Hi, maybe I can help you. I hit a similar problem a while ago. I presume that you use a tmpfs for /run. If that's the case, you may need to relabel /dev/utmp (not inside the tmpfs but on the disk itself - use a bind mount and the instructions for relabeling /lib from the handbook, or unmount run).

Another hint from me: don't use dracut if you plan to boot in enforcing. I never could get it working (if you need an initramfs, build a minimal one for yourself).

-Hinnerk

On Wed, Mar 06, 2013 at 12:15:38PM +0100, Krzysztof Nowicki wrote:
> Hi,
>
> I'm trying to migrate a machine to SELinux. I was able to run all the steps
> related to the kernel, packages and filesystem. The system boots fine in
> permissive mode but I'm getting a lot of AVC denials related to /run. The
> obvious suspect would be the lack of proper labelling so I checked the fstab and
> verified that the /run filesystem is present with the correct rootcontext
> option. To my surprise however the /run filesystem is still mounted without
> the rootcontext option.
>
> I've spent some time tracking this down and eventually found out that the
> issue is related to the Dracut initramfs. The init script mounts /run from
> there. Obviously the mount options are hard-coded and rootcontext is not
> among them.
>
> So I tried to edit the Dracut's init script
> (/usr/lib64/dracut/modules.d/99base/init.sh) to append the rootcontext option
> to the mount /run line, but surprisingly it was completely ignored.
>
> Did anybody hit a similar problem?
>
> Regards
> Chris
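
A check for the symptom described in the quoted message (rootcontext set in fstab but absent from the live mount), added here as an example and not part of the original thread. The function names, file arguments and sample contexts are constructed, and it assumes the mount table (such as /proc/mounts) lists the rootcontext= option for mounts that carry one and that contexts contain no commas.

```shell
#!/bin/sh
# missing_rootcontext FSTAB MOUNTS
# Prints every mount point whose fstab entry asks for rootcontext=...
# but whose live mount lacks that option (or is not mounted at all).
missing_rootcontext() {
    awk '
        # Return the "rootcontext=..." option from a comma-separated list.
        function rootctx(opts,   n, i, a) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /^rootcontext=/) { gsub(/"/, "", a[i]); return a[i] }
            return ""
        }
        FILENAME == ARGV[1] {                      # first file: fstab
            if ($0 !~ /^[ \t]*(#|$)/ && rootctx($4) != "")
                want[$2] = rootctx($4)
            next
        }
        ($2 in want) { live[$2] = rootctx($4) }    # last entry wins (topmost mount)
        END {
            for (mp in want)
                if (live[mp] != want[mp]) print mp
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: /run was mounted early without rootcontext,
# /tmp was mounted from fstab with it.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/fstab" <<'EOF'
# constructed sample fstab
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
tmpfs /tmp tmpfs nosuid,nodev,rootcontext=system_u:object_r:tmp_t 0 0
EOF
    cat > "$d/mounts" <<'EOF'
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,rootcontext=system_u:object_r:tmp_t 0 0
EOF
    missing_rootcontext "$d/fstab" "$d/mounts"
    rm -rf "$d"
}

demo
```

On a live system the call would be `missing_rootcontext /etc/fstab /proc/mounts`; any mount point it prints was mounted by something other than the fstab entry or with different options.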