Bug 727068
Summary: | System fails to boot with selinux=0 :: mount failed for selinuxfs on /sys/fs/selinux | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikko Tiihonen <mikko.tiihonen> |
Component: | libselinux | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | unspecified |
Version: | rawhide | CC: | alekcejk, awilliam, dwalsh, harald, johannbg, kparal, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba, tbzatek, zaitcev |
Hardware: | x86_64 | OS: | Linux |
Whiteboard: | RejectedBlocker RejectedNTH | Doc Type: | Bug Fix |
Fixed In Version: | libselinux-2.1.5-5.1.fc16 | Last Closed: | 2011-09-30 19:16:11 UTC |
Description
Mikko Tiihonen
2011-08-01 09:14:08 UTC
Same issue here, maybe it's just a coincidence but specifying "enforcing=0" together with "selinux=0" made my system boot (with custom-compiled 2.6.38.2 kernel).

systemd-32-1.fc17.x86_64
libselinux-2.1.0-1.fc17.x86_64
selinux-policy-3.10.0-12.fc16.noarch

Possibly an effect of bug 726544. Do you use a dracut-generated initramfs?

(In reply to comment #2)
> Possibly an effect of bug 726544.

Looks that way.

> Do you use a dracut-generated initramfs?

Yes, just regenerated this morning.

Hmm, I think this is fixed now, could you plz try to reproduce this issue with 35-1?

I just tried systemd 35-1 from koji and the bug is still there. Kernel was 3.1.0-0.rc4.git0.0.fc16

Here is how I reproduced it:
1) make sure kernel boot parameters include selinux=0
2) make sure /etc/selinux/config has value SELINUX=enforcing (I think that is the default, might also happen on permissive)
3) reboot

Result: Startup fails with the following error message:
Mount failed for selinuxfs on /sys/fs/selinux

Is this bug the same as bug 738716 about F16 Beta LiveCD?

*** Bug 738716 has been marked as a duplicate of this bug. ***

Reproduced with systemd-35-1 on F16 Beta TC1 clean install from DVD i386.

Proposing as F16 Blocker, even though the closest criteria I could find is just: "The installed system must run normally if the user chooses to install without SELinux"
https://fedoraproject.org/wiki/Fedora_16_Final_Release_Criteria

Please make sure the fix gets also to F16 (this bug is reported against Rawhide).

Hmm, so this appears to be a bug in libselinux. If selinux=0 is passed to the kernel, then the mount point directory /sys/fs/selinux will not exist. selinux_init_load_policy() tries to mount selinuxfs on that directory, which will hence fail with ENOENT due to the missing mount point directory. In earlier versions when the file system was still mounted to /selinux the mount point dir always existed (since it was on the root disk, not in sysfs) and hence on selinux=0 ENODEV was returned when the mount was attempted. The function does check for ENODEV and handles things properly, but it doesn't do this for ENOENT.

Dan, a patch to fix this is probably very easy, just make selinux_init_load_policy() check for ENOENT in addition to ENODEV when mount() failed or something like that.

(Note that there was also a cosmetic problem in systemd here: we did not reopen the log fds after selinux_init_load_policy() failed, and the message "Failed to load SELinux policy. Freezing." we were supposed to print was hence not printed when the machine froze. This is fixed now in systemd git, will be in F16 too).

Reassigning to libselinux.

Fixed in libselinux-2.1.5-5.1.fc16

libselinux-2.1.5-5.1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.1.fc16

Discussed at the 2011-09-30 blocker review meeting. Rejected as blocker and NTH as there are simply so many workarounds (other ways to achieve the intended goal) and there's no particular release sensitivity (a post-release update would fix this well).

Anyway, the bug is fixed and the update just went stable, so closing.

libselinux-2.1.5-5.1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
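
The errno handling diagnosed in this report, as an added example that is not libselinux source and not part of the original bug thread: it models the ENODEV-only check beside the suggested ENODEV-or-ENOENT check. The function names, the result enum and the simulated mount callbacks are all hypothetical, constructed so the example runs without root or a real selinuxfs.

```c
/* Added example: models the errno handling discussed in this bug.
 * All names are hypothetical; this is not libselinux code. */
#include <errno.h>
#include <stdio.h>

enum init_result { INIT_FAILED = -1, POLICY_LOADED = 0, SELINUX_DISABLED = 1 };

/* Stand-in for mount("selinuxfs", target, "selinuxfs", 0, 0):
 * returns 0 on success, -1 with errno set on failure. */
typedef int (*mount_fn)(const char *target);

/* Constructed outcomes. The first two are what the report describes
 * for a kernel booted with selinux=0. */
static int mount_enodev(const char *t) { (void)t; errno = ENODEV; return -1; } /* old /selinux: dir exists, fs type unknown */
static int mount_enoent(const char *t) { (void)t; errno = ENOENT; return -1; } /* /sys/fs/selinux: mount point missing */
static int mount_eperm(const char *t)  { (void)t; errno = EPERM;  return -1; } /* unrelated failure */
static int mount_ok(const char *t)     { (void)t; return 0; }

/* Check as described in the report: only ENODEV means "SELinux is off". */
static enum init_result init_enodev_only(mount_fn do_mount)
{
    if (do_mount("/sys/fs/selinux") == 0)
        return POLICY_LOADED;
    return errno == ENODEV ? SELINUX_DISABLED : INIT_FAILED;
}

/* Suggested fix: a missing mount point (ENOENT) also means "SELinux is off". */
static enum init_result init_enodev_or_enoent(mount_fn do_mount)
{
    if (do_mount("/sys/fs/selinux") == 0)
        return POLICY_LOADED;
    if (errno == ENODEV || errno == ENOENT)
        return SELINUX_DISABLED;
    return INIT_FAILED; /* any other error still stops the boot */
}

int main(void)
{
    printf("ENOENT, ENODEV-only check: %d\n", init_enodev_only(mount_enoent));
    printf("ENOENT, with ENOENT check: %d\n", init_enodev_or_enoent(mount_enoent));
    printf("EPERM,  with ENOENT check: %d\n", init_enodev_or_enoent(mount_eperm));
    printf("mount succeeds:            %d\n", init_enodev_or_enoent(mount_ok));
    return 0;
}
```

Only the two errno values tied to a disabled kernel are treated as "off"; every other mount failure remains fatal, so an enforcing system does not silently continue without policy.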