On Friday 08 August 2008 10:00:39 Russell Coker wrote:
> On Friday 08 August 2008 00:10, Dennis Wronka <linuxweb@xxxxxxx> wrote:
> > Does anybody know where this problem is? Is it udev? I already compiled
> > it with SELinux-support, but /dev is always tmpfs_t.
> > As said, I suspect udev here, but of course I might be wrong.
>
> Your udev script which mounts the tmpfs (which might be /etc/init.d/udev or
> a script called by it) needs to call restorecon.
>
> See the scripts in Debian and Fedora for examples of how it's done.

Thanks, this already helped with the wrongly labeled /dev, but not with the error, which I believe will still stop the boot if I'd switch to enforcing.

Here's the message:

type=1401 audit(1218261917.800:3): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file

As the message doesn't show anything, I do not know for sure which file it exactly is. As this message is caused by the call of dmsetup mknodes (I use an encrypted root-partition in this setup), it must be either /dev/hdaX (all three hda-partitions have this context, hda3 is the actual root-fs) or /dev/mapper/cryptroot, which also has that context and is the file that's actually supposed to be created by dmsetup.

I had a look around in the policy but couldn't find a way to get around this. Also, Google wasn't very helpful, as it points to patches and sources of the SELinux-libraries.

Just for testing I removed the call of dmsetup mknodes, but the error still happens, as lvm vgmknodes is still called and it causes the same problem. I also switched (disabled the lvm-call and re-enabled the dmsetup-call) and I get the error. So, both calls give this error, as they both run in the same domain lvm_t and want to do the same stuff with my files.

Now the problem is, how do I get rid of this problem? Both LVM and DevMapper are compiled with SELinux-support, but somehow MLS doesn't allow them to perform this transition.
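Added example (not part of the original message): a small Python parser for the security_validate_transition record quoted above. It splits each context into user, role, type and MLS range and reports which component the denied relabel would have changed. The function names are this example's own.

```python
import re

# Record as quoted in the message above ("newconext" is spelled as logged).
RECORD = (
    "type=1401 audit(1218261917.800:3): security_validate_transition: denied for "
    "oldcontext=system_u:object_r:fixed_disk_device_t:s0 "
    "newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 "
    "taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file"
)

FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not an MLS context: %r" % ctx)
    return dict(zip(FIELDS, parts))


def parse_record(line):
    """Return the contexts and class of a security_validate_transition record."""
    if "security_validate_transition" not in line:
        raise ValueError("not a validate-transition record")
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    # Accept both the spelling seen in this log and the corrected one.
    new = kv.get("newcontext") or kv.get("newconext")
    if new is None:
        raise ValueError("record has no new context")
    return {
        "old": split_context(kv["oldcontext"]),
        "new": split_context(new),
        "task": split_context(kv["taskcontext"]),
        "tclass": kv["tclass"],
    }


def changed_fields(rec):
    """Map each context component that differs to its (old, new) values."""
    return {f: (rec["old"][f], rec["new"][f])
            for f in FIELDS if rec["old"][f] != rec["new"][f]}


if __name__ == "__main__":
    rec = parse_record(RECORD)
    print(rec["tclass"], changed_fields(rec), "task range:", rec["task"]["range"])
```

For the quoted record, user, role and type are identical in the old and new context; only the MLS range differs (s0 versus s15:c0.c255), while the task runs with the range s0-s15:c0.c255.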