Tom London wrote:
Running targeted, latest rawhide (e.g., selinux-policy-targeted-2.1.6-22).
Reboot in enforcing mode fails: system goes into 'disk repair' mode.
'enforcing=0' works, but many messages.
First, 'id -Z' in gnome terminal:

[tbl@tlondon ~]$ id -Z
system_u:system_r:xdm_t:SystemLow-SystemHigh
[tbl@tlondon ~]$
'audit2allow -d' shows...

[root@tlondon ~]# audit2allow -d
allow auditctl_t tmpfs_t:chr_file write;
allow auditd_t tmpfs_t:chr_file getattr;
allow auditd_t tmpfs_t:dir search;
allow cpucontrol_t tmpfs_t:chr_file write;
allow cpucontrol_t tmpfs_t:dir search;
allow cpuspeed_t tmpfs_t:chr_file getattr;
allow cpuspeed_t tmpfs_t:dir search;
allow dhcpc_t tmpfs_t:chr_file { read write };
allow dhcpc_t tmpfs_t:dir search;
allow fsadm_t tmpfs_t:blk_file ioctl;
allow fsadm_t tmpfs_t:chr_file ioctl;
allow hwclock_t tmpfs_t:chr_file getattr;
allow hwclock_t tmpfs_t:dir search;
allow ifconfig_t tmpfs_t:chr_file write;
allow klogd_t tmpfs_t:dir search;
allow klogd_t tmpfs_t:sock_file write;
allow mount_t tmpfs_t:blk_file getattr;
allow netutils_t tmpfs_t:chr_file write;
allow pam_console_t tmpfs_t:blk_file setattr;
allow pam_console_t tmpfs_t:chr_file setattr;
allow pam_console_t tmpfs_t:dir search;
allow pam_console_t tmpfs_t:lnk_file getattr;
allow portmap_t tmpfs_t:chr_file getattr;
allow portmap_t tmpfs_t:dir search;
allow syslogd_t tmpfs_t:dir add_name;
allow syslogd_t tmpfs_t:sock_file setattr;
[root@tlondon ~]#

Relabeling is borked:

[root@tlondon ~]# restorecon -v -R /tmp
file_contexts: invalid context system_u:object_r:tmp_t
matchpathcon(/tmp) failed Invalid argument
file_contexts: invalid context system_u:object_r:xdm_xserver_tmp_t
matchpathcon(/tmp/.X0-lock) failed Invalid argument
file_contexts: invalid context system_u:object_r:xfs_tmp_t
matchpathcon(/tmp/.font-unix) failed Invalid argument
file_contexts: invalid context system_u:object_r:xfs_tmp_t
matchpathcon(/tmp/.font-unix/fs7100) failed Invalid argument
[root@tlondon ~]#

tom
Tom London
This is caused by a bug in libsetrans. You can either disable libsetrans for the time being via /etc/selinux/targeted/setrans.conf or grab the updated libsetrans package from ftp://people.redhat.com/dwalsh/SELinux/Fedora
Basically the untranslation of

system_u:object_r:xfs_tmp_t -> system_u:object_r:xfs_tmp_t:s0

was broken by some optimizations that were added to libsetrans in last night's rawhide. Fix will be in tonight's rawhide.
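
The untranslation step described in the reply above, as an added Python sketch that is not part of the original thread and is not libsetrans code: it appends the default level `s0` to a context that names none, maps a label back to its raw range, and shows that the contexts from the restorecon output only pass an MLS-style validity check after untranslation. The table entries, the function names and the simplified validity check are assumptions made for illustration.

```python
import re

# Constructed sample table in the style of setrans.conf (raw range -> label).
# The real mapping is site-specific; these two entries are assumptions.
SAMPLE_TRANSLATIONS = {
    "s0-s0:c0.c255": "SystemLow-SystemHigh",
    "s0:c0.c255": "SystemHigh",
}
DEFAULT_LEVEL = "s0"  # level appended when the context names none

_LEVEL = r"s\d+(:c\d+([.,]c\d+)*)?"
RAW_RANGE = re.compile(rf"^{_LEVEL}(-{_LEVEL})?$")


def untranslate(context, table=SAMPLE_TRANSLATIONS):
    """Return the raw form of a translated context (toy model, not libsetrans)."""
    labels = {label: raw for raw, label in table.items()}
    fields = context.split(":", 3)  # user:role:type[:range]
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"malformed context: {context!r}")
    if len(fields) == 3:
        # The case from the thread: no level given, so the default is added.
        return f"{context}:{DEFAULT_LEVEL}"
    rng = fields[3]
    if rng in labels:
        rng = labels[rng]
    elif not RAW_RANGE.match(rng):
        raise ValueError(f"unknown range label: {rng!r}")
    return ":".join(fields[:3] + [rng])


def is_valid_raw(context):
    """Model of the check an MLS-enabled policy applies: a level is mandatory."""
    fields = context.split(":", 3)
    return len(fields) == 4 and all(fields[:3]) and bool(RAW_RANGE.match(fields[3]))


if __name__ == "__main__":
    # Contexts taken from the restorecon and id -Z output quoted in the thread.
    for ctx in ("system_u:object_r:tmp_t",
                "system_u:object_r:xdm_xserver_tmp_t",
                "system_u:object_r:xfs_tmp_t",
                "system_u:system_r:xdm_t:SystemLow-SystemHigh"):
        raw = untranslate(ctx)
        print(f"{ctx} -> {raw}  passed-through valid={is_valid_raw(ctx)} "
              f"untranslated valid={is_valid_raw(raw)}")
```

A context that reaches the validity check unchanged, which is what the broken untranslation amounted to, fails it in the same way the `invalid context` lines in the restorecon output report.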