From: Luis Ressel <aranea@aixah.de>
To: SELinux <selinux@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Subject: Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
Date: Fri, 15 Feb 2013 22:03:21 +0100	[thread overview]
Message-ID: <20130215220321.53fd94c4@gentp.lnet> (raw)
In-Reply-To: <511E8CC3.7010207@tycho.nsa.gov>


On Fri, 15 Feb 2013 14:30:11 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 02/15/2013 01:44 PM, Luis Ressel wrote:
> > Again, you're right. On this boot, dontaudit rules were actually
> > enabled. Now, here's another log where they are disabled again.
> 
> This line from your log file:
> 
> audit_printk_skb: 643 callbacks suppressed
> 
> indicates that you are hitting the printk ratelimit (to prevent
> flooding of syslog) and therefore dropping messages.
> 
> You could apply the attached patch or something like it to disable
> the printk ratelimit on audit messages.

Thanks! Now I finally got a denial message. kernel_t needs search
permissions on unlabeled_t dirs, that's all.

> However, you might want to first fix some of the obvious denials in
> your policy.  The rlimitinh, siginh, and noatsecure ones can
> generally be ignored.  But you are getting various other denials that
> likely should be allowed.  Adding the unconfined module to your
> policy would automatically eliminate any denials for the kernel or
> init domains.

Yes, I did all this testing in a VM, not on the system where I
originally encountered these issues, and I didn't fine-tune the VM
policy. And my policy doesn't include the unconfined module because it
was optional in my distro, defaulted to off and I thought it was only
necessary for targeted mode. But I'll try it out now.


I want to thank you again for your fast and helpful responses. Without
your help, I probably wouldn't have been able to resolve this issue, at
least not within reasonable time. You really saved me from having severe
headaches!

Luis

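The two practical points in this exchange are that a "callbacks suppressed" line means the kernel log is incomplete (the printk ratelimit dropped AVC messages, so the denial you need may never have been written), and that the rlimitinh/siginh/noatsecure process denials are routine noise while the rest want policy. The script below is an added example, not code from the thread or from the SELinux project: it walks kernel-log lines, totals the suppressed count, sets aside the ignorable process-class denials, and merges the remaining ones into candidate allow rules. The sample log lines are constructed to match the outcome described in the thread (kernel_t needing search on an unlabeled_t dir); they are not Luis's actual log.

```python
"""
Triage AVC denials from a kernel log (no auditd running, so audit
records are printk'ed and subject to the printk ratelimit).

Added example for the thread above; not code from the thread itself.
The SAMPLE_LOG below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass

# Process-class permissions the thread says can generally be ignored.
IGNORABLE_PROCESS_PERMS = frozenset({"rlimitinh", "siginh", "noatsecure"})

# Emitted by the kernel when printk_ratelimit() drops audit records.
SUPPRESSED_RE = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")

# avc:  denied  { perm perm } for  pid=.. comm=.. ... scontext=.. tcontext=.. tclass=..
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source_type: str
    target_type: str
    tclass: str

    def ignorable(self) -> bool:
        # Only the inheritance checks on the process class count as noise;
        # a process denial for anything else is still actionable.
        return self.tclass == "process" and self.perms <= IGNORABLE_PROCESS_PERMS

    def allow_rule(self) -> str:
        perms = " ".join(sorted(self.perms))
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {perms} }};"


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the part TE rules are written against)."""
    return ctx.split(":")[2]


def parse_denial(line: str):
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(
        frozenset(m["perms"].split()),
        context_type(m["scontext"]),
        context_type(m["tcontext"]),
        m["tclass"],
    )


def triage(lines):
    """Return suppressed-message count, ignored-denial count and merged allow rules."""
    suppressed = 0
    denials = []
    for line in lines:
        s = SUPPRESSED_RE.search(line)
        if s:
            suppressed += int(s.group(1))
            continue
        d = parse_denial(line)
        if d:
            denials.append(d)

    ignored = [d for d in denials if d.ignorable()]
    merged = {}  # (source, target, class) -> union of denied perms
    for d in denials:
        if d.ignorable():
            continue
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    rules = sorted(Denial(perms, *key).allow_rule() for key, perms in merged.items())
    return {"suppressed": suppressed, "ignored": len(ignored), "rules": rules}


# Constructed sample, shaped like dmesg output without auditd.
SAMPLE_LOG = """\
[    2.101] type=1400 audit(1360962721.100:3): avc:  denied  { siginh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    2.102] type=1400 audit(1360962721.101:4): avc:  denied  { rlimitinh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    2.103] type=1400 audit(1360962721.102:5): avc:  denied  { noatsecure } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    2.500] audit_printk_skb: 643 callbacks suppressed
[    2.610] type=1400 audit(1360962721.600:650): avc:  denied  { search } for  pid=1 comm="init" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    if result["suppressed"]:
        print(f"WARNING: {result['suppressed']} audit records were dropped by the printk ratelimit;")
        print("         the rule list below is incomplete.")
    print(f"ignored {result['ignored']} routine process denials")
    for rule in result["rules"]:
        print(rule)
```

A non-zero suppressed count means any rule list produced from the log is incomplete, so treat it as a signal to get a full log before touching policy: raise the limit with the `kernel.printk_ratelimit` / `kernel.printk_ratelimit_burst` sysctls (setting `kernel.printk_ratelimit=0` turns the ratelimit off, which is what the patch in the thread does for audit messages specifically), or start auditd so records go to the audit socket instead of printk. The emitted rules are candidates to review, not to paste blindly; a denial on `unlabeled_t` usually points at a filesystem that was never labeled rather than at a missing allow.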

Thread overview: 11+ messages
2013-02-14 21:25 Mount of cgroup filesystems fails when booting in SELinux enforcing mode aranea
2013-02-15 13:32 ` Stephen Smalley
2013-02-15 14:06   ` Luis Ressel
2013-02-15 14:28     ` Stephen Smalley
2013-02-15 15:02       ` Luis Ressel
2013-02-15 15:34         ` Stephen Smalley
2013-02-15 16:07           ` Luis Ressel
2013-02-15 18:19             ` Stephen Smalley
2013-02-15 18:44               ` Luis Ressel
2013-02-15 19:30                 ` Stephen Smalley
2013-02-15 21:03                   ` Luis Ressel [this message]
