
Re: Bootup problem with refpolicy-2.20091117 - rules found but still can't login

From: Justin P. Mattock <justinmattock_at_nospam>
Date: Thu Jan 21 2010 - 10:46:46 GMT
To: TaurusHarry <>

On 01/21/10 01:36, TaurusHarry wrote:
> Hi Justin,
> Sorry I respond late. Thanks a lot for reminding me to first boot
> SELinux into Permissive mode, then analyze the AVC denied messages and
> try to supplement the necessary rules; I think it is indeed the
> once-and-for-all solution to any problem of missing SELinux rules.

(o.k. had to change the character encoding if you don't mind.) first things first.. is obviously putting everything into permissive mode (boot param enforcing=0, and /etc/selinux/config*), which you seem to have done.

> It took me two days to come up with the following rules that may be
> desirable for refpolicy-2.20091117 (or to use dontaudit if they are
> expected redundant behaviors):

alright so you're using the stable release of refpolicy (apologies if any typos... a bit late, and a bit of hops in) ;-)

> +allow crond_t self:capability { dac_override setgid setuid sys_nice
> dac_read_search audit_control };
> +corecmd_bin_domtrans(crond_t)
> +hostname_domtrans(crond_t)
> +corecmd_getattr_bin_files(crond_t)
> +corecmd_exec_bin(crond_t)
> +corecmd_manage_bin_files(crond_t)
> +fs_search_tmpfs(crond_t)
> +fs_manage_tmpfs_sockets(crond_t)
> +dontaudit quota_t self:memprotect { mmap_zero} ;
> +fs_search_tmpfs(getty_t)
> +term_use_console(insmod_t)
> +fs_search_tmpfs(iscsid_t)
> +fs_manage_tmpfs_sockets(iscsid_t)
> +files_rw_lock_dirs(mount_t)
> +files_manage_generic_locks(mount_t)
> +fs_search_tmpfs(pam_console_t)
> +fs_getattr_tmpfs_dirs(pam_console_t)
> +fs_manage_tmpfs_dirs(pam_console_t)
> +fs_search_tmpfs(portmap_t)
> +/root -d gen_context(system_u:object_r:user_home_dir_t,s0)
> +/root/.+ gen_context(system_u:object_r:user_home_t,s0)
> +fs_search_tmpfs(sendmail_t)
> +fs_manage_tmpfs_sockets(sendmail_t)
> +term_read_console(setfiles_t)
> +fs_search_tmpfs(syslogd_t)
> +fs_manage_tmpfs_dirs(syslogd_t)
> +fs_manage_tmpfs_sockets(syslogd_t)
> +fs_search_tmpfs(sysstat_t)
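Review bot: corecmd_manage_bin_files(crond_t) is far broader than the other crond_t lines in this block, since it lets the cron daemon create and rewrite files under the bin directories; corecmd_exec_bin(crond_t) and corecmd_getattr_bin_files(crond_t) already cover running binaries, so confirm that a real AVC message asked for write access before keeping the manage interface. Also, the two /root gen_context lines are file-context entries and belong in the module's .fc file rather than with the .te rules, and they only take effect after /root is relabeled.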

I think the main thing, before customizations, is making sure everything is legit (but could be wrong);

> (BTW, why are there so many types that are missing the "search"
> privilege against tmpfs_t? Is there any more convenient way to solve this
> problem than invoking fs_search_tmpfs() against each type individually?)

sounds like a problem with pam_namespace and xselinux/xsandbox (did Dan think about polyinstantiation as he wrote xsandbox? (no offense)). noticed my home directory is being waxed out with a change of policy type (standard/mcs)

> I've tried my best to translate as many AVC denied messages to SELinux
> rules as possible; however, even with all the above additional rules
> applied, I still can't log in to SELinux in Enforcing mode (the console
> is stuck with "INIT: Id "0" respawning too fast: disabled for 5 minutes"),
> and there is NOT a single AVC denied message I can find any more in
> dmesg after logging in with enforcing=0! I really don't get it :-(

with the namespace and xsandbox thing I've set up a new policy, relabeled with the new policy, and for some reason have been stuck with user_r:object_r:user_home_t(:s0) in my home dir (anything with name:name as the owner)
labeled in .mozilla/.thunderbird, and most of everything that was there as the original home dir after compiling the policy (but could be my part because of keeping a copy of my home directory and copying over, because namespace/xsandbox keeps waxing out my home directory (or eating it up)).

basically I see user_r:object_r:user_home_t(:s0) as the context even though I've defined my user name/login with semanage. (but could be missing something);

> What could I have missed? So far all I know is that neither the
> kernel nor the SELinux tools I used are the latest; my kernel is 2.6.27 and
> the SELinux tools are of "Release 2009-04-03". Do I need to update the kernel
> and SELinux tools in order to use refpolicy-2.20091117? What can I do
> now to solve this problem?

best thing is to pull everything from git git clone git clone

this way everybody gets a better/updated idea of what's happening (having policycoreutils 2yrs behind, libselinux might cause issues);

> BTW, I've compiled refpolicy-2.20091117 with "TYPE = standard", while I
> originally wanted to try out the MLS type. I guess I have to overcome the
> standard type problem before moving on to the MLS type.

I would stick with standard just to make things simple. mls does not work with the xserver (but could be wrong); mcs does, but I just noticed a constraint with changing roles (but have not reported it due to making sure I have things legit);

> Any comment is greatly appreciated!
> Thanks a lot!
> Harry

first things first is making sure the policy loads.. so let's focus in on that (people, jump in anytime).


Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.
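Harry's question about why so many domains lack "search" on tmpfs_t is easier to answer when the denials are grouped by source domain instead of read one message at a time. The following is an added example, not code from the thread or from refpolicy: a small Python parser that takes AVC records, groups them by source type, and maps the tmpfs patterns discussed above to the refpolicy interface that grants them. The sample AVC lines are constructed, and the interface mapping is an assumption to verify against refpolicy's filesystem.if.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the thread); the field layout
# follows the kernel's "avc: denied" audit message.
SAMPLE_AVCS = """\
type=AVC msg=audit(1264071000.123:45): avc:  denied  { search } for  pid=1234 comm="crond" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1264071000.456:46): avc:  denied  { create } for  pid=1234 comm="crond" name="log" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=AVC msg=audit(1264071001.000:47): avc:  denied  { search } for  pid=2000 comm="syslogd" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1264071001.500:48): avc:  denied  { search } for  pid=2001 comm="mingetty" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1264071002.000:49): avc:  denied  { write } for  pid=2002 comm="mount" name="lock" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:lock_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

# (target type, object class, permission) -> refpolicy interface that grants it.
# Assumed mapping for illustration only; verify against refpolicy's filesystem.if.
INTERFACES = {
    ('tmpfs_t', 'dir', 'search'): 'fs_search_tmpfs',
    ('tmpfs_t', 'sock_file', 'create'): 'fs_manage_tmpfs_sockets',
}

def parse_avcs(text):
    """Return (source type, target type, class, permission) for each denial."""
    found = []
    for m in AVC_RE.finditer(text):
        stype = m.group('scon').split(':')[2]   # user:role:type:level -> type
        ttype = m.group('tcon').split(':')[2]
        for perm in m.group('perms').split():
            found.append((stype, ttype, m.group('tclass'), perm))
    return found

def suggest_rules(denials):
    """Per source domain, the interface call (or raw allow) covering each denial."""
    by_domain = defaultdict(list)
    for stype, ttype, tclass, perm in denials:
        iface = INTERFACES.get((ttype, tclass, perm))
        rule = f'{iface}({stype})' if iface else f'allow {stype} {ttype}:{tclass} {perm};'
        if rule not in by_domain[stype]:
            by_domain[stype].append(rule)
    return dict(by_domain)

def domains_by_interface(denials):
    """Inverted view: which domains all miss the same interface (the tmpfs search case)."""
    inv = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        iface = INTERFACES.get((ttype, tclass, perm))
        if iface:
            inv[iface].add(stype)
    return {k: sorted(v) for k, v in inv.items()}
```

audit2allow -R performs the same interface matching against the installed policy; the script only makes the grouping visible, and a raw allow it emits (the mount_t/lock_t case here) still needs the proper files_* interface chosen by hand.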