On Mon, 2010-02-22 at 14:12 -0500, Alan Rouse wrote:
> Stephen wrote:
> > You need to perform a restorecon -R /dev from /etc/rc.d/rc.sysinit so that the tmpfs /dev mount is properly
> > labeled. File a bug against whatever package owns that file in OpenSUSE (in Fedora, it is the initscripts
> > rpm).
>
> The scripts are different in suse. I've placed the restorecon command in /etc/init.d/boot prior to the first mount attempt. That seems to do the trick -- the denied messages related to tmpfs are now gone.
>
> See attached audit.log from the subsequent boot.

At this point, I think you can take the particular avc messages (split up by logical grouping, e.g. for each unique scontext=) to the refpolicy list (refpolicy@xxxxxxxxxxxxxx) and see about getting them resolved upstream. There may need to be some suse-specific rules added to the refpolicy. In the interim, you can always create a local policy module via audit2allow to enable your system to work.

--
Stephen Smalley
National Security Agency
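
One way to do the per-scontext split suggested in the reply above, as an added example that is not part of the original message. The function names are hypothetical and the log lines in `SAMPLE_LOG` are constructed, not taken from the attached audit.log.

```python
import re
from collections import defaultdict

# Matches the fields of a denied AVC record that matter for grouping.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records (assumption: typical audit.log layout).
SAMPLE_LOG = """\
type=AVC msg=audit(1266865901.101:10): avc:  denied  { read } for  pid=801 comm="udevd" name="rules.d" dev=sda2 ino=1201 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1266865901.101:10): arch=c000003e syscall=2 success=no exit=-13 comm="udevd"
type=AVC msg=audit(1266865901.230:11): avc:  denied  { search } for  pid=801 comm="udevd" name="rules.d" dev=sda2 ino=1201 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1266865903.004:14): avc:  denied  { write } for  pid=912 comm="klogd" name="messages" dev=sda2 ino=3310 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1266865905.500:19): avc:  granted  { setenforce } for  pid=1002 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

def group_denials(log_text):
    """Return {scontext: {(tcontext, tclass): set_of_denied_perms}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if "type=AVC " not in line:      # skip SYSCALL, USER_AVC, etc.
            continue
        m = AVC_RE.search(line)          # 'granted' records do not match
        if m:
            key = (m["tcontext"], m["tclass"])
            groups[m["scontext"]][key].update(m["perms"].split())
    return groups

def format_report(groups):
    """One block per source context, with duplicate denials merged."""
    out = []
    for scontext in sorted(groups):
        out.append(f"scontext={scontext}")
        for (tcontext, tclass), perms in sorted(groups[scontext].items()):
            out.append(f"  {tcontext} {tclass} {{ {' '.join(sorted(perms))} }}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(group_denials(SAMPLE_LOG)))
```

Each resulting block is one source domain's denials, which is a reviewable unit both for a report to the refpolicy list and for deciding what goes into a local module before running audit2allow.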