A question about installing refpolicy-2.20081210

Hi all,

I have a question about the error messages I get when installing refpolicy-2.20081210 from the Tresys website on a Dell 610 (x86_32) laptop. I have installed and compiled refpolicy-2.20081210 with the following SELinux userspace tools:

libsepol-2.0.36
libselinux-2.0.79
libsemanage-2.0.27
policycoreutils-2.0.55
checkpolicy-2.0.19
sepolgen-1.0.16

Then I use a kernel cmdline of "root=/dev/sda1 rw init=/bin/bash selinux=1" to boot into a shell with SELinux enabled, so that I can set up proper security contexts for the whole file system in the shell before the next time I let the kernel boot into the normal /sbin/init program and start everything with the correct security context. Then I run the following commands:

mount -t proc none /proc
mount -t sysfs none /sys
mount -t selinuxfs none /selinux
SELINUXTYPE=refpolicy-20081210
/usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$SELINUXTYPE/" /etc/selinux/config
/usr/sbin/restorecon -v -R /

The "load_policy -q" would pop up a message of:
type=1403 audit(1255195933.120:2): policy loaded auid=4294967295 ses=4294967295

so I guess policy.24 has been loaded successfully, and "restorecon" also runs successfully. However, when I change the kernel cmdline to "init=/sbin/init", I see hundreds of error messages about udev and mingetty, such as:

udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0) failed
udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed

and

type=1400 audit(1248303983.579:5559): avc:  denied  { open } for  pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=1400 audit(1248303983.598:5560): avc:  denied  { open } for  pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir

ending with "INIT: no more processes left in this runlevel" when I try to log in through the serial console.

I guess the above error messages may have resulted in the file system not having been labeled correctly. Does anyone know what I may have missed when trying to relabel the file system the first time I booted into the shell?

Thanks a lot!!

Harry
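An added example, not part of the original mail: two POSIX shell helpers built around the kind of output quoted above. avc_summary collapses AVC denial lines into one count per (source type, target type, class, permission) tuple, which is what you want to read before deciding whether a label or the policy is wrong; set_selinuxtype performs the same config edit as the sed command in the mail, but also handles a config file that has no SELINUXTYPE line (where a plain s/// would silently change nothing). The helper names and the sample lines are constructed here, modelled on the denials in the mail.

```shell
#!/bin/sh
# Constructed sample input (modelled on the mail's audit lines), so the
# helpers can be exercised without a running SELinux system.
SAMPLE_AVC='type=1400 audit(1248303983.579:5559): avc:  denied  { open } for  pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=1400 audit(1248303983.598:5560): avc:  denied  { open } for  pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=1403 audit(1255195933.120:2): policy loaded auid=4294967295 ses=4294967295'

# avc_summary: read audit records on stdin, keep only "avc: denied" ones,
# and print "<count> <src_type> -> <tgt_type> (<class>) { <perm> }" per tuple.
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between braces: "{ open }"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            # third field of user:role:type:range is the type
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        count[src " -> " tgt " (" cls ") { " perm " }"]++
    }
    END { for (k in count) print count[k], k }
    '
}

# set_selinuxtype FILE TYPE: select policy TYPE in an selinux config file.
# Same substitution as "sed -i" in the mail, written via a temp file so it
# is portable; appends the line if the file has no SELINUXTYPE= at all.
# Prints the value the file selects afterwards, for verification.
set_selinuxtype() {
    cfg=$1; newtype=$2
    if grep -q '^SELINUXTYPE=' "$cfg"; then
        tmp=$(mktemp) || return 1
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$newtype/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    else
        printf 'SELINUXTYPE=%s\n' "$newtype" >> "$cfg"
    fi
    sed -n 's/^SELINUXTYPE=//p' "$cfg"
}

# Usage: printf '%s\n' "$SAMPLE_AVC" | avc_summary
```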
