https://bugzilla.novell.com/show_bug.cgi?id=811368

https://bugzilla.novell.com/show_bug.cgi?id=811368#c0

Summary: Incorrect SELinux labels in /dev causes systemd to loop
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Milestone 0
Platform: Other
OS/Version: Other
Status: ASSIGNED
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: vcizek@suse.com
ReportedBy: vcizek@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Systemd won't start on a Factory machine with SELinux mls policy in enforcing mode. Corresponding AVC messages show:

2013-03-22T12:54:24.500000+01:00 dhcp88 kernel: [ 7.036863] type=1400 audit(1363953261.042:3): avc: denied { read } for pid=191 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1787 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
2013-03-22T12:54:24.500057+01:00 dhcp88 kernel: [ 7.243186] type=1400 audit(1363953261.250:8): avc: denied { write } for pid=196 comm="systemd-sysctl" name="kmsg" dev="devtmpfs" ino=1793 scontext=system_u:system_r:systemd_sysctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file

The above messages indicate that /dev/null and /dev/kmsg are both labeled as device_t, which is the default for files in /dev. However, looking at the files' labels (when booting in SELinux permissive mode):

# ls -1Z /dev/null /dev/kmsg
system_u:object_r:kmsg_device_t:s15:c0.c1023 /dev/kmsg
system_u:object_r:null_device_t:s0 /dev/null

The devices are labeled with incorrect (default) types when running in mls policy in enforcing mode. It looks like systemd-journal accesses these devices before udev relabels them.

Note: this occurs for other devices too, e.g. ttys.
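
A triage helper for the symptom reported above, added here as an example and not part of the original report or of any openSUSE tooling: it parses AVC denials and lists device nodes on devtmpfs whose target context still carries the default device_t type, i.e. nodes that were accessed before being relabeled. The function names and the third sample line are assumptions made for this example.

```python
import re

# First two lines: the denials quoted in the report (syslog prefix trimmed).
# Third line: constructed control on a non-/dev filesystem; must not be flagged.
SAMPLE_LOG = """\
type=1400 audit(1363953261.042:3): avc: denied { read } for pid=191 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1787 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1363953261.250:8): avc: denied { write } for pid=196 comm="systemd-sysctl" name="kmsg" dev="devtmpfs" ino=1793 scontext=system_u:system_r:systemd_sysctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1363953262.100:9): avc: denied { read } for pid=300 comm="example" name="shadow" dev="sda1" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type from user:role:type[:level]; an MLS level may contain ':'."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) > 2 else ""


def unlabeled_dev_nodes(log, default_type="device_t"):
    """List (comm, node, perms, source type) for denials on default-labeled /dev nodes."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("dev") == "devtmpfs"
                and rec.get("tclass") in ("chr_file", "blk_file")
                and selinux_type(rec.get("tcontext", "")) == default_type):
            # path= is a full path; name= is only the last path component.
            node = rec.get("path") or rec.get("name", "?")
            hits.append((rec.get("comm"), node, rec["perms"],
                         selinux_type(rec.get("scontext", ""))))
    return hits


if __name__ == "__main__":
    for hit in unlabeled_dev_nodes(SAMPLE_LOG):
        print(hit)
```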