selinux January 2010 archive

RE: Bootup problem with refpolicy-2.20091117 - rules found but still can't login

From: Stephen Smalley <sds_at_nospam>
Date: Fri Jan 22 2010 - 16:14:07 GMT
To: TaurusHarry <>

On Fri, 2010-01-22 at 10:13 +0000, TaurusHarry wrote:
> Exactly! Aside from missing necessary TE rules, another possible reason
> a program can't run normally is that the file accessed has not been
> properly labeled. My above findings that many types have no "search"
> privilege against tmpfs_t are a good example of this: none
> of /dev/* should be labeled as tmpfs_t. From my below findings we can
> see that tmpfs has been mounted on both /dev and /dev/shm, and after
> booting with enforcing=0, /dev/stderr etc. are labeled as tmpfs_t,
> but after I manually do restorecon -R /dev, they all reclaim
> their correct labels:
> root@cp3020:/root> cat /proc/cmdline
> root=/dev/sda1 rw console=ttyS0,115200n8 ip=dhcp selinux=1 enforcing=0
> BOOT_IMAGE=/vlm-boards/12885/qcao/kernel
> root@cp3020:/root> cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev/root / ext2 rw,errors=continue 0 0
> none /selinux selinuxfs rw 0 0
> /proc /proc proc rw 0 0
> /sys /sys sysfs rw 0 0
> none /dev tmpfs rw,mode=755 0 0
> devpts /dev/pts devpts rw,mode=600 0 0
> tmpfs /dev/shm tmpfs rw 0 0
> none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
> root@cp3020:/root> ls -Z /dev/ | grep tmpfs_t
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 MAKEDEV
> drwxr-xr-x root root system_u:object_r:tmpfs_t:s0 bsg
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 core
> drwxr-xr-x root root system_u:object_r:tmpfs_t:s0 cpu
> drwxr-xr-x root root system_u:object_r:tmpfs_t:s0 disk
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 fd
> crw------- root root system_u:object_r:tmpfs_t:s0 ipmi0
> srw-rw-rw- root root system_u:object_r:tmpfs_t:s15:c0.c255 log
> drwxrwxrwt root root system_u:object_r:tmpfs_t:s0 shm
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 stderr
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 stdin
> lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 stdout
> root@cp3020:/root> /sbin/restorecon -R /dev
> root@cp3020:/root> ls -Z /dev | grep tmpfs_t
> root@cp3020:/root> ls -Z /dev | grep -v device_t
> prw------- root root system_u:object_r:initctl_t:s0 initctl
> srw-rw-rw- root root system_u:object_r:devlog_t:s0 log
> crw-rw-rw- root tty system_u:object_r:ptmx_t:s0 ptmx
> drwxr-xr-x root root system_u:object_r:devpts_t:s0-s15:c0.c255 pts
> crw-rw-rw- root tty system_u:object_r:devtty_t:s0 tty
> root@cp3020:/root>
> However, after reboot the console still hangs. I think many files
> under /dev/ are created by udev on-the-fly so we have to label them
> after creation. Then I modified rc.sysinit to move "/sbin/restorecon
> -R /dev" out of the control of the if statement and thus always be
> conducted, but the problem is still there. I even went on to
> touch /.autorelabel and changed "/sbin/fixfiles restore > /dev/null
> 2>&1" to "/sbin/restorecon -R /" in the relabel_selinux() function(so
> that the whole filesystem is relabeled once again during bootup), but
> the problem still persists.
> Any further comments?

The restorecon -R /dev has to be done on every boot since tmpfs is ephemeral.

There are certain allow rules that are only included if DISTRO=redhat related to relabeling of the tmpfs /dev I believe, as some other distros took a different approach (mounting with rootcontext=?)?

--
Stephen Smalley
National Security Agency
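As an added check (not code from this thread), a small script that flags the two conditions diagnosed above: tmpfs mounts with no context=/rootcontext= mount option, whose contents start out as tmpfs_t on every boot until restorecon runs, and `ls -Z` entries that still carry the generic tmpfs_t type. The sample inputs are constructed from the /proc/mounts and ls -Z output quoted above; the /run line carrying rootcontext= is an assumed addition to show the alternative mount-time approach.

```python
"""Flag tmpfs mounts and /dev entries that still carry the generic tmpfs_t label."""

# Constructed sample, modelled on the /proc/mounts output in the thread.
# The /run line is an assumption: it shows a tmpfs mounted with rootcontext=.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext2 rw,errors=continue 0 0
none /selinux selinuxfs rw 0 0
none /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
tmpfs /dev/shm tmpfs rw 0 0
tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0 0 0
"""

# Constructed sample, modelled on the `ls -Z /dev` output in the thread.
SAMPLE_LS_Z = """\
lrwxrwxrwx root root system_u:object_r:tmpfs_t:s0 stderr
crw-rw-rw- root tty system_u:object_r:ptmx_t:s0 ptmx
srw-rw-rw- root root system_u:object_r:devlog_t:s0 log
drwxr-xr-x root root system_u:object_r:devpts_t:s0-s15:c0.c255 pts
"""


def tmpfs_mounts(mounts_text):
    """Return {mountpoint: [options]} for every tmpfs entry in /proc/mounts text."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "tmpfs":
            result[fields[1]] = fields[3].split(",")
    return result


def mounts_without_context(mounts_text):
    """tmpfs mounts lacking context=/rootcontext=: these are re-created unlabeled
    on each boot and need a restorecon -R after mounting (as the thread notes)."""
    return sorted(mp for mp, opts in tmpfs_mounts(mounts_text).items()
                  if not any(o.startswith(("context=", "rootcontext="))
                             for o in opts))


def generic_labeled(ls_z_text, fs_type="tmpfs_t"):
    """Names from `ls -Z` output whose type field is the filesystem's generic
    type, i.e. entries that were never relabeled after the tmpfs was mounted.
    The context field may contain MLS ranges with ':' so only index 2 is used."""
    names = []
    for line in ls_z_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ctx = fields[3].split(":")
        if len(ctx) >= 3 and ctx[2] == fs_type:
            names.append(fields[-1])
    return names
```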