https://bugzilla.novell.com/show_bug.cgi?id=811368
https://bugzilla.novell.com/show_bug.cgi?id=811368#c15
Frederic Crozat changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|jslaby@suse.com |mmarek@suse.com
--- Comment #15 from Frederic Crozat 2013-10-03 17:04:38 UTC ---
I've reproduced the issue but I'm still a newbie on SELinux.
Looking at the policy for udev, it seems to be missing some stuff:
- /usr/lib/udev/rules.d/* isn't labelled at all as udev rules (well, same issue
on Fedora 19). Only stuff in /etc/udev/rules.d is. I don't know if it is wanted
or not.
The following devices are not created by udev nor systemd but by one of the
mkinitrd scripts, and since udev only relabels devices when they are created, it
might explain why they have an incorrect label on startup:
"
mknod -m 0666 /dev/tty c 5 0
mknod -m 0600 /dev/console c 5 1
mknod -m 0666 /dev/ptmx c 5 2
mknod -m 0666 /dev/null c 1 3
mknod -m 0600 /dev/kmsg c 1 11
mknod -m 0660 /dev/snapshot c 10 231
mknod -m 0666 /dev/random c 1 8
mknod -m 0644 /dev/urandom c 1 9
"
After comparing boot with dracut, I found the issue:
loading selinux policy shouldn't be done in mkinitrd itself (when booting with
systemd) but left to systemd, which will take care of loading selinux policy at
startup (before udev and journald are started) and will relabel /dev and /run.
I'd suggest disabling the selinux_load_policy "/root" line in
/lib/mkinitrd/scripts/boot-boot.sh when systemd has been detected as the init
system (if you want to keep compatibility with the old sysvinit; otherwise, just
remove the entire selinux stuff from mkinitrd).
Once it is done, labelling of /dev and /run will work fine (tested on a VM).
Reassigning to mkinitrd maintainer.
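An added check, not part of the bug report or of mkinitrd: it parses the mknod lines quoted above and reports every node whose current SELinux type differs from what the loaded policy's file_contexts would assign, which is exactly what the early relabel of /dev is supposed to prevent. The label lookups are injected so the check runs offline on constructed data; the libselinux Python bindings used by system_lookups() are assumed to be installed on a real system.

```python
import re
from typing import Callable, List, Tuple

# mknod lines quoted in the comment, copied here so the check runs offline.
MKINITRD_MKNOD_LINES = """
mknod -m 0666 /dev/tty c 5 0
mknod -m 0600 /dev/console c 5 1
mknod -m 0666 /dev/ptmx c 5 2
mknod -m 0666 /dev/null c 1 3
mknod -m 0600 /dev/kmsg c 1 11
mknod -m 0660 /dev/snapshot c 10 231
mknod -m 0666 /dev/random c 1 8
mknod -m 0644 /dev/urandom c 1 9
"""
_MKNOD_RE = re.compile(r"^mknod\s+(?:-m\s+\S+\s+)?(/\S+)\s+[bcup]\b")

def parse_mknod_paths(text: str) -> List[str]:
    """Device paths named by the mknod commands in `text`."""
    matches = (_MKNOD_RE.match(line.strip()) for line in text.splitlines())
    return [m.group(1) for m in matches if m]

def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type; policy rules match on the type."""
    return context.split(":")[2]

def find_mislabelled(paths: List[str], getcon: Callable[[str], str],
                     matchcon: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """(path, actual_type, expected_type) for every node whose type differs.
    getcon(path) gives the node's current context; matchcon(path) gives the
    context the loaded policy's file_contexts assigns it (as matchpathcon)."""
    bad = []
    for path in paths:
        actual, expected = selinux_type(getcon(path)), selinux_type(matchcon(path))
        if actual != expected:
            bad.append((path, actual, expected))
    return bad

def system_lookups():
    """Real lookups via the libselinux Python bindings (assumed installed);
    lgetfilecon/matchpathcon there return [rc_or_len, context]."""
    import selinux
    return (lambda p: selinux.lgetfilecon(p)[1],
            lambda p: selinux.matchpathcon(p, 0)[1])

if __name__ == "__main__":
    getcon, matchcon = system_lookups()
    nodes = parse_mknod_paths(MKINITRD_MKNOD_LINES)
    for path, actual, expected in find_mislabelled(nodes, getcon, matchcon):
        print(f"{path}: labelled {actual}, policy expects {expected}")
```

Run it after boot on a system where the policy is loaded; an empty report means the initrd-created nodes ended up with the types the policy expects.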