Bug 1170665 - system does not boot if selinux config file is malformed
Summary: system does not boot if selinux config file is malformed
Keywords:
Status: CLOSED DUPLICATE of bug 1155468
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 21
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-04 15:03 UTC by jiri vanek
Modified: 2014-12-05 14:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-12-05 14:45:06 UTC
Type: Bug
Embargoed:



Description jiri vanek 2014-12-04 15:03:38 UTC
Description of problem:
When /etc/selinux/config contains an invalid value, the system does not boot and hangs on "switching root"

Version-Release number of selected component (if applicable):
tested on f21 and rawhide

How reproducible:
always

Steps to Reproduce:
1. edit /etc/selinux/config ; put any typo to values:
something like:
SELINUX=disable (instead of SELINUX=disabled)
or overlook like:
SELINUXTYPE=disabled (instead of targeted)
2. reboot

Actual results:
you are stuck, and need to boot from live disk, find error (and with message "switching roots" it's quite hard to find a cause),

Expected results:
- proper error message like "selinux can not be started" or better "unknown $1 in /etc/selinux/config. expected $2"
- boot at least to init 1, with highest and most restricting selinux policies



Additional info:

Not sure if systemd is guilty. Feel free to move to different component (but component is not selinux)

Comment 1 Zbigniew Jędrzejewski-Szmek 2014-12-05 14:23:41 UTC
This is by design. If selinux is in enforcing mode, and systemd cannot initialize selinux, it freezes, effectively hanging the machine. Recently we have pushed some fixes upstream to make sure that a message is printed on the console (http://cgit.freedesktop.org/systemd/systemd/commit/?id=cb6531bee6, https://bugzilla.redhat.com/show_bug.cgi?id=1155468). I know current behaviour is harsh, but on the other hand, that's the selinux philosophy.

Comment 2 jiri vanek 2014-12-05 14:30:58 UTC
ok. I can understand this, but note - my selinux is not in enforcing mode, it is in undefined mode.

I would be happy to boot to enforcing mode in this case...

I don't know how:

SELINUX=disabled|targeted
SELINUXTYPE=some_typo

config is working. But according to your reply in this case it should work.
So why not to start in enforcing/targeted if even SELINUX is malformed?

Although I must disagree with non-booting as default, this is candidate to close-duplicate 1155468 anyway...



> If selinux is in enforcing mode, and systemd cannot initialize selinux

Well, selinux can not be in enforcing mode if it is not initialized... What am I missing?

Comment 3 Zbigniew Jędrzejewski-Szmek 2014-12-05 14:40:54 UTC
It is assumed to be in enforcing mode, unless otherwise configured. enforcing=0 or something else on the kernel commandline will of course make it non-enforcing. Systemd simply calls selinux_init_load_policy() and if that errors out, init is frozen.

Comment 4 jiri vanek 2014-12-05 14:45:06 UTC
Ok. Thanks for explanations. Reading 1155468 .. probably nothing more to be done. Looking forward to have those messages in living packages!

*** This bug has been marked as a duplicate of bug 1155468 ***
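
A check run before rebooting catches both typos from the description (`SELINUX=disable`, `SELINUXTYPE=disabled`). This is an added example, not part of the original report or of systemd/libselinux. `check_selinux_config` is a hypothetical helper name, and the check assumes the usual layout where a binary policy lives at `/etc/selinux/<SELINUXTYPE>/policy/policy.<version>`.

```shell
#!/bin/sh
# Added example: sanity-check an SELinux config file before rebooting.
# check_selinux_config is a hypothetical helper, not a distribution tool.
# usage: check_selinux_config [config-file] [policy-root]
# returns 0 = looks valid, 1 = bad value(s), 2 = file unreadable
check_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    root=${2:-/etc/selinux}      # assumption: policies live in $root/<type>/policy/
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Value of the last uncommented KEY= line, CR and trailing blanks stripped.
    get() {
        sed -n "s/^[[:space:]]*$1=//p" "$cfg" |
            tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
    }
    mode=$(get SELINUX)
    ptype=$(get SELINUXTYPE)

    # Strict check: only the three documented lowercase values pass.
    case $mode in
        enforcing|permissive|disabled) ;;
        '') echo "$cfg: SELINUX is not set" >&2; rc=1 ;;
        *)  echo "$cfg: unknown SELINUX='$mode'," \
                 "expected enforcing, permissive or disabled" >&2; rc=1 ;;
    esac

    # SELINUXTYPE names a policy directory; a binary policy must exist in it.
    if [ -z "$ptype" ]; then
        echo "$cfg: SELINUXTYPE is not set" >&2; rc=1
    elif ! ls "$root/$ptype/policy/policy."* >/dev/null 2>&1; then
        echo "$cfg: SELINUXTYPE='$ptype' has no policy under" \
             "$root/$ptype/policy" >&2; rc=1
    fi
    return $rc
}
```

Source the file and call `check_selinux_config` with no arguments to test the live `/etc/selinux/config`; a non-zero return means the file should be fixed before the next reboot.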

