Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 239852 - SELinux boot failure after fresh installation
Summary: SELinux boot failure after fresh installation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
: High blocker
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-05 08:25 UTC by Markus Bartl
Modified: 2009-12-16 14:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Bartl 2008-10-05 08:25:52 UTC 
After installing SELinux base system following the SELinux HowTo, the system fails to boot in enforcing mode.
runscript.sh is denied access to /etc/resolv.conf
avc.log gives the following:
Sep 27 00:45:40 odin type=1400 audit(1222469133.010:29): avc:  denied  { write } for  pid=2883 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file


Reproducible: Always

Steps to Reproduce:
1. Install SELinux with 2008.0 minimal CD, use 2007.0 portage, 2007.0 stage-3 archive and the SELinux profile
2. Add syslog-ng and logrotate (may not be neccesary to reproduce)
3. Boot with kernel-parameter enforcing=1 (permissive in config file)

Actual Results:  
System hangs in boot sequence

Expected Results:  
System should boot up.

My solution:
Writing an additional policy:

policy_module(boot,1.0)

require {
        type initrc_t, net_conf_t;
}

allow initrc_t net_conf_t:file { setattr write };
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2009-12-16 14:55:23 UTC 
should be fixed in 2.x policies.  please reopen if there are further issues with this.