On Mon, May 24, 2010 at 12:07 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
> >
> > kernel-2.6.31.12-174.2.22.fc12.i686
> > kernel-2.6.32.12-115.fc12.i686
> >
> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
> > kernel it fails because SELinux is blocking access to device nodes. I
> > can only boot the 2.6.32 kernel in single user mode. The reason is
> > that /dev and all files in it have no type:
> >
> > $ ls -lZ /dev
> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
> <snip>
> > The filesystem is ext3 on LVM:
> >
> > $ cat /etc/fstab
> > /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
> > ...
> >
> > The filesystem was created when I installed FC9. Later I upgraded to
> > FC12. But the problem only appeared when the kernel was updated from
> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
> >
> > I have already relabeled the filesystem, but it didn't help. I tried
> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
> > anything.
>
> Sounds like the devtmpfs mount with a policy that doesn't know about it.
>
> dmesg | grep SELinux
> grep /dev /proc/mounts
This is what I get after booting kernel-2.6.32.12-115.fc12.i686:
$ dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
dracut: Loading SELinux policy
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8 users, 12 roles, 2445 types, 119 bools, 1 sens, 1024 cats
SELinux: 73 classes, 179545 rules
SELinux: class kernel_service not defined in policy
SELinux: class tun_socket not defined in policy
SELinux: permission open in class sock_file not defined in policy
SELinux: permission module_request in class system not defined in policy
SELinux: permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
SELinux: the above unknown classes and permissions will be allowed
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
$ grep /dev /proc/mounts
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

For comparison here is the latter after booting kernel-2.6.31.12-174.2.22.fc12.i686:
udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
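The two diagnostics above show the condition Stephen points at: the 2.6.32 kernel mounts /dev as devtmpfs, SELinux reports that superblock as "not configured for labeling", and the corresponding /proc/mounts line is the only one without a seclabel option, so every node under /dev ends up unlabeled_t. The script below is an added example written for this thread, not something posted by either participant; it turns those two observations into a repeatable check by parsing the line formats quoted in the thread (the sample input is constructed from those formats). On a live system the two printf pipelines would be replaced by dmesg and cat /proc/mounts.

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread. Flags (a) superblocks
# that SELinux initialized as "not configured for labeling" and (b) mounts
# whose option list lacks "seclabel". Any filesystem that shows up in both
# lists is one the loaded policy has no labeling rule for, which is exactly
# the devtmpfs symptom discussed above.

# (a) Read dmesg text on stdin; print the fs type of every superblock that
#     the kernel reported as "not configured for labeling".
unlabeled_fs_types() {
    sed -n 's/^SELinux: initialized (dev [^,]*, type \([^)]*\)), not configured for labeling$/\1/p'
}

# (b) Read /proc/mounts text on stdin; print "<mountpoint> <fstype>" for
#     every mount whose 4th field (mount options) has no "seclabel" entry.
mounts_without_seclabel() {
    awk '{
        n = split($4, opts, ",")
        has = 0
        for (i = 1; i <= n; i++) if (opts[i] == "seclabel") has = 1
        if (!has) print $2, $3
    }'
}

# Constructed sample input: shapes copied from the thread, not a real capture.
DMESG_SAMPLE='SELinux: Initializing.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts'

MOUNTS_SAMPLE='udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0'

# Run both checks on the sample. On a real host use:
#   dmesg | unlabeled_fs_types
#   cat /proc/mounts | mounts_without_seclabel
echo "fs types not configured for labeling:"
printf '%s\n' "$DMESG_SAMPLE" | unlabeled_fs_types
echo "mounts without seclabel:"
printf '%s\n' "$MOUNTS_SAMPLE" | mounts_without_seclabel
```

Relabeling with restorecon cannot help in this state, because restorecon sets extended-attribute labels and a filesystem the policy does not know how to label is not given per-file labels at all; the kernel output is the place to confirm that before spending time on relabeling.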