I've been running a couple of Gentoo SELinux systems using the stock
reference policy for a few months now, for testing & policy development,
but have recently run into a snag. The SELinux folks directed me here
since it seems to be only Gentoo that's giving me problems.

The latest refpolicy requires versions of the SELinux userland that
aren't yet in portage. So I created a local overlay and wrote ebuilds
for all of them, which seemed to work fine. However, on more than one
machine, I can reproduce a problem by upgrading libselinux from the
latest version in portage to the latest development version (1.34.14 ->

As soon as I install the v2.0 library, my system stops booting properly
until I either disable SELinux in the kernel, or back down to 1.34.14.
The problem manifests itself by causing every app that runs out of init
to fail immediately. None of the /sbin/rc scripts run, and as soon as
the gettys launch they immediately crash until init stops respawning
them. CTRL-ALT-DEL also doesn't work, as init doesn't create the
/dev/initctl socket, and only a hard power-down can get me out of this

If I boot with either "selinux=0" or "emergency" kernel parameters, the
system boots but obviously not in a usable SELinux state. I have
successfully used the new v2.0 set of userland tools on at least one
other Gentoo system, as well as Fedora, with no issues. It only seems
to happen if I start with the v1 library then upgrade to the v2 library,
but I can't find any particular application that links to libselinux
that would need to be rebuilt. I tried rebuilding init, pam, login, and
agetty and none of that helped.

I'm not sure how to even start debugging this problem, though I'd be
happy to spend the time if I could figure out how. The system logger
and audit daemons don't start when the failure occurs, I can't log in to
trace the apps, and I'm not finding any core dumps anywhere. Can anyone
point me in the right direction here?