Red Hat Bugzilla – Bug 178125
rc.sysinit complaining after selinux policy rebuild
Last modified: 2014-03-16 22:57:44 EDT
Description of problem:
after a policy rebuild rc.sysinit will complain about a write error invalid
argument on line 73
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. touch /.autorelabel
3. read system messages after the relabeling ended
What error messages are you seeing? Are you seeing any AVC messages in
/var/log/audit/audit.log or /var/log/messages?
Well, I don't know if it's relevant or not - I usually ignore the avcs during
the policy relabel boot. Anyway, my dmesg says has a lot of things in it
(luckily I haven't rebooted yet)
This is using policy 2.1.12-2, I think the problem is older
Could you attach those avc messages?
Created attachment 123336 [details]
system dmesg after relabel boot
Created attachment 123337 [details]
audit.log on the same system, starting with last auditd start
The actual sysinit error deos not seem to have been logged anywhere (sorry about
the lag, network is fluctuating wildly there)
Hm, line 73 is where it resets the SELinux mode (enforcing, permissive, etc.)
So this would imply that before it started relabeling, it's running in the wrong
domain, and can't change the mode back? I suppose we would need to catch that
and then reboot, but without the error message, not sure what we'd check for. :/
It Should be running in initrc_t.
Many fixes in policy for fetchmail problems.
if id -Z not = initrc_t reboot.
Or if it could tell init to start the rc script again?
Of course init needs to be running as init_t...
The test at the moment is:
REBOOTFLAG=`restorecon -v /sbin/init`
(i.e., if init has the wrong context on the file, then reboot.)
Should we just check for initrc_t instead?
No that is fine.