Red Hat Bugzilla – Full Text Bug Listing
|Summary:||System fails to boot with selinux=0 :: mount failed for selinuxfs on /sys/fs/selinux|
|Product:||[Fedora] Fedora||Reporter:||Mikko Tiihonen <mikko.tiihonen>|
|Component:||libselinux||Assignee:||Daniel Walsh <dwalsh>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||alekcejk, awilliam, dwalsh, harald, johannbg, kparal, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba, tbzatek, zaitcev|
|Fixed In Version:||libselinux-2.1.5-5.1.fc16||Doc Type:||Bug Fix|
|Last Closed:||2011-09-30 15:16:11 EDT||Type:||---|
Description Mikko Tiihonen 2011-08-01 05:14:08 EDT
Description of problem:
Latest rawhide on 1.8.2011 fails to boot with selinux=0

Version-Release number of selected component (if applicable):
systemd-30-1.fc16
kernel-3.1.0-0.rc0.git12.1.fc17

How reproducible:
always. did not occur with last week rawhide with 3.0.0 kernel

Steps to Reproduce:
1. in grub menu edit the kernel command line and add selinux=0

Actual results:
Boot fails with error message:
Mount failed for selinuxfs on /sys/fs/selinux
Failed to load SELinux policy

Expected results:
Machine boots

Additional info:
even providing single or emergency on kernel command line does not help. Only init=/bin/bash provides a working shell
Comment 1 Tomáš Bžatek 2011-08-02 07:12:54 EDT
Same issue here, maybe it's just a coincidence but specifying "enforcing=0" together with "selinux=0" made my system boot (with custom-compiled 22.214.171.124 kernel).

systemd-32-1.fc17.x86_64
libselinux-2.1.0-1.fc17.x86_64
selinux-policy-3.10.0-12.fc16.noarch
Comment 2 Michal Schmidt 2011-08-02 07:55:53 EDT
Possibly an effect of bug 726544. Do you use a dracut-generated initramfs?
Comment 3 Tomáš Bžatek 2011-08-02 09:09:57 EDT
(In reply to comment #2)
> Possibly an effect of bug 726544.
Looks that way.
> Do you use a dracut-generated initramfs?
Yes, just regenerated this morning.
Comment 4 Lennart Poettering 2011-08-31 20:42:34 EDT
Hmm, I think this is fixed now, could you plz try to reproduce this issue with 35-1?
Comment 5 Mikko Tiihonen 2011-09-01 02:52:56 EDT
I just tried systemd 35-1 from koji and the bug is still there. Kernel was 3.1.0-0.rc4.git0.0.fc16

Here is how I reproduced it:
1) make sure kernel boot parameters include selinux=0
2) make sure /etc/selinux/config has value SELINUX=enforcing (I think that is the default, might also happen on permissive)
3) reboot

Result: Startup fails with the following error message:
Mount failed for selinuxfs on /sys/fs/selinux
Comment 7 Harald Hoyer 2011-09-19 04:18:59 EDT
*** Bug 738716 has been marked as a duplicate of this bug. ***
Comment 8 Kamil Páral 2011-09-20 03:31:43 EDT
Reproduced with systemd-35-1 on F16 Beta TC1 clean install from DVD i386.

Proposing as F16 Blocker, even though the closest criteria I could find is just:
"The installed system must run normally if the user chooses to install without SELinux"
https://fedoraproject.org/wiki/Fedora_16_Final_Release_Criteria

Please make sure the fix gets also to F16 (this bug is reported against Rawhide).
Comment 9 Lennart Poettering 2011-09-21 22:05:19 EDT
Hmm, so this appears to be a bug in libselinux. If selinux=0 is passed to the kernel, then the mount point directory /sys/fs/selinux will not exist. selinux_init_load_policy() tries to mount selinuxfs on that directory, which will hence fail with ENOENT due to the missing mount point directory. In earlier versions when the file system was still mounted to /selinux the mount point dir always existed (since it was on the root disk, not in sysfs) and hence on selinux=0 ENODEV was returned when the mount was attempted. The function does check for ENODEV and handles things properly, but it doesn't do this for ENOENT.

Dan, a patch to fix this is probably very easy, just make selinux_init_load_policy() check for ENOENT in addition to ENODEV when mount() failed or something like that.

(Note that there was also a cosmetic problem in systemd here: we did not reopen the log fds after selinux_init_load_policy() failed, and the message "Failed to load SELinux policy. Freezing." we were supposed to print was hence not printed when the machine froze. This is fixed now in systemd git, will be in F16 too).

Reassigning to libselinux.
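
The errno handling described in comment 9, modelled as an added example that is not part of the bug thread and is not libselinux code. The `boot_state` struct, `fake_mount_selinuxfs()` and `init_load_policy()` are hypothetical stand-ins for the kernel state, mount(2) and selinux_init_load_policy(); they only reproduce the ENODEV/ENOENT behaviour the comment describes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the boot state that matters for this bug. */
struct boot_state {
    int selinux_enabled;    /* 0 when booted with selinux=0 */
    const char *mountpoint; /* "/selinux" (old) or "/sys/fs/selinux" (new) */
};

/* Hypothetical stand-in for mount(2): returns 0, or -1 with errno set.
 * With selinux=0, /sys/fs/selinux does not exist, so the mount fails with
 * ENOENT; /selinux is on the root disk and always exists, so the failure
 * there is ENODEV (selinuxfs is not available). */
static int fake_mount_selinuxfs(const struct boot_state *s)
{
    if (!s->selinux_enabled) {
        errno = strcmp(s->mountpoint, "/sys/fs/selinux") == 0 ? ENOENT : ENODEV;
        return -1;
    }
    return 0;
}

enum outcome { POLICY_MOUNTED, SELINUX_DISABLED, FATAL };

/* accept_enoent = 0: the check as reported (ENODEV only).
 * accept_enoent = 1: the suggested fix (ENODEV or ENOENT). */
static enum outcome init_load_policy(const struct boot_state *s, int accept_enoent)
{
    if (fake_mount_selinuxfs(s) == 0)
        return POLICY_MOUNTED;
    if (errno == ENODEV || (accept_enoent && errno == ENOENT))
        return SELINUX_DISABLED;  /* not an error: boot continues without SELinux */
    return FATAL;                 /* caller treats this as a failed policy load */
}

int main(void)
{
    struct boot_state old_path = { 0, "/selinux" };
    struct boot_state new_path = { 0, "/sys/fs/selinux" };
    printf("/selinux, ENODEV-only check:        %d\n", init_load_policy(&old_path, 0));
    printf("/sys/fs/selinux, ENODEV-only check: %d\n", init_load_policy(&new_path, 0));
    printf("/sys/fs/selinux, with ENOENT check: %d\n", init_load_policy(&new_path, 1));
    return 0;
}
```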
Comment 10 Daniel Walsh 2011-09-22 09:42:04 EDT
Fixed in libselinux-2.1.5-5.1.fc16
Comment 11 Fedora Update System 2011-09-22 09:52:56 EDT
libselinux-2.1.5-5.1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.1.fc16
Comment 12 Adam Williamson 2011-09-30 15:16:11 EDT
Discussed at the 2011-09-30 blocker review meeting. Rejected as blocker and NTH as there are simply so many workarounds (other ways to achieve the intended goal) and there's no particular release sensitivity (a post-release update would fix this well). Anyway, the bug is fixed and the update just went stable, so closing.
Comment 13 Fedora Update System 2011-09-30 15:28:42 EDT
libselinux-2.1.5-5.1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.