Description of problem: When MLS policy is installed and configured to be on, the system does not boot.
Ok, I was able to get F18-minimal install to boot in permissive mode. I see a lot AVC msgs related to /dev/log as kernel_t. So all domains are not able to send to kernel_t because this domain is not mls trusted object.
I think we need to move some of the syslog and dbus policies into the "base" modules for minimal.
Not sure whether I hijack the bug, but I see some more MLS related concerns: What about systemd? As systemd is much different in architecture than SysV init, I thought that also the interactions that systemd has causes some problems. /etc/security/namespace.conf contains $HOME/$USER.inst as backend for $HOME -- in RHEL 6 we had /home/home-inst; now, is that directory automatically created with the right permissions -- home-inst had the DAC permissions of 0 and some special SELinux labels? the suggested configuration in the default namespace.conf wrt /tmp is not equivalent to the old RHEL6 config -- is this intentional?: /tmp /tmp-parent/tmp-inst/ level root,adm /dev/shm /dev/shm tmpfs when configuring the old polyinstantiated /tmp dirs, I get the following error: [root@fedora18 ~]# semanage fcontext -a -e /tmp /tmp-parent /sbin/semanage: File spec /tmp-parent conflicts with equivalency rule '/tmp-parent/tmp-inst/ /tmp' who mounts /dev/shm and /run? They need polyinstantiated dirs too, i.e. we need to disable the regular mount during boot and replace it with the line in namespace.conf using the example above for /dev/shm
We have a booting MLS system. I would open a new bug for another issues if needed.