Bug 659076 - dracut attempts to load_policy with SELinux=disabled
Summary: dracut attempts to load_policy with SELinux=disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Harald Hoyer
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks: 743047 750594
Reported: 2010-12-01 20:55 UTC by John Ruemker
Modified: 2018-11-26 18:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 750594 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:41:27 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Legacy) | 43355 | 0 | None | None | None | Never
Red Hat Product Errata | RHBA-2011:1521 | 0 | normal | SHIPPED_LIVE | dracut bug fix and enhancement update | 2011-12-06 00:50:19 UTC

Description John Ruemker 2010-12-01 20:55:16 UTC
Description of problem: When booting with SELinux=disabled in /etc/sysconfig/selinux (but without specifying selinux=0 on the kernel cmdline), dracut still attempts to run load_policy in pre-pivot/50selinux-loadpolicy.sh which throws an error:

 dracut: /sbin/load_policy: Can't load policy: No such file or directory

50selinux-loadpolicy.sh already checks if selinux=0 was a kernel parameter, and could be easily modified to also check the config file.  This worked for me:

rd_load_policy()
{
    # If SELinux is disabled exit now
    getarg "selinux=0" > /dev/null && return 0

    SELINUX="enforcing"
    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"

+    if [ "$SELINUX" = "disabled" ]; then
+        return 0
+    fi


    # Check whether SELinux is in permissive mode
    permissive=0
    getarg "enforcing=0" > /dev/null
    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
        permissive=1
    fi
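
Review bot: the "return 0" added for SELINUX=disabled exits rd_load_policy before load_policy runs, which treats the config-file case the same as selinux=0 on the kernel command line even though the two differ at this point in boot: with selinux=0 the kernel has already left SELinux off, while a setting read from $NEWROOT/etc/selinux/config is so far known only to userspace. Comment 2 on this bug explains that load_policy is the step that tells the kernel to disable its SELinux hooks. Rather than returning early, keep the load_policy call for the disabled case and deal with the "Can't load policy" message there (or in load_policy itself), and put a comment above the check saying why the call has to stay.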

This is a low impact issue but it produces an error that may concern users (as it did for my customer). 

Version-Release number of selected component (if applicable): dracut-004-33.el6_0.noarch

How reproducible: Always

Steps to Reproduce:
1. Set SELINUX=disabled in /etc/sysconfig/selinux
2. Reboot
  
Actual results: Error on boot

Expected results: No errors

Comment 2 Harald Hoyer 2010-12-02 10:30:12 UTC
If SELinux is disabled via the config file, the load_policy command actually
tells the kernel about this, and allows the kernel to disable the SELinux
kernel hooks from the system. It removes selinuxfs from /proc/filesystems, for
example.

If load_policy is never executed the kernel never gets told to remove the
SELinux subsystem.
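
An added example, not part of the bug report or of dracut: a check that separates the cases this thread distinguishes, namely selinux=0 on the kernel command line, SELINUX=disabled in the config with selinuxfs gone from /proc/filesystems, and SELINUX=disabled in the config while the kernel still lists selinuxfs. The function names, result labels and sample inputs are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are file paths so the check runs on samples or live files:
#   $1 SELinux config, $2 kernel command line, $3 filesystem list (/proc/filesystems)
selinux_boot_state() {
    config=$1 cmdline=$2 fslist=$3

    # Read SELINUX= without sourcing the file; SELINUXTYPE= and comments do not match.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$config" 2>/dev/null | tail -n 1)
    [ -n "$mode" ] || mode=enforcing    # same default as the hook quoted above

    # selinux=0 on the command line: the case the hook already short-circuits.
    if tr ' ' '\n' < "$cmdline" | grep -qx 'selinux=0'; then
        echo "disabled-by-cmdline"
        return 0
    fi

    # Comment 2: once the kernel has disabled SELinux, selinuxfs is no longer listed.
    if grep -q '[[:space:]]selinuxfs$' "$fslist"; then registered=1; else registered=0; fi

    case "$mode:$registered" in
        disabled:0) echo "disabled-by-config" ;;
        disabled:1) echo "config-disabled-but-kernel-active" ;;
        *:1)        echo "$mode" ;;
        *:0)        echo "config-$mode-but-selinuxfs-missing" ;;
    esac
}

# Helper for constructed samples (assumed values, not captured from a real host).
# $1 config text, $2 cmdline text, $3 filesystem list with \t and \n escapes
classify_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$d/config"
    printf '%s\n' "$2" > "$d/cmdline"
    printf '%b\n' "$3" > "$d/filesystems"
    selinux_boot_state "$d/config" "$d/cmdline" "$d/filesystems"
    rm -rf "$d"
}

classify_sample 'SELINUX=disabled' 'ro root=/dev/sda2' 'nodev\tproc\n\text4'
classify_sample 'SELINUX=disabled' 'ro root=/dev/sda2' 'nodev\tselinuxfs\n\text4'
classify_sample 'SELINUX=enforcing' 'ro root=/dev/sda2 selinux=0' 'nodev\tproc\n\text4'
```

On a running system the same function can be called as selinux_boot_state /etc/selinux/config /proc/cmdline /proc/filesystems.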

Comment 3 Harald Hoyer 2010-12-02 10:31:03 UTC
But load_policy needs to be fixed:

https://bugzilla.redhat.com/show_bug.cgi?id=624223#c31

Comment 5 Daniel Walsh 2010-12-02 14:42:31 UTC
Miroslav, can you backport the load_policy from Rawhide to RHEL6?

Comment 8 Daniel Walsh 2011-03-15 16:23:03 UTC
Fixed in policycoreutils-2.0.83-33.3.el6

Comment 24 Daniel Walsh 2011-09-07 17:55:42 UTC
Looks good.

Comment 27 Alexander Todorov 2011-09-20 14:39:30 UTC
Not seeing:

dracut: Loading SELinux policy
dracut: /sbin/load_policy: Can't load policy: No such file or directory


in dracut-004-235.el6.noarch

Comment 34 Harald Hoyer 2011-11-01 09:48:22 UTC
# cat /etc/selinux/config | egrep '^SELINUX'
SELINUX=disabled

# dmesg|fgrep dracut
dracut: dracut-004-254.el6
dracut: Starting plymouth daemon
dracut: Scanning devices sda2  for LVM logical volumes VolGroup01/LogVol00 
dracut: inactive '/dev/VolGroup01/LogVol00' [8.53 GiB] inherit
dracut: inactive '/dev/VolGroup01/LogVol01' [1.00 GiB] inherit
dracut: Mounted root filesystem /dev/mapper/VolGroup01-LogVol00
dracut: /sbin/load_policy: Can't load policy: No such file or directory
dracut: Switching root


No "dracut: Loading SELinux policy" present.... WORKSFORME

Comment 35 Miroslav Grepl 2011-11-01 14:02:31 UTC
Yes, I see it also.

Comment 38 errata-xmlrpc 2011-12-06 16:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1521.html

