Description of problem:
When booting with SELinux=disabled in /etc/sysconfig/selinux (but without specifying selinux=0 on the kernel cmdline), dracut still attempts to run load_policy in pre-pivot/50selinux-loadpolicy.sh which throws an error:

dracut: /sbin/load_policy: Can't load policy: No such file or directory

50selinux-loadpolicy.sh already checks if selinux=0 was a kernel parameter, and could be easily modified to also check the config file. This worked for me:

rd_load_policy() { # If SELinux is disabled exit now getarg "selinux=0" > /dev/null && return 0 SELINUX="enforcing" [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" + if [ "$SELINUX" = "disabled" ]; then + return 0 + fi # Check whether SELinux is in permissive mode permissive=0 getarg "enforcing=0" > /dev/null if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then permissive=1 fi

This is a low impact issue but it produces an error that may concern users (as it did for my customer).

Version-Release number of selected component (if applicable):
dracut-004-33.el6_0.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set SELINUX=disabled in /etc/sysconfig/selinux
2. Reboot

Actual results:
Error on boot

Expected results:
No errors
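Review bot: The added test on "$SELINUX" = "disabled" returns 0 before load_policy is ever invoked, so the config-file case is handled exactly like selinux=0 even though the kernel was not booted with that parameter. The follow-up comment in this report states that load_policy is the call that tells the kernel to disable its SELinux hooks when the config file says disabled, so with this early return that step never happens. Rather than returning here, keep the load_policy call and deal with the "Can't load policy" message where it is produced. If the early return is kept anyway, give the new test its own comment, because the existing "# If SELinux is disabled exit now" sits above the getarg line and reads as covering only the kernel parameter.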
If SELinux is disabled via the config file, the load_policy command actually tells the kernel about this, and allows the kernel to disable the SELinux kernel hooks from the system. Removes selinuxfs from /proc/filesystems for example. If load_policy is never executed the kernel never gets told to remove the SELinux subsystem.
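The condition described in the comment above (config says disabled, but the kernel was never told, so selinuxfs stays registered) can be checked on a booted system. This is an added example, not code from this report or from dracut; the function names and state labels are hypothetical, and it assumes an unquoted SELINUX= value.

```shell
#!/bin/sh
# Added example: compare the configured SELinux mode with what the kernel exposes.
# Function names and the printed state labels are hypothetical.

# Print the SELINUX= value from a config file, or "unknown".
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # The last assignment wins, as it does when the file is sourced.
    # SELINUXTYPE= does not match. Assumes an unquoted value.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unknown}"
}

# Succeed if the kernel still lists selinuxfs as a registered filesystem.
kernel_has_selinuxfs() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}" 2>/dev/null
}

# Print one of: mismatch, disabled-clean, enabled, kernel-off, unknown.
selinux_boot_state() {
    mode=$(selinux_config_mode "${1:-}")
    if kernel_has_selinuxfs "${2:-}"; then registered=yes; else registered=no; fi
    case "$mode:$registered" in
        disabled:yes) echo mismatch ;;       # config disabled, kernel never told
        disabled:no)  echo disabled-clean ;; # hooks removed, selinuxfs gone
        unknown:*)    echo unknown ;;        # config missing or unparsable
        *:yes)        echo enabled ;;        # enforcing or permissive
        *:no)         echo kernel-off ;;     # e.g. booted with selinux=0
    esac
}

# Defaults to /etc/selinux/config and /proc/filesystems when run without arguments.
selinux_boot_state "$@"
```

A result of mismatch after boot is the state the comment warns about: SELINUX=disabled in the config while the kernel still lists selinuxfs.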
but load_policy needs to be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=624223#c31
Miroslav, can you backport the load_policy from Rawhide to RHEL6?
Fixed in policycoreutils-2.0.83-33.3.el6
Looks good.
Not seeing:

dracut: Loading SELinux policy
dracut: /sbin/load_policy: Can't load policy: No such file or directory

in dracut-004-235.el6.noarch
# cat /etc/selinux/config | egrep '^SELINUX'
SELINUX=disabled
# dmesg|fgrep dracut
dracut: dracut-004-254.el6
dracut: Starting plymouth daemon
dracut: Scanning devices sda2 for LVM logical volumes VolGroup01/LogVol00
dracut: inactive '/dev/VolGroup01/LogVol00' [8.53 GiB] inherit
dracut: inactive '/dev/VolGroup01/LogVol01' [1.00 GiB] inherit
dracut: Mounted root filesystem /dev/mapper/VolGroup01-LogVol00
dracut: /sbin/load_policy: Can't load policy: No such file or directory
dracut: Switching root

No "dracut: Loading SELinux policy" present.... WORKSFORME
Yes, I see it also.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1521.html