Resolving SELinux audit errors on boot in Fedora Core 4

I’ve upgraded two systems at work from Fedora Core 3 to Fedora Core 4: a desktop using the normal installer, and a test server upgrading with yum. The yum upgrade worked well except for two snags. The first was a conflict with the old kernel-utils package. I followed the recommendation by installing the new kernel first, rebooting, then removing the old kernel.

The second was that SELinux* denied access to about a dozen services on start-up. It was in auditing mode, not enforcing mode, so the services still worked, but I wanted to be able to start enforcing the policy once I resolved some other issues.

After digging through the Fedora Core SELinux FAQ, messing with restorecon and relabeling, I noticed that it didn’t log any errors when I restarted the services manually, only when they started on boot. I looked more closely at log entries. Here’s a typical one:

Jun 22 09:21:06 <servername> kernel: audit(1119457266.772:14): avc: denied { use } for pid=1941 comm="ntpdate" name=init **dev=rootfs** ino=8 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:kernel_t tclass=fd

The device, rootfs, was the key. When I had installed the new kernel, it was running under the simpler SELinux policy for Fedora Core 3. The “targeted” policy in Fedora Core 4 covers more services. So the initial ramdisk the kernel uses to boot had everything labeled for the old policy.

Solution: Rebuild the initrd. Reboot. Done.

mv /boot/initrd-2.6.11-1.1369_FC4.img \
   /boot/initrd-2.6.11-1.1369_FC4.img.bak;
/sbin/mkinitrd initrd-2.6.11-1.1369_FC4.img \
    2.6.11-1.1369_FC4