Bug 76198 - fresh selinux install doesn't boot with enforce=1
Summary: fresh selinux install doesn't boot with enforce=1
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2004-12-30 19:33 UTC by Spider (RETIRED)
Modified: 2006-01-29 08:57 UTC (History)
Description Spider (RETIRED) gentoo-dev 2004-12-30 19:33:59 UTC
It stops after "enabling swap" and then demands a password to continue "booting normally" .. password authentication that fails.

setup runs with /var /home on separate partitions, (ext3) but is quite vanilla otherwise.   



Reproducible: Always
Steps to Reproduce:

From my last reboot, these are the error messages I get:
audit(1104463417.112:0): avc:  denied  { search } for  pid=4028 exe=/bin/netstat name=net dev=proc ino=-268435435 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_net_t tclass=dir
audit(1104463417.112:0): avc:  denied  { read } for  pid=4028 exe=/bin/netstat name=route dev=proc ino=-268435025 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_net_t tclass=file
audit(1104463417.112:0): avc:  denied  { getattr } for  pid=4028 exe=/bin/netstat path=/proc/net/route dev=proc ino=-268435025 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_net_t tclass=file
audit(1104463417.596:0): avc:  denied  { sys_chroot } for  pid=4135 exe=/usr/sbin/ntpd capability=18 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
audit(1104463417.883:0): avc:  denied  { getattr } for  pid=4185 exe=/bin/true path=/proc/4185/mounts dev=proc ino=274268176 scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:insmod_t tclass=file
audit(1104463450.521:0): avc:  denied  { execute } for  pid=4269 exe=/bin/bash name=mount dev=hde3 ino=374743 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mount_exec_t tclass=file
audit(1104463450.521:0): avc:  denied  { execute_no_trans } for  pid=4269 exe=/bin/bash path=/bin/mount dev=hde3 ino=374743 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mount_exec_t tclass=file
audit(1104463450.521:0): avc:  denied  { read } for  pid=4269 exe=/bin/bash path=/bin/mount dev=hde3 ino=374743 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mount_exec_t tclass=file
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2005-01-04 16:32:59 UTC
Hmm, not sure what's going on.  The first three denials aren't fatal.  The next is related to ntpd, and should be fixed in the newest ntp policy.  The insmod is also not fatal.  The remaining look like you logged in as root and tried to mount something while in staff_r instead of sysadm_r.
Comment 2 Spider (RETIRED) gentoo-dev 2005-01-05 14:01:38 UTC
Well.. I'm not. That's why I got confused.
Comment 3 Andy Dustman 2005-10-14 10:53:23 UTC
I am also having trouble starting in enforcing mode with udev. Basically it blows up if you try. If starting with enforcing off, I get this:

Oct 14 11:38:30 dynamo audit(1129304301.961:2): avc:  denied  { create } for  pid=416 comm="tar" name="vcsa1" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Oct 14 11:38:30 dynamo audit(1129304301.961:3): avc:  denied  { create } for  pid=416 comm="tar" name="xdb8" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file
Oct 14 11:38:30 dynamo audit(1129304301.969:4): avc:  denied  { setattr } for  pid=416 comm="tar" name="video" dev=tmpfs ino=849 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=lnk_file
Oct 14 11:38:30 dynamo audit(1129304302.957:5): avc:  denied  { search } for  pid=496 comm="scsi_id" name="tmp" dev=sda3 ino=41994441 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmp_t tclass=dir
Oct 14 11:38:30 dynamo audit(1129304307.875:6): avc:  denied  { search } for  pid=330 comm="udevd" name="1" dev=proc ino=65538 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
Oct 14 11:38:30 dynamo audit(1129304307.875:7): avc:  denied  { read } for  pid=330 comm="udevd" name="stat" dev=proc ino=65550 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=file
Oct 14 11:38:30 dynamo audit(1129304307.875:8): avc:  denied  { search } for  pid=330 comm="udevd" name="4850" dev=proc ino=317849602 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=dir
Oct 14 11:38:30 dynamo audit(1129304307.875:9): avc:  denied  { read } for  pid=330 comm="udevd" name="stat" dev=proc ino=317849614 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=file
Oct 14 11:38:30 dynamo audit(1129304307.875:10): avc:  denied  { search } for  pid=330 comm="udevd" name="5036" dev=proc ino=330039298 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
Oct 14 11:38:30 dynamo audit(1129304307.875:11): avc:  denied  { read } for  pid=330 comm="udevd" name="stat" dev=proc ino=330039310 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=file

There's a lot more, but I'll stop there.

If I set RC_DEVICE_TARBALL="no" in /etc/conf.d/rc, it's a lot happier, though it still throws a lot of denials like this:

Oct 14 13:41:55 dynamo audit(1129311713.059:205): avc:  denied  { search } for  pid=331 comm="udevd" name="5052" dev=proc ino=331087874 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir

These are probably not serious.
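The AVC lines quoted in the description and in Comment 3 are the raw material a policy maintainer works from: the (source type, target type, class, permissions) tuples tell you which denials are mere noise and which ones stop boot. The following is an added example, not code from this bug, from Gentoo or from the SELinux reference policy. It parses denials in both shapes seen on this page (bare kernel `audit(ts:serial)` lines with `exe=`, and syslog-prefixed lines with `comm=`), re-joins records that were wrapped when pasted, groups them into candidate `allow` rules the way audit2allow does, and flags the kind of denial Comment 1 points at: a root shell in `staff_r` denied `execute` on `mount_exec_t`, which is a wrong-role problem rather than a policy gap. The sample log is constructed from lines on this page (one record deliberately wrapped); the function names and the `looks_like_wrong_role` heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample built from lines on this page, in the two shapes seen
# here: bare kernel "audit(ts:serial)" lines with exe=, and syslog-prefixed
# lines with comm=. The second record is wrapped over two lines on purpose,
# as log lines pasted into a bug tracker usually are.
SAMPLE_LOG = """\
audit(1104463417.112:0): avc:  denied  { search } for  pid=4028 exe=/bin/netstat name=net dev=proc ino=-268435435 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_net_t tclass=dir
audit(1104463417.596:0): avc:  denied  { sys_chroot } for  pid=4135 exe=/usr/sbin/ntpd
capability=18 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
audit(1104463450.521:0): avc:  denied  { execute } for  pid=4269 exe=/bin/bash name=mount dev=hde3 ino=374743 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mount_exec_t tclass=file
Oct 14 11:38:30 dynamo audit(1129304301.961:2): avc:  denied  { create } for  pid=416 comm="tar" name="vcsa1" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Oct 14 11:38:30 dynamo audit(1129304307.875:6): avc:  denied  { search } for  pid=330 comm="udevd" name="1" dev=proc ino=65538 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Re-join records wrapped across lines: a line without 'avc:' is a
    continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "avc:" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(line):
    """Parse one AVC message into a dict; None for lines that are not AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    suser, srole, stype = fields["scontext"].split(":")[:3]   # user:role:type
    ttype = fields["tcontext"].split(":")[2]
    return {
        "ts": float(m.group("ts")), "serial": int(m.group("serial")),
        "result": m.group("result"), "perms": m.group("perms").split(),
        "subject": fields.get("comm") or fields.get("exe", "?"),
        "suser": suser, "srole": srole, "stype": stype,
        "ttype": ttype, "tclass": fields.get("tclass", "?"), "fields": fields,
    }


def parse_log(text):
    return [r for r in (parse_avc(rec) for rec in join_wrapped(text)) if r]


def summarize(records):
    """Group like audit2allow: one entry per (source type, target type, class)
    holding the union of denied permissions."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            groups[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(summary):
    """Candidate policy lines. Each one needs review: an allow rule for a
    denial that was never fatal only widens the policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def looks_like_wrong_role(record):
    """Heuristic (this example's assumption): a user-role domain (anything but
    system_r) denied execute on an *_exec_t file usually means the wrong role
    for the job, e.g. staff_r where sysadm_r is needed, not a missing rule."""
    return (record["srole"] != "system_r"
            and record["ttype"].endswith("_exec_t")
            and "execute" in record["perms"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in allow_rules(summarize(recs)):
        print(rule)
    for r in recs:
        if looks_like_wrong_role(r):
            print(f"# review: pid={r['fields']['pid']} {r['subject']} as "
                  f"{r['suser']}:{r['srole']} hit {r['ttype']}; change role, not policy")
```

Run stand-alone it prints five candidate rules and one review line for the `staff_t` / `mount_exec_t` denial. On a real box the same grouping is what `audit2allow` produces from `/var/log/audit/audit.log` or dmesg; the point of keeping the role in the record is that `allow staff_t mount_exec_t:file { execute };` would "fix" the last denial in the description by letting staff_r run mount, which is exactly what the policy is designed to prevent.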
Comment 4 Andy Dustman 2006-01-19 07:36:25 UTC
I don't think this bug matters any more. I put together a system a few weeks back from an SELinux stage3 and it starts fine in enforcing mode.
Comment 5 Chris PeBenito (RETIRED) gentoo-dev 2006-01-29 08:57:13 UTC
closing