Bug 1219045 - changes to is_selinux_enabled() renders machines unbootable which never had selinux installed or active
Summary: changes to is_selinux_enabled() renders machines unbootable which never had s...
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-05-06 13:29 UTC by Kay Sievers
Modified: 2015-07-29 01:57 UTC (History)
4 users (show)

Fixed In Version: libselinux-2.3-10.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-06-01 17:01:12 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1243168 0 unspecified CLOSED Entire system mislabelled on fresh Rawhide install 2021-02-22 00:41:40 UTC

Internal Links: 1243168

Description Kay Sievers 2015-05-06 13:29:12 UTC
Recent changes to libselinux return selinux == enabled on systems which never
used selinux and do not have any selinux tools or configuration for it.

The D-Bus daemon fails to start with:
  dbus-daemon[428]: Failed to set up security class mapping
                    (selinux_set_mapping():Invalid argument).
  dbus[428]: [system] SELinux enabled but D-Bus initialization failed;
             check system log

It might be caused by:

Please return to the former behavior or fine-tune the check. 
must not return true, when it is not even possible to enable selinux on the machine, but only libselinux is installed by dependencies. Thanks!

Comment 1 Petr Lautrbach 2015-05-11 13:34:56 UTC
The policy type is set to targeted and the mode is set to permissive when a system is running with SELinux enabled kernel (Fedora default) without /etc/selinux/config file or when there's no SELinux kernel command line option.

If you don't use SELinux, use 'selinux=0' on kernel command line or 'SELINUX=disabled' in /etc/selinux/config

Comment 2 Petr Lautrbach 2015-05-12 16:18:51 UTC
libselinux will be adjusted to check of existence of /etc/selinux/config file, see [1]. If there's /etc/selinux/config file, it's expected that at least selinux-policy is installed and SELinux is considered as enabled. Without /etc/selinux/config file, is_selinux_enabled() will return false.

[1] https://github.com/SELinuxProject/selinux/commit/c08c4eacab8d55598b9e5caaef8a871a7a476cab

It's still recommended to use selinux=0 in kernel command line or SELINUX=disabled in /etc/selinux/config when users don't want to use any SELinux policy. It would stop all of the SELinux hook call overhead in the kernel.

Comment 3 Fedora Update System 2015-05-25 08:43:37 UTC
libselinux-2.3-10.fc22 has been submitted as an update for Fedora 22.

Comment 4 Fedora Update System 2015-05-25 08:43:59 UTC
libselinux-2.3-10.fc21 has been submitted as an update for Fedora 21.

Comment 5 Fedora Update System 2015-05-27 16:10:16 UTC
Package libselinux-2.3-10.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.3-10.fc22'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-06-01 17:01:12 UTC
libselinux-2.3-10.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Adam Williamson 2015-07-15 00:37:45 UTC
This change caused a major problem for 23 / Rawhide: since it landed, fresh Rawhide installs from traditional installer images (i.e. boot.iso) are completely broken. See https://bugzilla.redhat.com/show_bug.cgi?id=1243168 .

Comment 8 Fedora Update System 2015-07-29 01:57:04 UTC
libselinux-2.3-10.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.