Bug 659076 - dracut attempts to load_policy with SELinux=disabled
Summary: dracut attempts to load_policy with SELinux=disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Harald Hoyer
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks: 743047 750594
 
Reported: 2010-12-01 20:55 UTC by John Ruemker
Modified: 2018-11-26 18:42 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 750594
Environment:
Last Closed: 2011-12-06 16:41:27 UTC
Target Upstream Version:


Attachments


Links
Red Hat Product Errata RHBA-2011:1521 (priority normal, status SHIPPED_LIVE): dracut bug fix and enhancement update, last updated 2011-12-06 00:50:19 UTC
Red Hat Knowledge Base (Legacy) 43355 (no priority, status or summary recorded), last updated: never

Description John Ruemker 2010-12-01 20:55:16 UTC
Description of problem: When booting with SELinux=disabled in /etc/sysconfig/selinux (but without specifying selinux=0 on the kernel cmdline), dracut still attempts to run load_policy in pre-pivot/50selinux-loadpolicy.sh which throws an error:

 dracut: /sbin/load_policy: Can't load policy: No such file or directory

50selinux-loadpolicy.sh already checks if selinux=0 was a kernel parameter, and could be easily modified to also check the config file.  This worked for me:

rd_load_policy()
{
    # If SELinux is disabled exit now
    getarg "selinux=0" > /dev/null && return 0

    SELINUX="enforcing"
    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"

+    if [ "$SELINUX" = "disabled" ]; then
+        return 0
+    fi


    # Check whether SELinux is in permissive mode
    permissive=0
    getarg "enforcing=0" > /dev/null
    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
        permissive=1
    fi
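
Review bot: the early `return 0` added on `"$SELINUX" = "disabled"` (the three `+` lines) skips load_policy entirely for a config-disabled system, yet load_policy is the step that tells the kernel SELinux is disabled (comment 2), so with this change the kernel keeps its SELinux hooks and selinuxfs registered while the log merely goes quiet; the "Can't load policy" message for that case belongs to load_policy itself (comment 3, bug 624223), not to a skip here. Separately, the value being tested comes from `. "$NEWROOT/etc/selinux/config"`, which sources the file from the not-yet-pivoted root and so executes any other shell it contains in the initramfs; if a config check is kept at all, extracting the SELINUX= line with sed or grep would be safer than sourcing.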

This is a low impact issue but it produces an error that may concern users (as it did for my customer). 

Version-Release number of selected component (if applicable): dracut-004-33.el6_0.noarch

How reproducible: Always

Steps to Reproduce:
1. Set SELINUX=disabled in /etc/sysconfig/selinux
2. Reboot
  
Actual results: Error on boot

Expected results: No errors

Comment 2 Harald Hoyer 2010-12-02 10:30:12 UTC
If SELinux is disabled via the config file, the load_policy command actually
tells the kernel about this, and allows the kernel to disable the SELinux
kernel hooks from the system.  Removes selinuxfs from /proc/filesystems for
example.

If load_policy is never executed the kernel never gets told to remove the
SELinux subsystem.
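
The decision comment 2 describes, as an added example that is not dracut's own code: only selinux=0 on the kernel command line skips load_policy, while a config file saying SELINUX=disabled still results in a load_policy run so the kernel is told to drop its hooks. The function names (selinux_mode, selinuxfs_registered), the sed parse in place of sourcing the config, and the sample config and /proc/filesystems contents are this example's own assumptions and constructed inputs, not anything from the bug or the package.

```shell
#!/bin/sh
# Added example, not dracut's own code: the decision 50selinux-loadpolicy.sh
# has to make, written to follow comment 2. Only selinux=0 on the kernel
# command line skips load_policy; a config file saying SELINUX=disabled must
# still reach load_policy, because that call is what tells the kernel to drop
# its SELinux hooks (and selinuxfs). Names and sample inputs are assumptions.

# has_arg CMDLINE WORD: true if WORD appears as a whole word on the command line
has_arg() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# read_config_mode FILE: extract the SELINUX= value without sourcing the file.
# dracut sources it, which executes whatever shell the root filesystem holds;
# a sed parse takes only the last SELINUX= assignment.
read_config_mode() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_mode CMDLINE CONFIG: prints skip, disabled, permissive or enforcing.
# Anything but "skip" means load_policy should still be run.
selinux_mode() {
    cmdline=$1
    config=$2

    if has_arg "$cmdline" "selinux=0"; then
        echo skip
        return 0
    fi

    mode=$(read_config_mode "$config")
    case "$mode" in
        disabled)
            echo disabled ;;
        permissive)
            echo permissive ;;
        enforcing|"")
            # Missing or enforcing config: enforcing=0 on the command line
            # downgrades to permissive, as the getarg check in the script does.
            if has_arg "$cmdline" "enforcing=0"; then
                echo permissive
            else
                echo enforcing
            fi ;;
        *)
            # Unknown value: fail closed rather than guess.
            echo enforcing ;;
    esac
}

# selinuxfs_registered FILE: post-boot check, FILE is normally /proc/filesystems.
# Returns 0 if the kernel still lists selinuxfs. Per comment 2, a load_policy
# run with SELINUX=disabled removes that entry, so finding it after a
# "disabled" boot means the kernel was never told.
selinuxfs_registered() {
    grep -q '[[:space:]]selinuxfs$' "$1"
}

# Constructed sample inputs so this runs stand-alone (not real system files).
tmp=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
printf 'nodev\tsysfs\nnodev\tselinuxfs\n\text4\n' > "$tmp/filesystems"

echo "selinux=0 on cmdline:   $(selinux_mode 'ro root=/dev/sda2 selinux=0' "$tmp/config")"
echo "config only (disabled): $(selinux_mode 'ro root=/dev/sda2' "$tmp/config")"
echo "enforcing=0, no config: $(selinux_mode 'ro root=/dev/sda2 enforcing=0' "$tmp/missing")"
if selinuxfs_registered "$tmp/filesystems"; then
    echo "selinuxfs still registered: kernel was not told SELinux is disabled"
fi
rm -rf "$tmp"
```

After a boot with SELINUX=disabled in the config, running the selinuxfs_registered check against the real /proc/filesystems is the practical way to tell whether load_policy actually reached the kernel, independent of what the dracut log says.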

Comment 3 Harald Hoyer 2010-12-02 10:31:03 UTC
but load_policy needs to be fixed:

https://bugzilla.redhat.com/show_bug.cgi?id=624223#c31

Comment 5 Daniel Walsh 2010-12-02 14:42:31 UTC
Miroslav can you back port the load_policy from Rawhide to RHEL6.

Comment 8 Daniel Walsh 2011-03-15 16:23:03 UTC
Fixed in policycoreutils-2.0.83-33.3.el6

Comment 24 Daniel Walsh 2011-09-07 17:55:42 UTC
Looks good.

Comment 27 Alexander Todorov 2011-09-20 14:39:30 UTC
Not seeing:

dracut: Loading SELinux policy
dracut: /sbin/load_policy: Can't load policy: No such file or directory


in dracut-004-235.el6.noarch

Comment 34 Harald Hoyer 2011-11-01 09:48:22 UTC
# cat /etc/selinux/config | egrep '^SELINUX'
SELINUX=disabled

# dmesg|fgrep dracut
dracut: dracut-004-254.el6
dracut: Starting plymouth daemon
dracut: Scanning devices sda2  for LVM logical volumes VolGroup01/LogVol00 
dracut: inactive '/dev/VolGroup01/LogVol00' [8.53 GiB] inherit
dracut: inactive '/dev/VolGroup01/LogVol01' [1.00 GiB] inherit
dracut: Mounted root filesystem /dev/mapper/VolGroup01-LogVol00
dracut: /sbin/load_policy: Can't load policy: No such file or directory
dracut: Switching root


No "dracut: Loading SELinux policy" present.... WORKSFORME

Comment 35 Miroslav Grepl 2011-11-01 14:02:31 UTC
Yes, I see it also.

Comment 38 errata-xmlrpc 2011-12-06 16:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1521.html

