If I boot into single user, cd to /etc/security/selinux/src/policy and try "make load" or "make reload", it fails in enforcing mode. Specifically, it cannot execute checkpolicy. The log messages are:

Mar 25 23:45:38 dell kernel: security_compute_sid: invalid context system_u:system_r:checkpolicy_t for scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:checkpolicy_exec_t tclass=process
Mar 25 23:45:38 dell kernel: security: context system_u:system_r:checkpolicy_t is invalid
sulogin should be setting the admin shell context to root:sysadm_r:sysadm_t, which would be able to run checkpolicy. From the message above, it appears that your single user shell is running as system_u:system_r:sysadm_t, and system_r is not authorized for checkpolicy_t. First question is: Why isn't sulogin being run, or is there a problem with the sulogin patch? A workaround would be to add 'role system_r types checkpolicy_t;' to checkpolicy.te to authorize the role for the domain. Or you could add 'role_transition system_r checkpolicy_exec_t sysadm_r;' to force a transition in role upon executing checkpolicy.
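
The role/type check behind the kernel message above, as an added example that is not part of the original thread or of the SELinux policy sources: it parses the reported log line and tests the computed context against a role-to-types table. ROLE_TYPES is a constructed stand-in for the policy's "role ... types ...;" statements, and the user-to-role check is not modelled.

```python
import re

# Log line copied from the report above.
LOG = ("Mar 25 23:45:38 dell kernel: security_compute_sid: invalid context "
       "system_u:system_r:checkpolicy_t for scontext=system_u:system_r:sysadm_t "
       "tcontext=system_u:object_r:checkpolicy_exec_t tclass=process")

PATTERN = re.compile(
    r"security_compute_sid:\s+invalid context (?P<new>\S+) for "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

# Constructed stand-in for the policy's "role R types T;" statements.
# Assumption for illustration only; not the contents of the real policy.
ROLE_TYPES = {
    "system_r": {"sysadm_t"},
    "sysadm_r": {"sysadm_t", "checkpolicy_t"},
}

def parse_invalid_context(line):
    """Return the contexts from an 'invalid context' message, or None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("new", "scontext", "tcontext"):
        # user:role:type are the first three colon-separated fields.
        fields[key] = tuple(fields[key].split(":")[:3])
    return fields

def diagnose(line, role_types):
    """Explain why the computed context fails the role/type check."""
    fields = parse_invalid_context(line)
    if fields is None:
        return "not an invalid-context message"
    if len(fields["new"]) < 3:
        return "malformed context"
    _, role, new_type = fields["new"]
    if new_type in role_types.get(role, set()):
        return "valid"  # role/type pair is authorized in this table
    allowed = sorted(r for r, t in role_types.items() if new_type in t)
    return f"role {role} is not authorized for type {new_type}; authorized roles: {allowed}"

if __name__ == "__main__":
    print(diagnose(LOG, ROLE_TYPES))
    # First workaround from the reply: authorize system_r for checkpolicy_t.
    patched = {**ROLE_TYPES, "system_r": ROLE_TYPES["system_r"] | {"checkpolicy_t"}}
    print(diagnose(LOG, patched))
```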
> First question is: Why isn't sulogin being run,

The sulogin is only run AFAIK when there is some problem with fsck or RAID. I am not talking about that - I am talking about the shell prompts you get (w/o having to enter the root password) when booting into the single-user mode.
This should be fixed by the latest policy 1.9.1-2.
sulogin can be run for single-user boots via inittab; this ensures that even a single-user boot requires root password. A good idea, IMHO, but your choice...