https://bugzilla.novell.com/show_bug.cgi?id=811368

https://bugzilla.novell.com/show_bug.cgi?id=811368#c15

Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jslaby@suse.com             |mmarek@suse.com

--- Comment #15 from Frederic Crozat <fcrozat@suse.com> 2013-10-03 17:04:38 UTC ---

I've reproduced the issue but I'm still a newbie on SELinux.

Looking at the policy for udev, it seems to be missing some stuff:
- /usr/lib/udev/rules.d/* isn't labelled at all as udev rules (well, same issue on Fedora 19). Only stuff in /etc/udev/rules.d is. I don't know if it is wanted or not.

The following devices are not created by udev nor systemd but by one of the mkinitrd scripts, and since udev only relabels devices when they are created, it might explain why they have an incorrect label on startup:
"
mknod -m 0666 /dev/tty c 5 0
mknod -m 0600 /dev/console c 5 1
mknod -m 0666 /dev/ptmx c 5 2
mknod -m 0666 /dev/null c 1 3
mknod -m 0600 /dev/kmsg c 1 11
mknod -m 0660 /dev/snapshot c 10 231
mknod -m 0666 /dev/random c 1 8
mknod -m 0644 /dev/urandom c 1 9
"

After comparing boot with dracut, I found the issue: loading selinux policy shouldn't be done in mkinitrd itself (when booting with systemd) but left to systemd, which will take care of loading selinux policy at startup (before udev and journald are started) and will relabel /dev and /run.

I'd suggest to disable the selinux_load_policy "/root" line in /lib/mkinitrd/scripts/boot-boot.sh when systemd has been detected as the init system (if you want to keep compatibility with the old sysvinit otherwise, just remove the entire selinux stuff from mkinitrd).

Once it is done, labelling of /dev and /run will work fine (tested on a VM).

Reassigning to mkinitrd maintainer.