Bug 727068

Summary: System fails to boot with selinux=0 :: mount failed for selinuxfs on /sys/fs/selinux
Product: [Fedora] Fedora
Reporter: Mikko Tiihonen <mikko.tiihonen>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: alekcejk, awilliam, dwalsh, harald, johannbg, kparal, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba, tbzatek, zaitcev
Hardware: x86_64
OS: Linux
Whiteboard: RejectedBlocker RejectedNTH
Fixed In Version: libselinux-2.1.5-5.1.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-30 19:16:11 UTC

Description Mikko Tiihonen 2011-08-01 09:14:08 UTC
Description of problem:
Latest rawhide on 1.8.2011 fails to boot with selinux=0

Version-Release number of selected component (if applicable):
systemd-30-1.fc16
kernel-3.1.0-0.rc0.git12.1.fc17

How reproducible:
Always. Did not occur with last week's rawhide with the 3.0.0 kernel.

Steps to Reproduce:
1. In the GRUB menu, edit the kernel command line and add selinux=0
  
Actual results:
Boot fails with error message:
Mount failed for selinuxfs on /sys/fs/selinux
Failed to load SELinux policy

Expected results:
Machine boots

Additional info:
Even providing single or emergency on the kernel command line does not help.
Only init=/bin/bash provides a working shell.

Comment 1 Tomáš Bžatek 2011-08-02 11:12:54 UTC
Same issue here, maybe it's just a coincidence but specifying "enforcing=0" together with "selinux=0" made my system boot (with custom-compiled 2.6.38.2 kernel).

systemd-32-1.fc17.x86_64
libselinux-2.1.0-1.fc17.x86_64
selinux-policy-3.10.0-12.fc16.noarch

Comment 2 Michal Schmidt 2011-08-02 11:55:53 UTC
Possibly an effect of bug 726544.
Do you use a dracut-generated initramfs?

Comment 3 Tomáš Bžatek 2011-08-02 13:09:57 UTC
(In reply to comment #2)
> Possibly an effect of bug 726544.
Looks that way.

> Do you use a dracut-generated initramfs?
Yes, just regenerated this morning.

Comment 4 Lennart Poettering 2011-09-01 00:42:34 UTC
Hmm, I think this is fixed now, could you plz try to reproduce this issue with 35-1?

Comment 5 Mikko Tiihonen 2011-09-01 06:52:56 UTC
I just tried systemd 35-1 from koji and the bug is still there.
Kernel was 3.1.0-0.rc4.git0.0.fc16

Here is how I reproduced it:
1) make sure kernel boot parameters include selinux=0
2) make sure /etc/selinux/config has value SELINUX=enforcing
   (I think that is the default, might also happen on permissive)
3) reboot

Result:
Startup fails with the following error message:

Mount failed for selinuxfs on /sys/fs/selinux

Comment 6 nucleo 2011-09-16 21:17:03 UTC
Is this bug the same as bug 738716 about F16 Beta LiveCD?

Comment 7 Harald Hoyer 2011-09-19 08:18:59 UTC
*** Bug 738716 has been marked as a duplicate of this bug. ***

Comment 8 Kamil Páral 2011-09-20 07:31:43 UTC
Reproduced with systemd-35-1 on F16 Beta TC1 clean install from DVD i386. Proposing as F16 Blocker, even though the closest criteria I could find is just:

"The installed system must run normally if the user chooses to install without SELinux"
https://fedoraproject.org/wiki/Fedora_16_Final_Release_Criteria

Please make sure the fix gets also to F16 (this bug is reported against Rawhide).

Comment 9 Lennart Poettering 2011-09-22 02:05:19 UTC
Hmm, so this appears to be a bug in libselinux. 

If selinux=0 is passed to the kernel, then the mount point directory /sys/fs/selinux will not exist. selinux_init_load_policy() tries to mount selinuxfs on that directory, which will hence fail with ENOENT due to the missing mount point directory. In earlier versions when the file system was still mounted to /selinux the mount point dir always existed (since it was on the root disk, not in sysfs) and hence on selinux=0 ENODEV was returned when the mount was attempted. The function does check for ENODEV and handles things properly, but it doesn't do this for ENOENT.

Dan, a patch to fix this is probably very easy, just make selinux_init_load_policy() check for ENOENT in addition to ENODEV when mount() failed or something like that.

(Note that there was also a cosmetic problem in systemd here: we did not reopen the log fds after selinux_init_load_policy() failed, and the message "Failed to load SELinux policy. Freezing." we were supposed to print was hence not printed when the machine froze. This is fixed now in systemd git, will be in F16 too).

Reassigning to libselinux.
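
The errno difference described in comment 9, as an added example that is not part of the original comment and is not libselinux's code: a small model of the mount outcome and of the handling before and after the suggested check. The function names, the enum and the mount model are hypothetical; the model assumes mount(2) resolves the target directory before it looks up the filesystem type.

```c
#include <errno.h>
#include <stdio.h>

enum outcome { POLICY_LOAD_CONTINUES, SELINUX_DISABLED, FATAL_MOUNT_ERROR };

/* Hypothetical model of the errno a selinuxfs mount attempt yields.
 * The target path is resolved first, so a missing mount point reports
 * ENOENT even when the filesystem type is also unavailable. */
static int model_mount_errno(int mountpoint_exists, int selinuxfs_registered)
{
    if (!mountpoint_exists)
        return ENOENT;
    if (!selinuxfs_registered)
        return ENODEV;
    return 0;
}

/* Handling as comment 9 describes it for the affected versions:
 * only ENODEV is understood as "SELinux is disabled". */
static enum outcome handle_before_fix(int err)
{
    if (err == 0) return POLICY_LOAD_CONTINUES;
    if (err == ENODEV) return SELINUX_DISABLED;
    return FATAL_MOUNT_ERROR;      /* the caller freezes the boot */
}

/* Handling with the suggested extra check for ENOENT. */
static enum outcome handle_after_fix(int err)
{
    if (err == 0) return POLICY_LOAD_CONTINUES;
    if (err == ENODEV || err == ENOENT) return SELINUX_DISABLED;
    return FATAL_MOUNT_ERROR;
}

int main(void)
{
    /* Constructed scenarios: {description, mount point exists, fs registered} */
    static const struct { const char *name; int dir, fs; } cases[] = {
        { "selinux=0, mount point /selinux (on root disk)", 1, 0 },
        { "selinux=0, mount point /sys/fs/selinux (sysfs)", 0, 0 },
        { "SELinux enabled",                                1, 1 },
    };
    static const char *label[] = { "continue", "disabled", "fatal" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = model_mount_errno(cases[i].dir, cases[i].fs);
        printf("%-50s errno=%-2d before=%-8s after=%s\n", cases[i].name, err,
               label[handle_before_fix(err)], label[handle_after_fix(err)]);
    }
    return 0;
}
```
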

Comment 10 Daniel Walsh 2011-09-22 13:42:04 UTC
Fixed in libselinux-2.1.5-5.1.fc16

Comment 11 Fedora Update System 2011-09-22 13:52:56 UTC
libselinux-2.1.5-5.1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.1.fc16

Comment 12 Adam Williamson 2011-09-30 19:16:11 UTC
Discussed at the 2011-09-30 blocker review meeting. Rejected as blocker and NTH as there are simply so many workarounds (other ways to achieve the intended goal) and there's no particular release sensitivity (a post-release update would fix this well). Anyway, the bug is fixed and the update just went stable, so closing.

Comment 13 Fedora Update System 2011-09-30 19:28:42 UTC
libselinux-2.1.5-5.1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.