Created attachment 338898: part of kern.log

SELinux somehow gets in the way of mounting the cgroup filesystems (done in /etc/init.d/sysfs), leading to the attached error messages in the syslog. There are no avc denials logged, even if dontaudit rules are disabled. I did verify that the avc logging theoretically works at that time. The problem appears at least with hardened-source-3.7.0 and 3.7.5, using the SELinux base policy r9 and selinux-openrc (revs r9 or r11). I have successfully reproduced the issue in a VM driven by qemu-kvm and built upon stage3-amd64-hardened+nomultilib-20130130.
The same problem also occurs with the hardened-sources kernel versions 3.5.4-r1 and 3.2.35.
"allow kernel_t unlabeled_t:dir search_dir_perms" solves the problem. There are no denials logged due to a ratelimit. A big thanks goes to Stephen Smalley, who provided me with invaluable help on the selinux mailing list.
Committed to repository, will be in rev12
rev 12 in main tree, ~arch'ed
stabilized