SELinux blocks access to device files when booting 2.6.32.* kernels (fc12)

Karl-Michael Schneider karlmicha at gmail.com
Fri May 21 17:30:59 UTC 2010


On Fri, May 21, 2010 at 4:30 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 05/21/2010 03:03 AM, Karl-Michael Schneider wrote:
>> I did some more debugging: booted both kernels in single user mode,
>> then listed the security contexts in /dev:
>>
>> kernel-2.6.31.12-174.2.22.fc12:
>> $ ls -Zd /dev
>> drwxr-xr-x. root root system_u:object_r:device_t:s0    /dev
>> files in /dev are labeled according to
>> /etc/selinux/targeted/contexts/files/file_contexts
>>
>> kernel-2.6.32.12-115.fc12:
>> $ ls -Zd /dev
>> drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0    /dev
>> all files in /dev are unlabeled_t
>>
>> But
>> $ fixfiles check /dev
>> prints nothing.
>>
>> On Thu, May 20, 2010 at 1:57 PM, Karl-Michael Schneider
>> <karlmicha at gmail.com> wrote:
>>> I cannot boot any 2.6.32.* kernel, right after udev is started I see
>>> console messages like
>>>
>>> ln: creating symbolic link "/dev/fd": Permission denied
>>>
>>> and then booting is very slow and mounting the local file systems
>>> fails. I believe it is a problem with SELinux because when I add
>>> enforcing=0 to the kernel parameters in grub, it boots with no
>>> problems, although I see many console messages like
>>>
>>> udev-work[678]: setfilecon /dev/fd failed: Operation not supported
>>>
>>> I also have a 2.6.31.12-174.2.22 kernel installed which I can boot and
>>> which doesn't have this problem. But every newer kernel that I
>>> installed does not boot when SELinux is enforcing.
>>>
>>> I relabeled the filesystem, but it didn't help.
>>>
>>> Any ideas what I can try next?
>>>
> What file system is /dev?
>
> What does
> # restorecon -R -v /dev
> do?
>
>

/dev is ext3 on an LVM. The entry from /etc/fstab is

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1

restorecon -R -v /dev does nothing (no output, file contexts are not
changed). That is despite the fact all the rules for /dev exist in
/etc/selinux/targeted/contexts/files/file_contexts.
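
An added example, not part of the original message: one way to collect the two facts discussed in this thread, namely which mount actually covers /dev according to a mount table in /proc/mounts format, and whether the `ls -Zd` output shows `unlabeled_t`. The function names and the sample mount table are constructed for illustration and are not taken from the reporter's system.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread; function names are hypothetical.

# fs_for_path PATH  (mount table in /proc/mounts format on stdin)
# Prints "mountpoint fstype" for the mount covering PATH: the longest mount
# point that is a prefix of PATH; on a tie the later line wins (mounted on top).
# Mount points with escaped characters (\040 etc.) are not handled.
fs_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            covers = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            if (covers && length(mp) >= length(best)) { best = mp; fstype = $3 }
        }
        END { if (best != "") print best, fstype }'
}

# context_type LINE: SELinux type (third context field) from one `ls -Zd` line.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# check_dev LS_LINE  (mount table on stdin): report, return 1 if unlabeled_t.
check_dev() {
    echo "mount covering /dev: $(fs_for_path /dev)"
    dev_type=$(context_type "$1")
    echo "SELinux type of /dev: $dev_type"
    [ "$dev_type" != "unlabeled_t" ]
}

# Constructed mount table (not the reporter's system).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
none /dev tmpfs rw 0 0
devpts /dev/pts devpts rw 0 0'
# ls -Zd line as quoted in the thread for the 2.6.32 kernel.
SAMPLE_LS='drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0    /dev'

printf '%s\n' "$SAMPLE_MOUNTS" | check_dev "$SAMPLE_LS" || echo "=> /dev is unlabeled"
# Live system: check_dev "$(ls -Zd /dev)" < /proc/mounts
```
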

