On Wednesday 03 June 2009, 08:46 -0400 William Keaney wrote:
> I had similar issues a while back. The problem is that the static device
> nodes in /dev on your root filesystem do not have the proper labels. Once
> udev starts, it mounts its own fs over that location and replaces the files
> with correctly labeled nodes.
> Try booting with "init=/bin/bash", then run "mount -o remount,rw /". This
> should give you access to the static nodes in /dev, and you can relabel them
> with the correct contexts.
>
> Will Keaney

William Keaney,

Thank you for your quick answer!

I forgot that there could be static files in /dev :-)
I did 'mount --bind / /mnt/fixdev' and executed setfiles on fixdev/dev.
It works fine and I have no more avc messages from init. All the static files in /dev (files dev=hda2) are now correctly labeled.

But I'm still getting:
----------------------------------------------------------------------
audit(1244054432.619:3): avc: denied { write } for pid=1126 comm="bash" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054432.719:4): avc: denied { read } for pid=1133 comm="write_root_link" name="console" dev=tmpfs ino=1439 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:5): avc: denied { read write } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:6): avc: denied { getattr } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
----------------------------------------------------------------------

ls -iZ /dev/{null,console}
1439 system_u:object_r:console_device_t /dev/console
1445 system_u:object_r:null_device_t /dev/null

Now /dev/null and /dev/console are the dynamically created files on tmpfs. But the type in the avc message is different from the type I get with ls -Z
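
Added example, not part of the original message: the script below joins the quoted AVC denials to the `ls -iZ` listing by inode and reports where the logged target type differs from the node's current type. The sample data is copied from the post; the function names are hypothetical, and the join assumes the listing comes from the same tmpfs that the denials name.

```python
import re

# Constructed sample input: the denials and `ls -iZ` output quoted in the post.
AVC_LOG = '''\
audit(1244054432.619:3): avc: denied { write } for pid=1126 comm="bash" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054432.719:4): avc: denied { read } for pid=1133 comm="write_root_link" name="console" dev=tmpfs ino=1439 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:5): avc: denied { read write } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:6): avc: denied { getattr } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
'''
LS_IZ = '''\
1439 system_u:object_r:console_device_t /dev/console
1445 system_u:object_r:null_device_t /dev/null
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value fields; assumes no spaces inside quoted values (true for this log)
    rec = {k: v.strip('"') for k, v in
           (f.split("=", 1) for f in m.group(2).split() if "=" in f)}
    rec["perms"] = m.group(1).split()
    return rec

def parse_ls_iz(text):
    """Map inode -> (context, path) from `ls -iZ` lines of the form shown above."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            out[parts[0]] = (parts[1], parts[2])
    return out

def label_mismatches(avc_log, ls_text):
    """List denials whose logged target type differs from the node's current type."""
    nodes = parse_ls_iz(ls_text)
    found = []
    for rec in filter(None, map(parse_avc, avc_log.splitlines())):
        if rec.get("ino") not in nodes:
            continue  # denial refers to a node that is not in the listing
        ctx, path = nodes[rec["ino"]]
        logged, current = rec["tcontext"].split(":")[2], ctx.split(":")[2]
        if logged != current:
            found.append((path, rec["comm"], logged, current))
    return found
```

A row in the result only shows that the node carried a different type when the access was checked than when it was listed.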