| Summary: | SELinux boot failure after fresh installation | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Markus Bartl <hardened> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED FIXED | CC: | eXt |
| Severity: | blocker | Priority: | High |
| Version: | unspecified | Hardware: | x86 |
| OS: | Linux | Whiteboard: | |
| Package list: | | Runtime testing required: | --- |
Should be fixed in 2.x policies. Please reopen if there are further issues with this.
After installing the SELinux base system following the SELinux HowTo, the system fails to boot in enforcing mode. runscript.sh is denied access to /etc/resolv.conf. avc.log gives the following:

```
Sep 27 00:45:40 odin type=1400 audit(1222469133.010:29): avc: denied { write } for pid=2883 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
```

Reproducible: Always

Steps to Reproduce:
1. Install SELinux with the 2008.0 minimal CD, using the 2007.0 portage snapshot, the 2007.0 stage-3 archive and the SELinux profile
2. Add syslog-ng and logrotate (may not be necessary to reproduce)
3. Boot with the kernel parameter enforcing=1 (permissive in the config file)

Actual Results: System hangs in the boot sequence

Expected Results: System should boot up.

My solution: Writing an additional policy:

```
policy_module(boot,1.0)

require {
	type initrc_t, net_conf_t;
}

allow initrc_t net_conf_t:file { setattr write };
```
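The workaround above is the rule audit2allow would derive from the quoted AVC line. As an added example (not part of the bug report or of the Gentoo policy), the script below does that translation by hand: it parses the denial's source type, target type, object class and permission set and emits a minimal .te module with a matching require block. The function names (`avc_field`, `avc_to_allow`, `avc_to_module`) are hypothetical, and the input line is the one from the report, embedded here as a constructed sample. The generated rule only reflects what the kernel denied; in this case the reporter additionally granted setattr, and whether initrc_t should be allowed to write net_conf_t at all is a policy decision, which is why the maintainer pointed to the 2.x policies rather than to a local allow rule.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Gentoo policy tree.
# Translates an AVC denial line into an allow rule and a minimal .te module,
# the way audit2allow does. Helper names are hypothetical.

# Constructed sample input: the avc.log line quoted in the report.
AVC_LINE='Sep 27 00:45:40 odin type=1400 audit(1222469133.010:29): avc: denied { write } for pid=2883 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file'

# avc_field KEY LINE: print the value of "KEY=value" (up to the next space).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\\([^ ]*\\).*/\\1/p"
}

# avc_to_allow LINE: print "allow <source_type> <target_type>:<class> { perms };"
# for one AVC denial. Returns 1 if the line is not a parsable denial.
avc_to_allow() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    # Contexts look like user:role:type[:range]; the third field is the type.
    stype=$(avc_field scontext "$1" | cut -d: -f3)
    ttype=$(avc_field tcontext "$1" | cut -d: -f3)
    tclass=$(avc_field tclass "$1")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_to_module NAME LINE...: print a complete .te module whose require block
# declares every type referenced by the generated rules. Unparsable lines are
# skipped; returns 1 if no rule could be generated.
avc_to_module() {
    name=$1; shift
    nl='
'
    rules=""
    for l in "$@"; do
        r=$(avc_to_allow "$l") || continue
        rules="${rules}${r}${nl}"
    done
    [ -n "$rules" ] || return 1
    # Collect the source ($2) and target ($3, before the ':class') types.
    types=$(printf '%s' "$rules" \
        | awk '{ t = $3; sub(/:.*/, "", t); print $2; print t }' \
        | sort -u | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    printf 'policy_module(%s,1.0)\n\nrequire {\n\ttype %s;\n}\n\n%s' "$name" "$types" "$rules"
}

# Stand-alone usage: write boot.te from the sample line.
avc_to_module boot "$AVC_LINE" > boot.te
cat boot.te
```

The resulting boot.te uses reference-policy macros (policy_module), so it has to be built with the reference policy development Makefile (assumed here to be the usual `make -f /usr/share/selinux/devel/Makefile boot.pp`; the path on a Gentoo install of that era may differ) and loaded with `semodule -i boot.pp`. Review the generated rule before loading it: an allow derived from a single denial can be broader than the access the boot script actually needs.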