From: Ken YANG <spng.yang@gmail.com>
To: russell@coker.com.au
Cc: James Morris <jmorris@namei.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	SELinux List <selinux@tycho.nsa.gov>,
	Daniel J Walsh <dwalsh@redhat.com>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: Re: can not boot with strict policy
Date: Fri, 27 Apr 2007 18:48:20 +0800	[thread overview]
Message-ID: <4631D4F4.20901@gmail.com> (raw)
In-Reply-To: <200704261645.50811.russell@coker.com.au>

Russell Coker wrote:
> On Tuesday 24 April 2007 03:42, James Morris <jmorris@namei.org> wrote:
>>> Boot with "enforcing=0 single" to come up permissive into single-user
>>> mode, then run /sbin/fixfiles relabel -F to forcible relabel everything,
>>> then reboot.
>> I wonder if we could automate this, so that the autorelabel is also run
>> on boot if you switch between different types of policy.
> 
> There are a few ways of doing this.  For my Kickstart configuration of MLS 
> systems and Play machines I used to create an /etc/init.d script that would 
> put the machine in enforcing mode and configure grub with enforcing=1 and 
> then put enforcing=0 on the grub command-line before the final reboot of the 
> install.
> 
> For a more general solution you might want to have /sbin/init search 
> for /.changing-policy-type as a reason to boot in permissive mode.


The general solution sounds good; it could make the process automatic,
like the ".autorelabel" way.

By the way, changing policy from targeted to strict also had other
problems in FC. I am not sure whether the problem occurs in other
distributions too.

Before rc.sysinit executes, "/dev" has the "tmpfs_t" type because:

fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);

Only after rc.sysinit has executed is "/dev" relabeled to "device_t":

if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && LC_ALL=C fgrep -q " /dev " /proc/mounts ; then
         /sbin/restorecon -R /dev 2>/dev/null
fi

So there is the problem:

avc: denied {search} for pid=1 comm="init" name="/" dev=tmpfs ino=824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

The "name" field in AVC messages is obscure; I deduced from the inode
that the target is "/dev", not "/".

But if the "distro_redhat" tunable has not been turned on, init will not
have search and other permissions to perform certain operations on
tmpfs_t.

But because my policy is from SVN, the default value of DISTRO
is null.

I wonder whether other distributions have the same problem.
Are there measures to avoid this kind of problem? Not everyone,
especially a newbie like me, can figure out this part.


Additionally, I am using "te.vim" from Thomas Bleher to highlight .te
files, but I also want to highlight .fc and .if files.
Any guides, apart from SLIDE?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
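The inode-to-path deduction described in the message above, as an added example that is not part of the original thread: it parses the quoted AVC line and walks a mount point for the matching inode, then reports whether the target still carries its early-boot label. The mount root and the expected type (device_t for /dev) are parameters you supply; the sample AVC line is constructed from the values quoted above.

```python
"""Resolve the obscure "name" field of an SELinux AVC denial to a real path."""
import os
import re

# Constructed sample line; the field values are those quoted in the message above.
SAMPLE_AVC = ('avc: denied {search} for pid=1 comm="init" name="/" dev=tmpfs '
              'ino=824 scontext=system_u:system_r:init_t:s0 '
              'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir')

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Split an AVC line into fields; 'perms' is a list, 'ino' an int, 'ttype' the target type."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _PERMS_RE.search(line)
    fields['perms'] = m.group(1).split() if m else []
    fields['ino'] = int(fields['ino']) if fields.get('ino', '').isdigit() else None
    parts = fields.get('tcontext', '').split(':')      # user:role:type:level
    fields['ttype'] = parts[2] if len(parts) > 2 else None
    return fields


def find_path_by_inode(root, ino, max_depth=3):
    """Walk the mount point `root` and return the first entry whose inode is `ino`.

    Inode numbers are unique only within one filesystem, so `root` must be the
    mount point the AVC "dev" field refers to (the tmpfs on /dev in the message).
    """
    root = os.path.abspath(root)
    if os.lstat(root).st_ino == ino:
        return root            # the mount point itself, as in the /dev case
    base_depth = root.count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.count(os.sep) - base_depth >= max_depth:
            dirnames[:] = []   # do not descend further than max_depth
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_ino == ino:
                    return path
            except OSError:
                continue       # entry vanished or unreadable; keep looking
    return None


def describe(avc, mount_root, expected_type):
    """One-line diagnosis: where the denial really points and whether the label is stale."""
    path = find_path_by_inode(mount_root, avc['ino']) or '<ino %s not found under %s>' % (avc['ino'], mount_root)
    verdict = ('labelled %s but file contexts expect %s: restorecon has not run yet'
               % (avc['ttype'], expected_type)) if avc['ttype'] != expected_type else 'label matches'
    return '%s denied %s on %s (%s)' % (avc['scontext'], ','.join(avc['perms']), path, verdict)
```

On a real system, run `describe(parse_avc(line), '/dev', 'device_t')` against the denial; the inode walk only makes sense on the filesystem named by the "dev" field.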
