Red Hat Bugzilla – Bug 861145
System won't boot in MLS mode
Last modified: 2013-04-25 14:55:44 EDT
Description of problem:
When MLS policy is installed and configured to be on, the system does not boot.
Ok, I was able to get F18-minimal install to boot in permissive mode.
I see a lot of AVC msgs related to /dev/log as kernel_t. So all domains are not able to send to kernel_t because this domain is not an mls trusted object.
I think we need to move some of the syslog and dbus policies into the "base" modules for minimal.
Not sure whether I'm hijacking the bug, but I see some more MLS related concerns:
What about systemd? As systemd is much different in architecture than SysV init, I thought that also the interactions that systemd has cause some problems.
/etc/security/namespace.conf contains $HOME/$USER.inst as backend for $HOME -- in RHEL 6 we had /home/home-inst; now, is that directory automatically created with the right permissions -- home-inst had the DAC permissions of 0 and some special SELinux labels?
the suggested configuration in the default namespace.conf wrt /tmp is not equivalent to the old RHEL6 config -- is this intentional?:
/tmp /tmp-parent/tmp-inst/ level root,adm
/dev/shm /dev/shm tmpfs
when configuring the old polyinstantiated /tmp dirs, I get the following error:
[root@fedora18 ~]# semanage fcontext -a -e /tmp /tmp-parent
/sbin/semanage: File spec /tmp-parent conflicts with equivalency rule '/tmp-parent/tmp-inst/ /tmp'
Who mounts /dev/shm and /run? They need polyinstantiated dirs too, i.e. we need to disable the regular mount during boot and replace it with the line in namespace.conf using the example above for /dev/shm.
We have a booting MLS system. I would open a new bug for other issues if needed.
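A small audit of a pam_namespace namespace.conf along the lines of the concerns raised above (missing /dev/shm and /run polyinstantiation, instance directories that live outside the polydir they serve and therefore need their own DAC permissions and SELinux labels). This is an added example, not part of the bug report; the sample config is constructed from the lines quoted in the thread.

```python
"""Audit a namespace.conf for the MLS polyinstantiation gaps discussed in the bug."""
import os

# Constructed sample mirroring the Fedora default quoted in the report.
SAMPLE_CONF = """\
# polydir   instance_prefix        method  list_of_uids
$HOME       $HOME/$USER.inst/      level
/tmp        /tmp-parent/tmp-inst/  level   root,adm
/dev/shm    /dev/shm               tmpfs
"""

VALID_METHODS = {"user", "context", "level", "tmpfs", "tmpdir"}
# Directories the thread says an MLS system must polyinstantiate.
REQUIRED_POLYDIRS = ("/tmp", "/dev/shm", "/run")


def parse_namespace_conf(text):
    """Return one dict per entry: polydir, instance_prefix, method, flags, uids."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected polydir, instance_prefix, method")
        method, _, flags = fields[2].partition(":")  # e.g. level:create,noinit
        if method not in VALID_METHODS:
            raise ValueError(f"line {lineno}: unknown method {method!r}")
        entries.append({
            "polydir": fields[0], "instance_prefix": fields[1], "method": method,
            "flags": flags.split(",") if flags else [],
            "uids": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def audit(entries):
    """Return findings as strings; an empty list means no gaps were detected."""
    findings = []
    covered = {e["polydir"].rstrip("/") for e in entries}
    for d in REQUIRED_POLYDIRS:
        if d not in covered:
            findings.append(f"{d}: no polyinstantiation entry")
    for e in entries:
        if e["method"] == "tmpfs":              # nothing on disk to pre-create
            continue
        polydir, prefix = e["polydir"].rstrip("/"), e["instance_prefix"].rstrip("/")
        if prefix != polydir and not prefix.startswith(polydir + "/"):
            parent = os.path.dirname(prefix)
            findings.append(f"{polydir}: instance prefix {e['instance_prefix']} lies outside "
                            f"the polydir; {parent} needs DAC perms and an SELinux label")
    return findings
```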