-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 05:10 PM, Anamitra Dutta Majumdar (anmajumd) wrote:

The policy expected to include the MLS componant?
system_ubject_r:tmpfs_t:s0



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApdIwACgkQrlYvE4MpobNdwACgzekTr8Ho/M9RcmycK7NLXTaE
SyQAn2TktuUvXzuVylDwOa1R8zQjmsh6
=Q7/z
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 05:10 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are trying to port over our policies from RHEL5 based CUCM release to
> RHEL6 based release. We are starting selinux in permissive mode.
>
> When the system comes up during firstboot it gets stuck at a certain
> point. When we check the syslogs we find that they are empty.
>
> On checking the message buffer we find the following entries
>
> *SELinux: security_context_to_sid(system_ubject_r:tmpfs_t) failed for
> (dev dbcfs, type dbcfs) errno=-22 Kill signal sent to compthread*
>
The policy expected to include the MLS componant?
system_ubject_r:tmpfs_t:s0

> What could be causing such an error in RHEL6. The same policies work fine
> on RHEL5.
>
> Any pointers would be greatly appreciated.
>
> Thanks, Anamitra
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApdIwACgkQrlYvE4MpobMKxgCgmX5u70WAol IJ2G8CJliz057l
MLYAn0UWV9tZILJomuJCV5Au2uNIg6Mj
=+HVY
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi Dan,

Thanks for your response.

I do not see any denials though.

What policies should I be checking for.

-Anamitra

On 8/13/12 2:41 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 08/13/2012 05:10 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
>The policy expected to include the MLS componant?
>system_ubject_r:tmpfs_t:s0
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.12 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iEYEARECAAYFAlApdIwACgkQrlYvE4MpobNdwACgzekTr8H o/M9RcmycK7NLXTaE
>SyQAn2TktuUvXzuVylDwOa1R8zQjmsh6
>=Q7/z
>-----END PGP SIGNATURE-----

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 06:55 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
>
> Thanks for your response.
>
> I do not see any denials though.
>
> What policies should I be checking for.
>
I am not sure what you are doing, but if you have a compiled policy on an
Older OS, you should recompile it on the NEW Os. not just attempt to install a
policy module.

http://danwalsh.livejournal.com/49762.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAqVlkACgkQrlYvE4MpobMUvgCgsiHuJ9wOaq VdfdR1R8lAQhRi
u8wAoN6tL4tz9d34PRkTOaJpZWVLQGXs
=SsuI
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On Mon, 2012-08-13 at 21:10 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> We are trying to port over our policies from RHEL5 based CUCM release
> to RHEL6 based release. We are starting selinux in permissive mode.
>
>
> When the system comes up during firstboot it gets stuck at a certain
> point. When we check the syslogs we find that they are empty.
>
>
> On checking the message buffer we find the following entries
>
>
> SELinux: security_context_to_sid(system_ubject_r:tmpfs_t) failed for
> (dev dbcfs, type dbcfs) errno=-22
> Kill signal sent to compthread

This means you tried to pass context=system_ubject_r:tmpfs_t as a
mount option (e.g. from /etc/fstab or the mount command line) when
mounting the dbcfs (which is what?), and you need to specify the :s0
suffix on the context for the MLS/MCS label.

>
> What could be causing such an error in RHEL6. The same policies work
> fine on RHEL5.
>
>
> Any pointers would be greatly appreciated.
>
>
> Thanks,
> Anamitra
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi Dan,

We are compiling our policies on the new OS and then installing it. All
the policies install fine.
When the box comes up after firstboot following the install that is when
we see this error in the
D message buffer.

Here are our current entries in the /etc/fstab file


#
UUID=0325a3b6-4c4d-468d-8d41-218a625104af / ext4
defaults,noatime 1 1
UUID=9da9fcd3-127a-4cfd-8354-bda6b7b12b39 /common ext4
defaults 1 2
UUID=43b41e10-8147-4e6b-95fd-663b904a248a /grub ext4
defaults 1 2
UUID=a0e34fd5-d4a8-48e0-a1e8-c58b38880dd6 /partB ext4
defaults 1 0
UUID=41d14b91-c85d-4a69-8c35-df8213a0647c swap swap
defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
none /var/log/ramfs/cm/trace/ccm/sdi dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=c cm,dest=/var/log/active/c
m/trace/ccm/sdi 0 0
none /var/log/ramfs/cm/trace/ccm/sdl dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=c cm,dest=/var/log/active/c
m/trace/ccm/sdl 0 0
none /var/log/ramfs/cm/trace/ccm/calllogs dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=c cm,dest=/var/log/active/c
m/trace/ccm/calllogs 0 0
none /var/log/ramfs/cm/trace/ccm/dntrace dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=c cm,dest=/var/log/active/c
m/trace/ccm/dntrace 0 0
none /var/log/ramfs/cm/trace/lbm/sdl dbcfs
noauto,uid=0,gid=506,mode=0770,size=128M,wproc=lbm ,dest=/var/log/active/cm/
trace/lbm/sdl 0 0
none /var/log/ramfs/cm/trace/cti/sdi dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=C TIManager,dest=/var/log/a
ctive/cm/trace/cti/sdi 0 0
none /var/log/ramfs/cm/trace/cti/sdl dbcfs
noauto,uid=513,gid=506,mode=0770,size=128M,wproc=C TIManager,dest=/var/log/a
ctive/cm/trace/cti/sdl 0 0
~





Thanks,
Anamitra

On 8/14/12 6:44 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 08/13/2012 06:55 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dan,
>>
>> Thanks for your response.
>>
>> I do not see any denials though.
>>
>> What policies should I be checking for.
>>
>I am not sure what you are doing, but if you have a compiled policy on an
>Older OS, you should recompile it on the NEW Os. not just attempt to
>install a
>policy module.
>
>http://danwalsh.livejournal.com/49762.html
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.12 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iEYEARECAAYFAlAqVlkACgkQrlYvE4MpobMUvgCgsiHuJ9wOa qVdfdR1R8lAQhRi
>u8wAoN6tL4tz9d34PRkTOaJpZWVLQGXs
>=SsuI
>-----END PGP SIGNATURE-----

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux