On Fri, 2005-09-09 at 16:38 -0500, Joy Latten wrote:
I have installed Fedora Core 4 on my machine with selinux enabled
and have followed the instructions to enable MLS. Both are working.
I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
my kernel. However, I am unable to boot into my 2.6.13 kernel.

When I disable selinux (selinux=0) or set (enforcing=0) my kernel
boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
boot hangs after the SELinux initializations and at the point I believe
udev is supposed to get started.

When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
enforcing mode and exited the single user shell to come up in multi-user
mode, it worked. I am sure I am stepping around something. :-)
(These steps are similar to those in README.mls instructions.) I did get
a bunch of the following messages from "dmesg" though:

audit(1126300655.450:2839259): avc: denied { search } for pid=2199
comm="klogd" name="/" dev=tmpfs ino=1168
scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

I do not understand but am very curious to know why I cannot boot
straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?
A colleague experienced a similar problem. Has anyone else experienced
this problem or can explain to me what is happening?

Sounds like you didn't enable the tmpfs security labeling support in
your kernel .config (CONFIG_TMPFS_SECURITY). That would prevent
setting/getting security labels on the tmpfs /dev managed by udev, and
thus /dev would be inaccessible to most processes.
--
Stephen Smalley
National Security Agency
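
A triage sketch for the symptom and cause discussed in this thread, added here as an example and not code from either poster or from the SELinux project: it parses AVC denials from dmesg text, flags those whose target is on dev=tmpfs and still typed tmpfs_t, and checks a kernel .config for CONFIG_TMPFS_SECURITY. The function names, the sample inputs and the tmpfs_t heuristic are assumptions made for this example.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line,
# plus one made-up denial on a non-tmpfs device for contrast.
SAMPLE_DMESG = """\
audit(1126300655.450:2839259): avc: denied { search } for pid=2199 comm="klogd" name="/" dev=tmpfs ino=1168 scontext=system_u:system_r:klogd_t:s0-s9:c0.c127 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit(1126300660.100:2839300): avc: denied { read } for pid=2300 comm="example" name="f" dev=hda1 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Constructed .config fragments; the option name is the one given in the reply.
CONFIG_MISSING = "CONFIG_TMPFS=y\n# CONFIG_TMPFS_SECURITY is not set\n"
CONFIG_OK = "CONFIG_TMPFS=y\nCONFIG_TMPFS_SECURITY=y\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Extract the type field from user:role:type[:mls-range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabeled_tmpfs_denials(dmesg_text):
    """List (comm, source type, class, perms) for denials on tmpfs objects typed tmpfs_t."""
    hits = []
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("dev") == "tmpfs" and context_type(rec.get("tcontext", "")) == "tmpfs_t":
            hits.append((rec["comm"], context_type(rec["scontext"]), rec["tclass"], tuple(rec["perms"])))
    return hits

def option_enabled(config_text, option):
    """True only if the option is built in (=y); 'is not set' comment lines do not match."""
    return re.search(rf"^{re.escape(option)}=y$", config_text, re.M) is not None

if __name__ == "__main__":
    print(unlabeled_tmpfs_denials(SAMPLE_DMESG))
    print(option_enabled(CONFIG_MISSING, "CONFIG_TMPFS_SECURITY"))
```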