Bug 659076
| Summary: | dracut attempts to load_policy with SELinux=disabled | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | John Ruemker <jruemker> | |
| Component: | dracut | Assignee: | Harald Hoyer <harald> | |
| Status: | CLOSED ERRATA | QA Contact: | Release Test Team <release-test-team-automation> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 6.0 | CC: | atodorov, dwalsh, mgrepl, mmalik, moshiro, rdassen, syeghiay | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 750594 | Environment: | ||
| Last Closed: | 2011-12-06 16:41:27 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 743047, 750594 | |||
If SELinux is disabled via the config file, the load_policy command actually tells the kernel about this, and allows the kernel to disable the SELinux kernel hooks from the system. Removes selinuxfs from /proc/filesystems for example. If load_policy is never executed the kernel never gets told to remove the SELinux subsystem.

but load_policy needs to be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=624223#c31

Miroslav can you back port the load_policy from Rawhide to RHEL6.

Fixed in policycoreutils-2.0.83-33.3.el6

Looks good. Not seeing:

```
dracut: Loading SELinux policy
dracut: /sbin/load_policy: Can't load policy: No such file or directory
```

in dracut-004-235.el6.noarch

```
# cat /etc/selinux/config | egrep '^SELINUX'
SELINUX=disabled
# dmesg|fgrep dracut
dracut: dracut-004-254.el6
dracut: Starting plymouth daemon
dracut: Scanning devices sda2 for LVM logical volumes VolGroup01/LogVol00
dracut: inactive '/dev/VolGroup01/LogVol00' [8.53 GiB] inherit
dracut: inactive '/dev/VolGroup01/LogVol01' [1.00 GiB] inherit
dracut: Mounted root filesystem /dev/mapper/VolGroup01-LogVol00
dracut: /sbin/load_policy: Can't load policy: No such file or directory
dracut: Switching root
```

No "dracut: Loading SELinux policy" present.... WORKSFORME

Yes, I see it also.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1521.html
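The first comment above says that load_policy, run with SELinux disabled in the config file, is what makes the kernel drop its hooks and remove selinuxfs from /proc/filesystems. The check below is an added example, not code from dracut or from this bug: it compares the config value with what the kernel still lists, and the function names and state labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Both paths are parameters so the check can be run against
# copies of the files; the defaults are the live locations.

# Print the SELINUX= value from the config file without sourcing it.
# The last uncommented SELINUX= line wins, as it would when sourced.
selinux_config_mode() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*"\{0,1\}\([A-Za-z]*\).*$/\1/p' "$cfg" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unknown}"
}

# Succeed if selinuxfs is still registered with the kernel.
selinuxfs_registered() {
    fslist=${1:-/proc/filesystems}
    grep -qw selinuxfs "$fslist" 2>/dev/null
}

# Combine both observations into one state label (labels are hypothetical).
selinux_disable_state() {
    mode=$(selinux_config_mode "$1")
    if selinuxfs_registered "$2"; then present=yes; else present=no; fi
    case "$mode:$present" in
        disabled:no)  echo "disabled-in-kernel" ;;       # kernel was told
        disabled:yes) echo "disabled-in-config-only" ;;  # hooks still registered
        unknown:*)    echo "config-unknown" ;;
        *:yes)        echo "enabled" ;;
        *)            echo "enabled-in-config-but-no-selinuxfs" ;;
    esac
}
```

On a live host, call `selinux_disable_state` with no arguments; `disabled-in-config-only` is the state the comment warns about when load_policy is skipped.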
Description of problem: When booting with SELinux=disabled in /etc/sysconfig/selinux (but without specifying selinux=0 on the kernel cmdline), dracut still attempts to run load_policy in pre-pivot/50selinux-loadpolicy.sh which throws an error:

dracut: /sbin/load_policy: Can't load policy: No such file or directory

50selinux-loadpolicy.sh already checks if selinux=0 was a kernel parameter, and could be easily modified to also check the config file. This worked for me:

rd_load_policy() { # If SELinux is disabled exit now getarg "selinux=0" > /dev/null && return 0 SELINUX="enforcing" [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" + if [ "$SELINUX" = "disabled" ]; then + return 0 + fi # Check whether SELinux is in permissive mode permissive=0 getarg "enforcing=0" > /dev/null if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then permissive=1 fi

This is a low impact issue but it produces an error that may concern users (as it did for my customer).

Version-Release number of selected component (if applicable): dracut-004-33.el6_0.noarch

How reproducible: Always

Steps to Reproduce:

1. Set SELINUX=disabled in /etc/sysconfig/selinux
2. Reboot

Actual results: Error on boot

Expected results: No errors
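
Review bot: the added `if [ "$SELINUX" = "disabled" ]` block in rd_load_policy() returns before load_policy is ever run, yet the discussion on this bug states that load_policy is the step that tells the kernel to disable the SELinux hooks and remove selinuxfs when the config file says disabled. With this early return the boot message disappears but the kernel is never told, so consider keeping the load_policy call for the disabled case and handling the "Can't load policy" error on the load_policy side instead. If the early return stays, a comment above the new lines should say why `disabled` from the sourced config is treated the same as `selinux=0` on the kernel command line.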