On Mon, May 24, 2010 at 12:07 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>> I have fc12 installed on a Lenovo R61 laptop with two kernels:
>>
>> kernel-2.6.31.12-174.2.22.fc12.i686
>> kernel-2.6.32.12-115.fc12.i686
>>
>> The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>> kernel it fails because SELinux is blocking access to device nodes. I
>> can only boot the 2.6.32 kernel in single user mode. The reason is
>> that /dev and all files in it have no type:
>>
>> $ ls -lZ /dev
>> crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
> <snip>
>> The filesystem is ext3 on LVM:
>>
>> $ cat /etc/fstab
>> /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
>> ...
>>
>> The filesystem was created when I installed FC9. Later I upgraded to
>> FC12. But the problem only appeared when the kernel was updated from
>> 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>>
>> I have already relabeled the filesystem, but it didn't help. I tried
>> restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>> anything.
>
> Sounds like the devtmpfs mount with a policy that doesn't know about it.
> dmesg | grep SELinux
> grep /dev /proc/mounts

This is what I get after booting kernel-2.6.32.12-115.fc12.i686:

$ dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
dracut: Loading SELinux policy
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8 users, 12 roles, 2445 types, 119 bools, 1 sens, 1024 cats
SELinux: 73 classes, 179545 rules
SELinux: class kernel_service not defined in policy
SELinux: class tun_socket not defined in policy
SELinux: permission open in class sock_file not defined in policy
SELinux: permission module_request in class system not defined in policy
SELinux: permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
SELinux: the above unknown classes and permissions will be allowed
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

$ grep /dev /proc/mounts
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

For comparison here is the latter after booting
kernel-2.6.31.12-174.2.22.fc12.i686:

udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
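
Added example, not part of the original message and not SELinux project code: a Python check that correlates the two outputs requested in the thread, reporting every mount whose filesystem type the kernel logged as "not configured for labeling" and whether that mount carries the seclabel option. The function names are hypothetical, and the sample lines are copied from the 2.6.32 output in the message.

```python
import re

# Kernel message logged once per superblock, e.g.
# "SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling"
INIT_RE = re.compile(r"SELinux: initialized \(dev (\S+), type (\S+)\), (.+)$")
UNCONFIGURED = "not configured for labeling"


def labeling_by_fstype(dmesg_text):
    """Map filesystem type -> set of labeling behaviors the kernel reported."""
    result = {}
    for line in dmesg_text.splitlines():
        m = INIT_RE.search(line)  # search() tolerates a leading "[ 12.34]" timestamp
        if m:
            result.setdefault(m.group(2), set()).add(m.group(3).strip())
    return result


def unlabeled_mounts(dmesg_text, mounts_text):
    """Return (mountpoint, fstype, has_seclabel) for each /proc/mounts entry
    whose filesystem type was reported as not configured for labeling."""
    unconfigured = {fstype for fstype, behaviors
                    in labeling_by_fstype(dmesg_text).items()
                    if UNCONFIGURED in behaviors}
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _device, mountpoint, fstype, options = fields[:4]
        if fstype in unconfigured:
            findings.append((mountpoint, fstype, "seclabel" in options.split(",")))
    return findings


# Sample input: lines copied from the 2.6.32 output quoted in the message.
SAMPLE_DMESG = """\
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
"""
SAMPLE_MOUNTS = """\
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
"""

if __name__ == "__main__":
    for mountpoint, fstype, has_seclabel in unlabeled_mounts(SAMPLE_DMESG, SAMPLE_MOUNTS):
        print(f"{mountpoint}: {fstype} not configured for labeling "
              f"(seclabel option present: {has_seclabel})")
```

On a live system the two arguments would be the output of `dmesg` and the contents of `/proc/mounts`.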