# [resolved] SELinux denials at boot time

## Cakemix

I'm deploying my first hardened Gentoo installation and I'm receiving a bunch of warnings in the log from boot time which I'm having trouble clearing up. My current profile is selinux/2007.0/x86/hardened, and I'm running the 2.6.20-hardened-r5 kernel. Help, please? :)

 *Quote:*   

> security:  5 users, 5 roles, 883 types, 31 bools
> 
> security:  60 classes, 21980 rules
> 
> SELinux:  Completing initialization.
> ...

 Last edited by Cakemix on Fri Jul 27, 2007 11:36 pm; edited 1 time in total

----------

## nixnut

Looks like this mail may be relevant to your situation.

----------

## Cakemix

 *Quote:*   

> # setsebool -P global_ssp 1
> 
> libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/strict/modules/tmp/base.pp.
> 
> Could not change policy booleans

 

But then I'm also getting this as well:

 *Quote:*   

>  * Inserting base module into strict module store.
> 
> libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
> 
> libsemanage.semanage_reload_policy: load_policy returned error code -1.
> ...

 

which seems to be this bug.

----------

## Cakemix

setsebool ran fine and fixed the urandom issue once I ran the load_policy routine from the ebuild manually. Fixed the wrong context on ld.so.cache too.

Still have the following when booting with udev:

 *Quote:*   

> audit(1185583236.604:3): avc:  denied  { write } for  pid=1002 comm="bash" name="null" dev=tmpfs ino=1891 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

 

----------
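For triaging boot-time denials like the one quoted in the last post, this added example (not part of the thread, and not code from any poster or from the SELinux tools) parses kernel AVC lines and counts denials per source type, target type, class, permission and object name. The function names `context_type`, `parse_avc` and `summarize` are hypothetical, and the second sample line is constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the thread, line 2 is a
# made-up repeat (different pid/serial), line 3 is a non-AVC boot message.
SAMPLE_LOG = (
    'audit(1185583236.604:3): avc:  denied  { write } for  pid=1002 comm="bash" '
    'name="null" dev=tmpfs ino=1891 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:device_t tclass=chr_file\n'
    'audit(1185583240.120:7): avc:  denied  { write } for  pid=1015 comm="bash" '
    'name="null" dev=tmpfs ino=1891 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:device_t tclass=chr_file\n'
    'SELinux:  Completing initialization.\n'
)

AVC_RE = re.compile(
    r'audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(time=float(m.group('time')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    return rec

def summarize(log_text):
    """Count denials per (source type, target type, class, perms, name)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec['result'] == 'denied':
            counts[(context_type(rec.get('scontext', '?')),
                    context_type(rec.get('tcontext', '?')),
                    rec.get('tclass', '?'), ' '.join(rec['perms']),
                    rec.get('name', '?'))] += 1
    return counts

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Grouping by type rather than by pid or timestamp collapses repeated denials from the same init script into one row, which makes it easier to see whether the problem is a missing rule or a wrongly labelled object.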

