From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312

Description of problem:
I updated my local copy of the bitkeeper kernel tree, and added selinux options to an existing, working, configuration. I then compiled and installed the resulting kernel. I booted this kernel into permissive selinux mode and was not able to log in because of the numerous policy-related messages seen during boot up. I then dropped down to single user mode and did a "fixfiles relabel" and tried again with no success. I rebooted again after adding selinux=0 to the command line with no problems. This produced a normally functioning system. The FAQ seems to suggest that fixfiles relabel should resolve the problem, but it doesn't seem to in this case.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. compile and install a stock kernel
2. boot into permissive selinux mode
3. numerous policy failures are seen

Additional info:
Created attachment 99528
configuration file used to build the kernel

Following are the SELINUX options:

#
# Security options
#
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
Created attachment 99529
dmesg output from failed boot attempt
The above errors during boot were seen on a boot subsequent to doing a fixfiles relabel.
Created attachment 99554
new /var/log/messages after fixing compile options

Someone passed on some additional options I needed to enable to get the compile working. This allowed me to recompile and boot correctly. I am still getting the attached messages in the log which don't occur when booting a Red Hat kernel.
There are a few errors mixed together here. First, you need to relabel your filesystem; your /usr/X11R6/bin/XOrg has the wrong type. Secondly, FAM is incompatible with SELinux. I added a workaround for this in the latest FAM to simply disable itself if SELinux is enabled. The xauth bits I have to look into more... Anyways, can you do a relabel and update to the latest rawhide to verify that the first two are fixed? Thanks.
Created attachment 99617
updated bootlog

I ran up2date this afternoon (21 April) and did a fixfiles relabel as suggested with little change in behaviour. The xattr problems are gone, but I still see the Xorg problems remain. Most of it looks like normal glitches, expected in development. The things that bother me the most are the unlabeled attributes. How can a relabeled filesystem have unlabeled objects?
/initrd being still mounted is the problem. Basically files within this directory are unlabeled_t.
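
One way to see where unlabeled objects live, as in the /initrd case described in the last comment: group AVC denials whose target type is unlabeled_t by their dev= field. This is an added example, not part of the original bug thread or its attachments; the log lines, device names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the 2.6-era AVC format; not taken from the attachments.
SAMPLE_LOG = """\
audit(1082577601.101:0): avc:  denied  { getattr } for  pid=812 exe=/bin/mount path=/initrd/dev dev=ram0 ino=14 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082577601.245:0): avc:  denied  { search } for  pid=845 exe=/sbin/syslogd name=initrd dev=ram0 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082577609.530:0): avc:  denied  { execute } for  pid=1203 exe=/usr/X11R6/bin/xdm name=Xorg dev=hda2 ino=40211 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:bin_t tclass=file
Apr 21 17:02:11 host kernel: EXT3-fs: mounted filesystem with ordered data mode.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    # The remainder is a run of key=value tokens (pid=, exe=, dev=, tcontext=, ...).
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # A context is user:role:type[:level]; the third field is the target type.
    parts = rec.get("tcontext", "").split(":")
    rec["ttype"] = parts[2] if len(parts) >= 3 else None
    return rec


def unlabeled_by_device(log_text):
    """Count denials against unlabeled_t targets, grouped by the dev= field."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == "unlabeled_t":
            counts[rec.get("dev", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for dev, n in unlabeled_by_device(SAMPLE_LOG).items():
        print(f"{dev}: {n} denial(s) against unlabeled_t objects")
```

Denials that cluster on a device other than the relabeled root filesystem point to a separate mount that the relabel did not cover.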