[SELinux] Boot fail due to checking root file system fail

To: debian-security@lists.debian.org
Subject: [SELinux] Boot fail due to checking root file system fail
From: Simon Brandmair <sbrandmair@gmx.net>
Date: Sat, 29 Jan 2011 17:26:29 +0100
Message-id: <[🔎] ii1f3l$mpu$00$1@news.t-online.com>
Hi,

booting debian squeeze with selinux fails with following error (without 
selinux it boots fine):

"Checking root file system...failed (code8)."
and I get a root login prompt.

What am I missing to make my standard installation boot?

# sestatus 
	SELinux status:                 enabled
	SELinuxfs mount:                /selinux
	Current mode:                   permissive
	Mode from config file:          permissive
	Policy version:                 24
	Policy from config file:        default


# dmesg after boot fail

SELinux: 8192 avtab hash slots, 37757 rules.
SELinux: 8192 avtab hash slots, 37757 rules.
SELinux:  6 users, 7 roles, 1142 types, 42 bools, 1 sens, 1024 cats
SELinux:  73 classes, 37757 rules
SELinux:  class kernel_service not defined in policy
SELinux:  class tun_socket not defined in policy
SELinux:  permission open in class sock_file not defined in policy
SELinux:  permission module_request in class system not defined in policy
SELinux:  permission nlmsg_tty_audit in class netlink_audit_socket not 
defined in policy
SELinux: the above unknown classes and permissions will be denied
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses 
genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1296317333.486:2): policy loaded auid=4294967295 
ses=4294967295
type=1400 audit(1296317333.798:3): avc:  denied  { read write } for  
pid=348 comm="mountpoint" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s
0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.798:4): avc:  denied  { read write } for  
pid=348 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:moun
t_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.798:5): avc:  denied  { read write } for  
pid=348 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.798:6): avc:  denied  { read write } for  
pid=348 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.890:7): avc:  denied  { read write } for  
pid=355 comm="mount" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.890:8): avc:  denied  { read write } for  
pid=355 comm="mount" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.890:9): avc:  denied  { read write } for  
pid=355 comm="mount" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317333.890:10): avc:  denied  { read write } for  
pid=355 comm="mount" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
__ratelimit: 333 callbacks suppressed
type=1400 audit(1296317345.187:122): avc:  denied  { read write } for  
pid=466 comm="mountpoint" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t
:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.187:123): avc:  denied  { read write } for  
pid=466 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.187:124): avc:  denied  { read write } for  
pid=466 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:125): avc:  denied  { read write } for  
pid=467 comm="mountpoint" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:126): avc:  denied  { read write } for  
pid=467 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:127): avc:  denied  { read write } for  
pid=467 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:128): avc:  denied  { read write } for  
pid=468 comm="mountpoint" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:129): avc:  denied  { read write } for  
pid=468 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.191:130): avc:  denied  { read write } for  
pid=468 comm="mountpoint" path="/dev/console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=1400 audit(1296317345.199:131): avc:  denied  { read write } for  
pid=472 comm="mount" name="console" dev=sda2 ino=1262391 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=chr_file
__ratelimit: 63 callbacks suppressed
type=1400 audit(1296317352.483:153): avc:  denied  { search } for  pid=496 
comm="sulogin" name="root" dev=sda2 ino=491521 
scontext=system_u:system_r:sulogin_t:s0 
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=1400 audit(1296317352.515:154): avc:  denied  { module_request } 
for  pid=496 comm="bash" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317352.515:155): avc:  denied  { module_request } 
for  pid=496 comm="bash" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.037:156): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.037:157): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.037:158): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.037:159): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.037:160): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.049:161): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.049:162): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.049:163): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.049:164): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=1400 audit(1296317374.049:165): avc:  denied  { module_request } 
for  pid=502 comm="ls" scontext=system_u:system_r:sysadm_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system


Cheers,
Simon
Reply to:
Prev by Date: [SELinux] Wildcard for object classes?
Next by Date: Re: [SECURITY] [DSA-2154-1] exim4 security update
Previous by thread: [SELinux] Wildcard for object classes?
Next by thread: Re: [SELinux] Boot fail due to checking root file system fail
Index(es):
- Date
- Thread