Bug 119981 - kernel panic after installing policy 1.9.2-9
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Whiteboard: triage|leonardjo|closed|rawhide
Keywords: SELinux
Duplicates: 120048
Depends On:
Reported: 2004-04-04 16:39 UTC by Gene Czarcinski
Modified: 2007-11-30 22:10 UTC

Clone Of:
Last Closed: 2004-05-10 17:24:14 UTC

Description Gene Czarcinski 2004-04-04 16:39:13 UTC
Description of problem:

After installing policy/policy-sources 1.9.2-9 and policycoreutils
1.9.2-1 I rebooted.  The system could not load (find) the policy
and did a kernel panic.  Rebooting with enforcing=0 completed the reboot.

The first occurrence was on an ix86 (smp P-III) system.  I then repeated
(as a test) on an x86_64 system with the same policy updates installed
and it also could not load/find the policy.  Reboot enforcing=0 went OK.

I then went back to the first system (runlevel 3 boot) and did:

cd /etc/security/selinux/src/policy/
make load

... load worked fine ..

system seems to be OK

setenforce 1

... all hell breaks loose ...
... flood of console avc messages ... cannot ctl-alt-delete ...
... hardware reset ...

Comment 1 Gene Czarcinski 2004-04-04 16:45:14 UTC
One other thing -- I did notice that policy-1.9.2-9 had the file
"/etc/security/selinux/policy." whereas previous ones were of the form

How does the system know (where is it specified) as to what the file
name of the policy is?

Comment 2 Gene Czarcinski 2004-04-04 20:26:25 UTC
OK, now I tried something else on one of the systems (the x86_64).

Manually, I did rpm -Uvh --oldpackage for the previous versions of
policy, policy-sources, and policycoreutils.

I noticed that some files (file_contexts) are being installed "rpmnew"

I then rebooted enforcing=0
I then ran "make reload" and "make relabel"

reboot and try again ... things still not quite right.

I then did make -C /etc/security/selinux/src/policy load

This updated file_contexts.

I then rebooted enforcing=1

Looking the best so far but things still looked screwed up.

I decided to install the src.rpm for setools to see if I could see
what was wrong on the x86_64 (installed into private/local rpm build
tree).  When I did rpm -Uvh, I got lots and lots of messages of the
form on the user's terminal window:

/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_home_t on line number 1742
/etc/security/selinux/file_contexts:  invalid context
root:object_r:httpd_staff_content_t on line number 1743
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_gpg_secret_t on line number 1744
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_home_irc_t on line number 1745
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_mozilla_rw_t on line number 1746
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_mozilla_rw_t on line number 1747
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_home_screen_t on line number 1748
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_home_ssh_t on line number 1749
/etc/security/selinux/file_contexts:  invalid context
root:object_r:staff_home_xauth_t on line number 1750
/etc/security/selinux/file_contexts:  invalid context
system_u:object_r:default_context_t on line number 1751
/etc/security/selinux/file_contexts:  invalid context
system_u:object_r:amanda_recover_dir_t on line number 1752


Without completely reinstalling the system again (which I will do if
necessary), how do I go about completely getting rid of the current
stuff relating to selinux policy and then install stuff and try again?

It appears to me that things have gotten "confused" and I need to
start over.

Comment 3 Miloš Komarčević 2004-04-05 10:13:03 UTC
I had the same problem which I solved by booting with enforcing=0 and
renaming /etc/security/selinux/policy. to /etc/security/selinux/policy.16
Reboot, relabel, reboot (this spiel is getting old fast btw,
especially on my PII) and things work ok for now.
I guess this was a packaging error?

Comment 4 Daniel Walsh 2004-04-05 13:50:15 UTC
Yes, a package error.  The Makefile is trying to read policyver from
the kernel.  Problem is on the build machine it can not. So instead of
getting the correct version number it put in "".

Fixed in policy-1.9.2-11

The policy number is generated within checkpolicy and the kernel.
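
Added example (not part of the original bug thread and not the policy package's Makefile): a fail-closed way to derive the binary policy file name, so that an unreadable or empty version aborts the build instead of yielding `policy.`, plus a check for an already-installed file with a bad suffix. The function names and the version-file argument are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# policy_filename VERSION_FILE
# Prints "policy.N" where N is the number read from VERSION_FILE (hypothetical
# argument: whatever source the build uses for the policy version).
# Fails instead of substituting "" when the version cannot be read.
policy_filename() {
    src=$1
    [ -r "$src" ] || { echo "cannot read policy version from $src" >&2; return 1; }
    ver=$(tr -d ' \t\r\n' < "$src")
    case $ver in
        ''|*[!0-9]*) echo "invalid policy version '$ver' in $src" >&2; return 1 ;;
    esac
    printf 'policy.%s\n' "$ver"
}

# check_policy_names DIR
# Returns non-zero if DIR holds a policy.* file whose suffix is empty or
# non-numeric, e.g. the "policy." file described in this bug.
check_policy_names() {
    dir=$1
    bad=0
    for f in "$dir"/policy.*; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=${f##*/}
        suffix=${base#policy.}
        case $suffix in
            ''|*[!0-9]*) echo "malformed policy file name: $f" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed demo input: one readable version file and one empty one.
demo=$(mktemp -d)
printf '16\n' > "$demo/policyvers"
: > "$demo/empty"
policy_filename "$demo/policyvers"       # policy.16
policy_filename "$demo/empty" || echo "build stopped instead of shipping 'policy.'"
rm -rf "$demo"
```
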

Comment 5 Gene Czarcinski 2004-04-05 14:10:43 UTC
I suggest you take a good look at what is happening when you try to
build the policy rpms.  Try running the build as a regular (no priv)
user ... I did that in a local/private build tree and got lots of
errors ... including where the build was trying to access

I believe there needs to be some deep thinking as to how the policy
rpms are built  ... maybe there is no good way to have a run-only
policy rpm.  Maybe there must only be a policy-sources rpm which then
builds and installs the policy on the running system.

Comment 6 Aleksey Nogin 2004-04-05 16:32:20 UTC
> Maybe there must only be a policy-sources rpm which then
> builds and installs the policy on the running system.

Yes, that's what I was thinking too (see also bug 118604).

Comment 7 Gene Czarcinski 2004-04-05 17:14:18 UTC
tradeoff, tradeoffs ... see discussion on fedora-selinux-list.

Comment 8 Brandon Petersen 2004-04-05 18:48:13 UTC
*** Bug 120048 has been marked as a duplicate of this bug. ***