Bug 520753

Summary:	Cannot reenable SELinux
Product:	[Fedora] Fedora	Reporter:	Tomas Mraz <tmraz>
Component:	dracut	Assignee:	Harald Hoyer <harald>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	rawhide	CC:	dwalsh, harald, jkubin, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2009-09-10 14:07:19 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Tomas Mraz 2009-09-02 07:46:58 UTC

I had some weird labelling problems on machine which was upgraded from F11 to rawhide recently. So I have disabled SELinux, and removed the selinux-policy and selinux-policy-targeted packages. Then after reboot I've reinstalled the packages again, touched /.autorelabel, set SELinux to permissive in /etc/selinux/, and rebooted the system again.

Unfortunately after the reboot the SELinux stays disabled and there is nothing in log files except SELinux:  Initializing. SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks.

I found that selinuxfs is not mounted on /selinux mountpoint.

There is no selinux=0 on grub kernel command line.

Comment 1 Daniel Walsh 2009-09-04 14:28:43 UTC

vi /etc/selinux/config  change disabeled to enabled.

Comment 2 Tomas Mraz 2009-09-04 14:50:47 UTC

I of course have
SELINUX=permissive
in /etc/selinux/config

(there is no disabled in /etc/selinux/config at all)

I've tried also setting
SELINUX=enabled
in the config file + reboot but it does not help anyway.

I suspect it is caused by the changes to the initrd with change from mkinitrd to dracut.

Comment 3 Daniel Walsh 2009-09-08 10:55:05 UTC

THen we will blame it on dracut.  :^)

Comment 4 Harald Hoyer 2009-09-08 14:38:19 UTC

ok, please install dracut-001-6.gitf5c4374d.fc12 from

http://koji.fedoraproject.org/koji/buildinfo?buildID=131035

on your system and recreate initrd-generic with dracut (like with mkinitrd)

# dracut -f \
      /boot/initrd-generic-2.6.31-0.174.rc7.git2.fc12.x86_64.img \
                           2.6.31-0.174.rc7.git2.fc12.x86_64

Comment 5 Harald Hoyer 2009-09-08 14:41:06 UTC

sry, of course with the correct version

# dracut -f /boot/initrd-generic-$(uname -r).img $(uname -r)

Comment 6 Tomas Mraz 2009-09-08 15:51:26 UTC

Unfortunately I am unable to boot with initrd created by the command above - it panics because it cannot find root device on LVM volume.

This was output during the dracut run:
 dracut -f /boot/initrd-generic-2.6.31-0.190.rc8.fc12.x86_64.img 2.6.31-0.190.rc8.fc12.x86_64
W: Possible missing firmware aic94xx-seq.fw for module aic94xx.ko
W: Possible missing firmware ql8100_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2500_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2400_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2322_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2300_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2200_fw.bin for module qla2xxx.ko
W: Possible missing firmware ql2100_fw.bin for module qla2xxx.ko
ln: creating symbolic link `/tmp/initramfs.fEVu6Kbin/reboot': No such file or directory

60390 blocks

Comment 7 Harald Hoyer 2009-09-09 17:43:18 UTC

do you have /usr on a separate partition?

Comment 8 Harald Hoyer 2009-09-09 17:45:58 UTC

if yes, then this is related to bug 521932

Comment 9 Tomas Mraz 2009-09-10 10:34:04 UTC

No. The only separate partition is /boot which is on /dev/sda1. The root is on LVM volume.

Comment 10 Harald Hoyer 2009-09-10 10:49:30 UTC

does:

# /usr/sbin/load_policy -i && echo OK

work?

Comment 12 Harald Hoyer 2009-09-10 14:07:19 UTC

ok, symlink /etc/sysconfig/selinux to /etc/config/selinux was missing
and also bug 522486 happened. Will add code to honor /etc/config/selinux also.