Bug 444772

Summary: SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
Product: [Fedora] Fedora
Reporter: Sami Farin <hvtaifwkbgefbaei>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 9
CC: yangchuanqing2008
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-02 20:35:57 UTC

Description Sami Farin 2008-04-30 15:03:38 UTC
Description of problem:

can not enable selinux.
also:

SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.23, searching for an older version.
SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.22, searching for an older version.
SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.21, searching for an older version.
SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.20, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.23:
 No such file or directory
load_policy:  Can't load policy:  No such file or directory

What is that supposed to mean?
Why can it not downgrade it?  Why does it want to downgrade?
How to fix it?

# l /etc/selinux/targeted/policy/
total 13816
drwxr-xr-x 2 root root      94 2008-04-30 17:50:59.132440645 +0300 .
drwxr-xr-x 7 root root    4096 2008-04-30 17:50:59.145440593 +0300 ..
-rw-r--r-- 1 root root 2082160 2005-02-10 10:26:36.512454000 +0200 policy.18.rpmsave
-rw------- 1 root root  310020 2005-11-27 01:39:13.940573000 +0200 policy.20
-rw------- 1 root root 3903703 2007-11-03 18:27:54.034319022 +0200 policy.21
-rw-r--r-- 1 root root 3903715 2008-04-10 00:41:17.384481625 +0300 policy.22
-rw------- 1 root root 3903727 2008-04-30 17:50:59.132440645 +0300 policy.23




Version-Release number of selected component (if applicable):
3.3.1-42

How reproducible:
always

selinux-policy-3.0.8-44 worked earlier, but I have not tried downgrading to it
as of yet.

Steps to Reproduce:
1. load_policy
2.
3.
  
Actual results:
policy load fails, selinux stays disabled

Expected results:
loading of policy

Additional info:

Comment 1 Daniel Walsh 2008-05-07 17:58:29 UTC
Have you upgraded to the latest kernel?  You should be able to remove all of the
policy files except for 23.  But you need to have the latest kernel and initrd
setup.

Comment 2 Sami Farin 2008-05-07 18:28:34 UTC
No, I do not have the latest kernel or initrd.
I have only the latest kernel that works.

Nothing about such things is in the dependencies of selinux-policy.
load_policy says nothing related to any kernel versions or initrd.

I downgraded to selinux-policy-targeted-3.0.8-44.fc8, it had policy.21, I try again:
SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.21, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.23:
 No such file or directory
load_policy:  Can't load policy:  No such file or directory

Uh oh, well I ran "load_policy -i" , seems to last for some hours...
does not tell what it is doing, or estimates about completion... yes I could
sysrq+w or reboot...

Oh now it finished.
SELinux: policy loaded with handle_unknown=allow

All this black magic... a bit over my head, though I have used Linux only for 14
years.

Comment 3 Daniel Walsh 2008-05-07 19:52:57 UTC
You are running rawhide, so the kernel/upstart/selinux
policy/SysVinit/libselinux/libsepol/checkpolicy/libsemanage have all upgraded. 
I have no idea why the latest rawhide soon to be Fedora 9 kernel will not work
on your machine, but I know that all of the latest stuff will not work properly
with a very old kernel/initrd.
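
Added here for illustration, not part of the bug thread and not libselinux code: a shell diagnostic for the kernel/policy mismatch discussed in comments 1 and 3. It lists which installed policy.N files exceed the highest policy version the running kernel accepts and so would have to be downgraded by userspace. The function names, the FILE override and the sample kernel limit of 21 are assumptions; selinuxfs's policyvers file is where the kernel reports its limit.

```shell
#!/bin/sh
# Added diagnostic, not from the bug thread or libselinux: compare the
# policy.N files in a policy directory with the kernel's version limit.

# kernel_policyvers [FILE]: print the highest policy version the kernel accepts.
# selinuxfs reports it in "policyvers" (/sys/fs/selinux today, /selinux on
# older releases). FILE is a hypothetical override used for offline testing.
kernel_policyvers() {
    for f in "$@" /sys/fs/selinux/policyvers /selinux/policyvers; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# classify_policies DIR KERNVERS: one "N status" line per policy.N in DIR.
#   direct     N <= KERNVERS
#   downgrade  N >  KERNVERS, userspace has to rewrite it to KERNVERS first
classify_policies() {
    dir=$1 kern=$2
    for p in "$dir"/policy.*; do
        n=${p##*.}
        case $n in ''|*[!0-9]*) continue ;; esac  # e.g. policy.18.rpmsave
        if [ "$n" -le "$kern" ]; then echo "$n direct"; else echo "$n downgrade"; fi
    done | sort -n
}

# best_direct DIR KERNVERS: highest installed version needing no downgrade;
# returns non-zero when every installed policy is newer than the kernel limit.
best_direct() {
    classify_policies "$1" "$2" |
        awk '$2 == "direct" { v = $1 } END { if (v) print v; else exit 1 }'
}

# Constructed demo: file names from the listing in the report (empty files)
# and a made-up kernel limit of 21; the thread does not state the real one.
demo=$(mktemp -d)
for v in 18.rpmsave 20 21 22 23; do : > "$demo/policy.$v"; done
echo 21 > "$demo/policyvers"
kv=$(kernel_policyvers "$demo/policyvers")
echo "kernel accepts policy versions up to $kv"
classify_policies "$demo" "$kv"
echo "highest file loadable without downgrade: policy.$(best_direct "$demo" "$kv")"
rm -rf "$demo"
```

On a live system, call `kernel_policyvers` with no argument and pass the result together with /etc/selinux/targeted/policy to `classify_policies`.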

Comment 4 Bug Zapper 2008-05-14 10:26:09 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 youngtao 2009-04-24 11:59:08 UTC
just make the /etc/selinux/config

*********************************************************************
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
*********************************************************************


and then 


#init 6;

waiting until you have 3 cups of coffee

so login and do #sestatus

if it shows disable

you can run #load_policy -qi


just V ing....