udev slowness and selinux

Tom London selinux at gmail.com
Fri Dec 2 20:36:48 UTC 2005


On 12/2/05, Nicolas Mailhot <nicolas.mailhot at laposte.net> wrote:
> Le vendredi 02 décembre 2005 à 20:42 +0100, Nicolas Mailhot a écrit :
> > Le vendredi 02 décembre 2005 à 14:38 -0500, Stephen Smalley a écrit :
>
> > > Hmmm...same versions of the above, don't see this behavior.  Details?
> >
> > No :(
> > Did a rawhide update (kernel + selinux stuff), touch ./autorelabel,
> > reboot -> bang
> > Tried the previous working kernel -> bang
> > Rebooted on the rescue disk, nothing in the system logs (crash too early
> > at selinux init)
> >
> > Since the last sync was only selinux-related, decided to try
> > selinux=false before mucking with the system, and everything booted at
> > once.
> >
> > Will try to reproduce now, in case it was a transient problem
>
> I can confirm - it's perfectly reproduceable. Boot -> bang. Add
> selinux=false via grub -> works
>
> I'll mail you privately a screenshot.
>
> Regards,
>
> --
> Nicolas Mailhot
>
Additional confirmation:

update to latest policy (selinux-policy-targeted-2.0.7-2) yielded many
avc and transition errors on boot.

Rebooted in permissive and relabeled.

rebooting in enforcing 'works', but lots of avcs:
[root at tlondon ~]# ausearch -m avc,selinux_err -ts 12/02/2005 | audit2allow -l
allow cupsd_t unlabeled_t:dir search;
allow dhcpc_t system_dbusd_var_run_t:dir search;
allow hald_t agp_device_t:chr_file getattr;
allow hald_t clock_device_t:chr_file getattr;
allow hald_t memory_device_t:chr_file getattr;
allow hald_t ptmx_t:chr_file getattr;
allow hald_t random_device_t:chr_file getattr;
allow hald_t sound_device_t:chr_file getattr;
allow hald_t tmpfs_t:chr_file getattr;
allow hald_t tty_device_t:chr_file getattr;
allow hald_t unlabeled_t:dir search;
allow hald_t urandom_device_t:chr_file getattr;
allow hald_t zero_device_t:chr_file getattr;
allow kernel_t lib_t:file execmod;
allow kernel_t texrel_shlib_t:file relabelto;
allow kernel_t user_home_dir_t:dir relabelto;
allow kernel_t user_home_t:dir relabelto;
allow kernel_t user_home_t:file relabelto;
allow kernel_t user_home_t:lnk_file relabelto;
allow kernel_t user_home_t:sock_file relabelto;
allow ntpd_t self:capability sys_resource;
allow privoxy_t unlabeled_t:file getattr;
allow system_dbusd_t unlabeled_t:dir read;
allow unlabeled_t fs_t:filesystem associate;

These known?  Need the actual avcs?

tom
--
Tom London




More information about the devel mailing list