This has happened on multiple occasions. I followed the doc and it does not load. I keep having to load the base policy with cd /usr/share/selinux/mcs/ && semodule -b base.pp -i $(ls *.pp | grep -v base.pp); the same thing happens with strict. Perhaps we should add this line to the doc.
Actually on mcs that doesn't work.
I get this error when I do something like ./sshd restart: Exec:: No such file or directory
Somehow after running semodule -n -B && ldd /sbin/init I got that as my denial message.
Dec 19 17:41:05 zeus kernel: [ 2727.420844] type=1400 audit(1355956865.592:25): avc: denied { search } for pid=2442 comm="rc" name="1" dev="proc" ino=2053 ipaddr=137.112.116.221 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir ng
Dec 19 17:44:23 zeus kernel: [ 2925.755099] type=1400 audit(1355957063.925:26): avc: denied { read } for pid=2446 comm="rc" name="environ" dev="proc" ino=2054 ipaddr=137.112.116.221 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
Dec 19 17:44:23 zeus kernel: [ 2925.755144] type=1400 audit(1355957063.925:27): avc: denied { open } for pid=2446 comm="rc" path="/proc/1/environ" dev="proc" ino=2054 ipaddr=137.112.116.221 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
Dec 19 17:44:23 zeus kernel: [ 2925.755207] type=1400 audit(1355957063.925:28): avc: denied { getattr } for pid=2446 comm="rc" path="/proc/1/environ" dev="proc" ino=2054 ipaddr=137.112.116.221 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
I guess there were 3 simultaneous errors
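Added example, not part of this thread: a small Python script that parses AVC denial lines like the ones above, groups the denied permissions by source type, target type and object class, and renders the allow rule each group would need (the same summary audit2allow produces). The sample log is constructed from the denials quoted above (ipaddr field dropped) plus one non-AVC kernel line to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed input: the denials quoted in this thread (ipaddr field omitted)
# plus one unrelated kernel line, which the parser must ignore.
SAMPLE_LOG = """\
Dec 19 17:41:05 zeus kernel: [ 2727.420844] type=1400 audit(1355956865.592:25): avc: denied { search } for pid=2442 comm="rc" name="1" dev="proc" ino=2053 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
Dec 19 17:44:23 zeus kernel: [ 2925.755099] type=1400 audit(1355957063.925:26): avc: denied { read } for pid=2446 comm="rc" name="environ" dev="proc" ino=2054 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
Dec 19 17:44:23 zeus kernel: [ 2925.755144] type=1400 audit(1355957063.925:27): avc: denied { open } for pid=2446 comm="rc" path="/proc/1/environ" dev="proc" ino=2054 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
Dec 19 17:44:23 zeus kernel: [ 2925.755207] type=1400 audit(1355957063.925:28): avc: denied { getattr } for pid=2446 comm="rc" path="/proc/1/environ" dev="proc" ino=2054 scontext=root:sysadm_r:run_init_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
Dec 19 17:44:23 zeus kernel: [ 2925.755300] constructed non-AVC line that must be skipped
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields (perms as a list), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    return context.split(':')[2]

def summarize(log):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        groups[key].update(d['perms'])
    return {k: sorted(v) for k, v in groups.items()}

def allow_rules(summary):
    """Render each group as the allow rule a local policy module would need."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Each rendered rule is a candidate for review, not something to load blindly: here it tells you that run_init_t wants to read /proc/1/environ, which is what you would then decide whether the policy should permit.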
You're mixing a lot of things which makes it hard to know what the problem is. You state that the base policy doesn't load. What do you get? Any errors on the screen? If you clear your avc log, install the base policy and then check the avc denials, which ones do you get? What is the output of sestatus?
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Max kernel policy version: 28
That was strange, I made it enforcing, relabeled, rebuilt the policies and it worked somehow. No clue how it happened.
Disregard that last post. I was in permissive with the wrong role, so it just went through (but no avc error?); when enforcing, permission was denied, thankfully.
It seems to work now, except that for init scripts I have to use the full path when running them, such as /etc/init.d/sshd restart instead of ./sshd restart, which gives me Exec:: No such file or directory as an error.
The "Exec::" error isn't related to switching base policy; I have that on all systems. Not sure if this is by design or not. I'll create a bug for that to track. Any problems related to switching the policy types?
Exec issue reported as bug #448292
I guess it may be for another reason than what it was when I was using strict.
Ok going to close this one as invalid