Did world updates today and also moved to selinux-base-policy-2.20110726-r11 from the hardened-dev overlay. The subsequent boot of the system hung because of a failure to start sysfs and udev. I did do an rlpkg -ar before attempting to reboot. After trying a couple of things, including rolling back to an older kernel, without success, I put SELinux in permissive mode and the system proceeded to boot normally. Here is what I have been able to extract from logs thus far:

mkdir: cannot create directory `/sys/fs/cgroup/cpuset': Permission denied
mount: mount point /sys/fs/cgroup/cpuset does not exist
mkdir: cannot create directory `/sys/fs/cgroup/cpu': Permission denied
mount: mount point /sys/fs/cgroup/cpu does not exist
mkdir: cannot create directory `/sys/fs/cgroup/devices': Permission denied
mount: mount point /sys/fs/cgroup/devices does not exist
 * ERROR: sysfs failed to start
 * ERROR: cannot start udev as sysfs would not start

The next thing the system attempts is to start D-Bus, which hangs.
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506450.366:3): avc: denied { read write } for pid=617 comm="restorecon" name="console" dev=devtmpfs ino=1038 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:device_t tclass=chr_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.486:4): avc: denied { write } for pid=871 comm="mount" name="/" dev=configfs ino=98 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:configfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:5): avc: denied { write } for pid=878 comm="mkdir" name="/" dev=tmpfs ino=106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:6): avc: denied { add_name } for pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:7): avc: denied { create } for pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.586:8): avc: denied { search } for pid=879 comm="mount" name="/" dev=cgroup ino=1275 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506457.126:9): avc: denied { associate } for pid=897 comm="restorecon" name="shm" dev=devtmpfs ino=120 scontext=system_u:object_r:tmpfs_t tcontext=system_u:object_r:device_t tclass=filesystem
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506457.130:10): avc: denied { associate } for pid=897 comm="restorecon" name="pts" dev=devtmpfs ino=119 scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t tclass=filesystem
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.286:11): avc: denied { module_request } for pid=928 comm="rc" kmod="net-pf-10" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.713:12): avc: denied { relabelto } for pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.746:13): avc: denied { write } for pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506464.883:23): avc: denied { read } for pid=931 comm="udevd" name="10" dev=devtmpfs ino=622 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506464.883:24): avc: denied { unlink } for pid=1193 comm="udevd" name="10" dev=devtmpfs ino=622 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506465.566:25): avc: denied { setsched } for pid=1283 comm="mount" scontext=system_u:system_r:mount_t tcontext=system_u:system_r:kernel_t tclass=process
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:26): avc: denied { write } for pid=1313 comm="rm" name="console" dev=sda1 ino=1936394 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:27): avc: denied { remove_name } for pid=1313 comm="rm" name="default8x16.psfu.gz" dev=sda1 ino=1936395 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:28): avc: denied { unlink } for pid=1313 comm="rm" name="default8x16.psfu.gz" dev=sda1 ino=1936395 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.086:29): avc: denied { create } for pid=1314 comm="mkdir" name=".test.1307" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.486:30): avc: denied { getattr } for pid=1451 comm="fuser" path="socket:[1515]" dev=sockfs ino=1515 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.490:31): avc: denied { getattr } for pid=1452 comm="fuser" path="socket:[1516]" dev=sockfs ino=1516 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.533:32): avc: denied { getattr } for pid=1534 comm="fuser" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:debugfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.000:39): avc: denied { search } for pid=1843 comm="klogd" name="src" dev=sda1 ino=464406 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.023:40): avc: denied { read } for pid=1843 comm="klogd" name="linux" dev=sda1 ino=464552 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:41): avc: denied { read } for pid=1843 comm="klogd" name="System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:42): avc: denied { open } for pid=1843 comm="klogd" name="System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:43): avc: denied { getattr } for pid=1843 comm="klogd" path="/usr/src/linux-3.1.7-hardened/System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506472.236:44): avc: denied { read } for pid=1855 comm="modprobe" path="/var/lib/ip6tables/rules-save" dev=sda1 ino=445955 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Jan 13 19:01:23 siren kernel: type=1400 audit(1326506483.700:45): avc: denied { accept } for pid=2277 comm="slapd" path="/var/run/openldap/slapd.sock" scontext=system_u:system_r:slapd_t tcontext=system_u:system_r:slapd_t tclass=unix_stream_socket
Jan 13 19:01:24 siren kernel: type=1400 audit(1326506484.283:46): avc: denied { accept } for pid=2277 comm="slapd" path="/var/run/openldap/slapd.sock" scontext=system_u:system_r:slapd_t tcontext=system_u:system_r:slapd_t tclass=unix_stream_socket
Jan 13 19:01:24 siren dbus[2291]: avc: netlink poll: error 4
Jan 13 19:01:24 siren kernel: type=1400 audit(1326506484.290:47): avc: denied { setrlimit } for pid=2291 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process
Jan 13 19:01:24 siren dbus[2291]: avc: netlink poll: error 4
Jan 13 19:01:24 siren dbus[2291]: avc: netlink poll: error 4
Are you running ~arch software?
Yes, everything is ~amd64 except for the hardened-dev overlay. I think what is actually going on is that something is different in openrc-0.9.8, which came down with the updates, and now that has to be accounted for in the base policy. On the other hand, I saw several AVCs about slapd being unable to accept() on its socket file, which I'm pretty sure is a new development. Here is the list of updates that were emerged that I think might have any impact. There were about 50 altogether and I can get the complete list if you want.

openrc-0.9.8
selinux-dbus-2.20110726-r2
hardened-sources-3.1.7
selinux-base-policy-2.20110726-r11
coreutils-8.15
libdrm-2.4.30
util-linux-2.20.1-r1

Also I should mention that kernel mode setting of the console display did not function when SELinux was enforcing. However, I think this was a result of udev not starting.
The sysfs stuff is probably due to openrc (as /etc/init.d/sysfs is provided by openrc). The new version probably has changes in its behavior, and those still need to be accounted for in the policies. I'm currently building up a server completely in ~arch so that I can reproduce and help fix, but that might take a while (first I need to focus on failures with stable keywords ;-)
ACK on the sysfs one, will be allowed in rev 12 (currently by allowing initrc_t to manage sysfs dirs, but in the future we might use named transitions first). Will check dbus now.
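The triage that leads from the AVC dump in the first comment to the "allow initrc_t to manage sysfs dirs" conclusion above is what audit2allow does: group each denial by source type, target type and object class, and union the permissions. The script below is an added illustration and is not part of this bug report or of Gentoo's policy tooling. The sample lines are copied from the audit output posted above (syslog prefix trimmed) plus one of the "netlink poll" dbus lines, so it runs offline. It also does the one check a reviewer wants before pasting generated rules into a policy: a denial whose target is unlabeled_t (the cgroup mount above) points at a missing filesystem label, not at a missing allow rule, and granting it would paper over the labeling gap.

```python
import re
from collections import defaultdict

# Copied from the audit output in the bug report above, syslog prefix removed.
# The final dbus line is a non-denial "avc:" message and must be ignored.
SAMPLE_AVC_LINES = [
    'type=1400 audit(1326506456.570:5): avc: denied { write } for pid=878 comm="mkdir" name="/" dev=tmpfs ino=106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir',
    'type=1400 audit(1326506456.570:6): avc: denied { add_name } for pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir',
    'type=1400 audit(1326506456.570:7): avc: denied { create } for pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir',
    'type=1400 audit(1326506456.586:8): avc: denied { search } for pid=879 comm="mount" name="/" dev=cgroup ino=1275 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'type=1400 audit(1326506458.713:12): avc: denied { relabelto } for pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir',
    'type=1400 audit(1326506458.746:13): avc: denied { write } for pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir',
    'dbus[2291]: avc: netlink poll: error 4',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict (perms, comm, stype, ttype, tclass) for one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        # Contexts are user:role:type[:level]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': stype,
        'ttype': ttype,
        'tclass': tclass,
    }


def aggregate(lines):
    """Union the denied permissions per (source type, target type, class)."""
    agg = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            agg[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(agg)


def allow_rules(lines):
    """audit2allow-style output: one allow rule per aggregated key, sorted."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(aggregate(lines).items())
    ]


def needs_labeling_review(lines):
    """Keys that should be fixed by labeling (genfscon/fs_use), not by an allow rule.

    An unlabeled_t target means the kernel found no label for the object, so
    the generated rule would grant access to everything that is unlabeled."""
    return [f"{s} -> {t}:{c}" for (s, t, c) in sorted(aggregate(lines)) if t == 'unlabeled_t']


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
    for key in needs_labeling_review(SAMPLE_AVC_LINES):
        print('REVIEW LABELING:', key)
```

Run against the sample, the initrc_t/sysfs_t key collapses to `allow initrc_t sysfs_t:dir { add_name create write };`, which is the raw form of the fix described above; in a refpolicy-based tree such raw rules are normally expressed through the corresponding interface rather than pasted verbatim. The kernel_t/unlabeled_t key is reported separately so it is not turned into a rule.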
dbus works fine if sysfs is available.
*** Bug 400987 has been marked as a duplicate of this bug. ***
Available in hardened-dev overlay
confirmed fix
in main tree, ~arch'ed
Stabilized