If I boot into single user, cd to /etc/security/selinux/src/policy and
try "make load" or "make reload", it fails in enforcing mode.
Specifically, it cannot execute checkpolicy. The log messages are:
Mar 25 23:45:38 dell kernel: security_compute_sid: invalid context
Mar 25 23:45:38 dell kernel: security: context system_u:system_r:checkpolicy_t is invalid
sulogin should be setting the admin shell context to
root:sysadm_r:sysadm_t, which would be able to run checkpolicy.
From the message above, it appears that your single user shell is
running as system_u:system_r:sysadm_t, and system_r is not authorized
for checkpolicy_t. First question is: Why isn't sulogin being run,
or is there a problem with the sulogin patch?
A workaround would be to add 'role system_r types checkpolicy_t;' to
checkpolicy.te to authorize the role for the domain. Or you could add
'role_transition system_r checkpolicy_exec_t sysadm_r;' to force a
transition in role upon executing checkpolicy.
> First question is: Why isn't sulogin being run,
The sulogin is only run AFAIK when there is some problem with fsck or
RAID. I am not talking about that - I am talking about the shell
prompt you get (w/o having to enter the root password) when booting
into the single-user mode.
This should be fixed by the latest policy 1.9.1-2
sulogin can be run for single-user boots via inittab; this ensures
that even a single-user boot requires root password. A good idea, IMHO,
but your choice...
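
The validity check behind the kernel message quoted at the top of this thread, as an added example that is not part of any of the original posts: a context is rejected when the user is not authorized for the role or the role is not authorized for the type. The USER_ROLES and ROLE_TYPES tables are a constructed toy model, not the real policy, and the function names are hypothetical.

```python
import re

# Constructed sample: the two kernel lines quoted in the thread.
SAMPLE_LOG = """\
Mar 25 23:45:38 dell kernel: security_compute_sid: invalid context
Mar 25 23:45:38 dell kernel: security: context system_u:system_r:checkpolicy_t is invalid
"""

# Toy policy model (assumption, not the real policy): the roles each user
# may assume and the types (domains) each role may enter.
USER_ROLES = {"system_u": {"system_r"}, "root": {"sysadm_r", "staff_r"}}
ROLE_TYPES = {
    "system_r": {"sysadm_t", "init_t"},
    "sysadm_r": {"sysadm_t", "checkpolicy_t"},
}

# \s+ also matches a line break, so a wrapped log line is still parsed.
INVALID_RE = re.compile(r"security:\s+context\s+(\S+)\s+is invalid")


def invalid_contexts(log_text):
    """Return (user, role, type) for every context the kernel rejected."""
    found = []
    for match in INVALID_RE.finditer(log_text):
        parts = match.group(1).split(":")
        if len(parts) >= 3:  # any fields after the type are ignored
            found.append(tuple(parts[:3]))
    return found


def explain(ctx, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Name the missing authorization, or return None if ctx is valid."""
    user, role, typ = ctx
    if role not in user_roles.get(user, set()):
        return f"user {user} is not authorized for role {role}"
    if typ not in role_types.get(role, set()):
        return (f"role {role} is not authorized for type {typ}; "
                f"'role {role} types {typ};' would authorize it")
    return None


if __name__ == "__main__":
    for ctx in invalid_contexts(SAMPLE_LOG):
        print(":".join(ctx), "->", explain(ctx))
    # The context sulogin is expected to set can run checkpolicy:
    print(explain(("root", "sysadm_r", "checkpolicy_t")))
```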