Bug 861145

Summary: System won't boot in MLS mode
Product: [Fedora] Fedora Reporter: Steve Grubb <sgrubb>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 18CC: dominick.grift, dwalsh, ebenes, mgrepl, smueller
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-25 18:55:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 853068    

Description Steve Grubb 2012-09-27 16:00:43 UTC 
Description of problem:
When MLS policy is installed and configured to be on, the system does not boot.
Comment 1 Miroslav Grepl 2012-10-01 12:03:17 UTC 
Ok, I was able to get F18-minimal install to boot in permissive mode.

I see a lot AVC msgs related to /dev/log as kernel_t. So all domains are not able to send to kernel_t because this domain is not mls trusted object.
Comment 2 Daniel Walsh 2012-10-01 14:26:37 UTC 
I think we need to move some of the syslog and dbus policies into the "base" modules for minimal.
Comment 3 Stephan Mueller 2012-10-01 18:31:27 UTC 
Not sure whether I hijack the bug, but I see some more MLS related concerns:

What about systemd? As systemd is much different in architecture than SysV init, I thought that also the interactions that systemd has causes some problems.

/etc/security/namespace.conf contains $HOME/$USER.inst as backend for $HOME -- in RHEL 6 we had /home/home-inst; now, is that directory automatically created with the right permissions -- home-inst had the DAC permissions of 0 and some special SELinux labels?


the suggested configuration in the default namespace.conf wrt /tmp is not equivalent to the old RHEL6 config -- is this intentional?:
/tmp     /tmp-parent/tmp-inst/          level     root,adm
/dev/shm /dev/shm               tmpfs

when configuring the old polyinstantiated /tmp dirs, I get the following error:
[root@fedora18 ~]# semanage fcontext -a -e /tmp /tmp-parent
/sbin/semanage: File spec /tmp-parent conflicts with equivalency rule '/tmp-parent/tmp-inst/ /tmp'

who mounts /dev/shm and /run? They need polyinstantiated dirs too, i.e. we need to disable the regular mount during boot and replace it with the line in namespace.conf using the example above for /dev/shm
Comment 4 Miroslav Grepl 2013-04-25 18:55:44 UTC 
We have a booting MLS system. I would open a new bug for another issues if needed.