Device nodes have no type when booting a 2.6.32.*.fc12 kernel

Karl-Michael Schneider karlmicha at gmail.com
Tue May 25 18:39:37 UTC 2010


On Mon, May 24, 2010 at 12:07 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>> I have fc12 installed on a Lenovo R61 laptop with two kernels:
>>
>> kernel-2.6.31.12-174.2.22.fc12.i686
>> kernel-2.6.32.12-115.fc12.i686
>>
>> The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>> kernel it fails because SELinux is blocking access to device nodes. I
>> can only boot the 2.6.32 kernel in single user mode. The reason is
>> that /dev and all files in it have no type:
>>
>> $ ls -lZ /dev
>> crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
> <snip>
>> The filesystem is ext3 on LVM:
>>
>> $ cat /etc/fstab
>> /dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
>> ...
>>
>> The filesystem was created when I installed FC9. Later I upgraded to
>> FC12. But the problem only appeared when the kernel was updated from
>> 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>>
>> I have already relabeled the filesystem, but it didn't help. I tried
>> restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>> anything.
>
> Sounds like the devtmpfs mount with a policy that doesn't know about it.
> dmesg | grep SELinux
> grep /dev /proc/mounts

This is what I get after booting kernel-2.6.32.12-115.fc12.i686:

$ dmesg | grep SELinux
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks
dracut: Loading SELinux policy
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux:  8 users, 12 roles, 2445 types, 119 bools, 1 sens, 1024 cats
SELinux:  73 classes, 179545 rules
SELinux:  class kernel_service not defined in policy
SELinux:  class tun_socket not defined in policy
SELinux:  permission open in class sock_file not defined in policy
SELinux:  permission module_request in class system not defined in policy
SELinux:  permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
SELinux: the above unknown classes and permissions will be allowed
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

$ grep /dev /proc/mounts
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

For comparison here is the latter after booting
kernel-2.6.31.12-174.2.22.fc12.i686:

udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
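
The two diagnostics requested in the quoted reply (dmesg | grep SELinux and grep /dev /proc/mounts) can be reduced to the lines that matter: mounts without the seclabel option, and filesystem types the kernel logs as "not configured for labeling". The script below is an added example, not part of the original message; the function names are hypothetical and the sample data is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample data below is
# constructed from the command output quoted in the message above.

# Read /proc/mounts-format text on stdin and print "mountpoint fstype" for
# every mount whose option list lacks the seclabel flag.
unlabeled_mounts() {
    awk '{
        n = split($4, opts, ",")
        labeled = 0
        for (i = 1; i <= n; i++) if (opts[i] == "seclabel") labeled = 1
        if (!labeled) print $2, $3
    }'
}

# Read dmesg text on stdin and print each filesystem type that SELinux
# reports as "not configured for labeling". Tolerates a timestamp prefix.
unconfigured_fs() {
    sed -n 's/^.*SELinux: *initialized (dev [^,]*, type \([^)]*\)), not configured for labeling.*$/\1/p'
}

sample_mounts_2632() {  # constructed: lines from the 2.6.32 boot
    cat <<'EOF'
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
EOF
}

sample_mounts_2631() {  # constructed: lines from the 2.6.31 boot
    cat <<'EOF'
udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
EOF
}

sample_dmesg() {  # constructed: three lines from the 2.6.32 kernel log
    cat <<'EOF'
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
EOF
}

echo "2.6.32 mounts without seclabel: $(sample_mounts_2632 | unlabeled_mounts)"
echo "2.6.31 mounts without seclabel: $(sample_mounts_2631 | unlabeled_mounts)"
echo "types not configured for labeling: $(sample_dmesg | unconfigured_fs)"
```

On a live system the same functions take the real inputs: `unlabeled_mounts < /proc/mounts` and `dmesg | unconfigured_fs`.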

