondon ~]$ id -Z
> system_u:system_r:xdm_t:SystemLow-SystemHigh
> [tbl@tlondon ~]$
>
> 'audit2allow -d' shows...
>
> [root@tlondon ~]# audit2allow -d
> allow auditctl_t tmpfs_t:chr_file write;
> allow auditd_t tmpfs_t:chr_file getattr;
> allow auditd_t tmpfs_t:dir search;
> allow cpucontrol_t tmpfs_t:chr_file write;
> allow cpucontrol_t tmpfs_t:dir search;
> allow cpuspeed_t tmpfs_t:chr_file getattr;
> allow cpuspeed_t tmpfs_t:dir search;
> allow dhcpc_t tmpfs_t:chr_file { read write };
> allow dhcpc_t tmpfs_t:dir search;
> allow fsadm_t tmpfs_t:blk_file ioctl;
> allow fsadm_t tmpfs_t:chr_file ioctl;
> allow hwclock_t tmpfs_t:chr_file getattr;
> allow hwclock_t tmpfs_t:dir search;
> allow ifconfig_t tmpfs_t:chr_file write;
> allow klogd_t tmpfs_t:dir search;
> allow klogd_t tmpfs_t:sock_file write;
> allow mount_t tmpfs_t:blk_file getattr;
> allow netutils_t tmpfs_t:chr_file write;
> allow pam_console_t tmpfs_t:blk_file setattr;
> allow pam_console_t tmpfs_t:chr_file setattr;
> allow pam_console_t tmpfs_t:dir search;
> allow pam_console_t tmpfs_t:lnk_file getattr;
> allow portmap_t tmpfs_t:chr_file getattr;
> allow portmap_t tmpfs_t:dir search;
> allow syslogd_t tmpfs_t:dir add_name;
> allow syslogd_t tmpfs_t:sock_file setattr;
> [root@tlondon ~]#
>
> Relabeling is borked:
> [root@tlondon ~]# restorecon -v -R /tmp
> file_contexts:  invalid context system_u:object_r:tmp_t
> matchpathcon(/tmp) failed Invalid argument
> file_contexts:  invalid context system_u:object_r:xdm_xserver_tmp_t
> matchpathcon(/tmp/.X0-lock) failed Invalid argument
> file_contexts:  invalid context system_u:object_r:xfs_tmp_t
> matchpathcon(/tmp/.font-unix) failed Invalid argument
> file_contexts:  invalid context system_u:object_r:xfs_tmp_t
> matchpathcon(/tmp/.font-unix/fs7100) failed Invalid argument
> [root@tlondon ~]#
>
> tom
> --
> Tom London
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   

This is caused by a bug in libsetrans.  You can either disable 
libsetrans for the time being
via /etc/selinux/targeted/setrans.conf
or
grab the updated libsetrans package from 
ftp://people.redhat.com/dwalsh/SELinux/Fedora

Basically the untranslation of

system_u:object_r:xfs_tmp_t -> system_u:object_r:xfs_tmp_t:s0 was broken by some optimizations that were
added to libsetrans in last nights rawhide.  Fix will be in tonights rawhide.



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list