+++ This bug was initially created as a clone of Bug #531228 +++ Description of problem: Since we are pulling in a newer kernel for the real time kernel, it includes access that is not defined in the RHEL5 policy. These access checks are denied by default, including open. This means a RHEL5 box can not run with SELinux in enforcing mode with the Real Time Kernel. In Fedora we have the ability to tell the kernel to "allow" all access that it knows about and the policy does not. In order to get this to work in RHEL5 we need to back port changes to the checkpolicy, libsepol and selinux-policy packages. The test to see if these backports work is to develop a policy on RHEL5 that a Real Time Kernel can boot in enforcing mode.
Fixed in checkpolicy-1.33.1-5.el5
It's quite complicated to reproduce this problem. Even MRG guys do not hit it on RHEL5.3/5.4... * I've tried two RT kernels and both booted successfully without AVCs. * I've tried both new and old version of: checkpolicy & libsepol & selinux-policy * I've recompiled selinux-policy several times (including many changes) RT kernel booted successfully in all cases (with no complaints). Since I did not reproduce the issue I'm not switching this bug to VERIFIED, however after two days of testing I'm pretty sure that it's fixed. Patch is obviously applied correctly. Setting verified to SanityOnly.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0184.html