| Summary: | system fails to boot with selinux-base-policy-2.20110726-r11 in enforcing mode | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Stan Sander <stsander> |
| Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | prometheanfire, selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Stan Sander
2012-01-14 03:33:38 UTC
Are you running ~arch software?

Yes, everything is ~amd64 except for the hardened-dev overlay. I think what is actually going on is that something is different in openrc-0.9.8, which came down with the updates, and now that has to be accounted for in the base policy. On the other hand, I saw several AVCs about slapd being unable to accept() on its socket file, which I'm pretty sure is a new development. Here is the list of updates that were emerged that I think might have any impact. There were about 50 altogether and I can get the complete list if you want.

- openrc-0.9.8
- selinux-dbus-2.20110726-r2
- hardened-sources-3.1.7
- selinux-base-policy-2.20110726-r11
- coreutils-8.15
- libdrm-2.4.30
- util-linux-2.20.1-r1

Also I should mention that kernel mode setting of the console display did not function when SELinux was enforcing. However, I think this was a result of udev not starting.

The sysfs stuff is probably due to openrc (as /etc/init.d/sysfs is provided by openrc). The new version probably has changes in its behavior and those still need to be accounted for in the policies. I'm currently building up a server in ~arch completely so that I can reproduce and help fix, but that might take a while (first need to focus on failures with stable keywords ;-)

ACK on the sysfs one, will be allowed in rev 12 (currently by allowing initrc_t to manage sysfs dirs, but in the future we might use named transitions first). Will check dbus now.

dbus works fine if sysfs is available.

*** Bug 400987 has been marked as a duplicate of this bug. ***

Available in hardened-dev overlay

Confirmed fix in main tree, ~arch'ed

Stabilized
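The thread turns on reading AVC denials (initrc_t on sysfs directories, slapd on its own socket) and translating them into an allow rule that a policy revision can carry. The script below is an added example, not code from the bug report, from the Gentoo SELinux policy or from the reference policy: it does by hand what audit2allow does on a real system, so the reader can see what a denial line contains and what rule it maps to. The AVC lines in SAMPLE_AVC are constructed for this example; the module name localfix, the process names and the comm values are illustrative, and the interface name dev_manage_sysfs_dirs mentioned in the comments is assumed to be the reference-policy spelling of "initrc_t manages sysfs dirs" rather than quoted from this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): turn SELinux AVC denials into
# candidate allow rules and a small policy-module skeleton.
#
# On a Gentoo/SELinux box the real denials come from
#   dmesg | grep avc      (no auditd running)
#   ausearch -m AVC       (auditd running)
# The lines below are constructed sample input, not taken from the report.
SAMPLE_AVC='type=AVC msg=audit(1326510000.123:45): avc:  denied  { create } for  pid=1234 comm="sysfs" name="foo" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1326510000.124:46): avc:  denied  { write } for  pid=1234 comm="sysfs" name="foo" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1326510000.200:47): avc:  denied  { accept } for  pid=2222 comm="slapd" scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:slapd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1326510000.200:47): arch=c000003e syscall=43 success=no'

# avc_to_allow: read audit lines on stdin and print one "allow" rule per
# (source type, target type, object class). Permissions from several
# denials of the same triple are merged and de-duplicated; non-AVC lines
# are ignored. Output is sorted so the result is stable.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the permission set is the brace-delimited list after "denied"
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts look like user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rules[key] = rules[key] " " p[j]
            }
        }
    }
    END {
        for (key in rules) {
            split(key, k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rules[key]
        }
    }' | sort
}

# make_te_module: wrap allow rules (stdin) in a policy_module skeleton with
# the gen_require block the reference-policy build needs. "localfix" is an
# arbitrary module name chosen for this example.
make_te_module() {
    rules=$(cat)
    types=$(printf '%s\n' "$rules" |
        awk '/^allow / { print $2; split($3, t, ":"); print t[1] }' | sort -u)
    printf 'policy_module(localfix, 1.0)\n\n'
    printf 'gen_require(`\n'
    printf '%s\n' "$types" | sed 's/^/    type /; s/$/;/'
    printf "')\n\n"
    printf '%s\n' "$rules"
}

# Review before loading: a raw "allow initrc_t sysfs_t:dir { create write }"
# is what the bug's rev 12 fix amounts to (in the reference policy it would
# be written as an interface call such as dev_manage_sysfs_dirs(initrc_t),
# name assumed here), but a denial can also mean a mislabelled file, in
# which case restorecon is the fix and no new rule should be added.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | make_te_module
```

Pipe the real denials in place of SAMPLE_AVC (for example `dmesg | grep avc | avc_to_allow`), then compare each generated rule against the policy source before deciding whether it belongs in a policy revision or is a labelling problem.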