(In reply to comment #0)
> Workaround is to use a boot parameter of enforcing=0 instead.

0) Might be related, or might not be related, but after upgrading to selinux-policy-3.10.0-11.fc17.noarch I need "enforcing=0" to login (at runlevel 3).

Without "enforcing=0" any attempt at logging in results in getting kicked back to the login prompt (almost immediately).

1) Please feel free to prod for details, as all selinux related messages appear to be logged.

Please attach the avc's from the audit.log file?

There are no avc's in my audit.log file.

This is happening very early on in system boot so I'm assuming selinux is preventing systemd from starting up logging.

It is only the most recent version of selinux that has started showing this behaviour.

At graphic boot time, every time the escape key is hit to switch to text console there is a message about failing to mount selinuxfs. There are no other messages that appear on the console.

Could you boot with enforcing=0 and then execute

# dmesg |grep avc

[   14.940363] type=1400 audit(1312286776.050:3): avc:  denied  { dyntransition } for  pid=1 comm="systemd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[   22.604532] type=1400 audit(1312311983.725:4): avc:  denied  { read } for  pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   22.604714] type=1400 audit(1312311983.725:5): avc:  denied  { open } for  pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   22.604985] type=1400 audit(1312311983.725:6): avc:  denied  { getattr } for  pid=699 comm="systemd-sysctl" path="/etc/sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   28.638208] type=1400 audit(1312311989.768:7): avc:  denied  { relabelto } for  pid=858 comm="systemd-tmpfile" name="seats" dev=tmpfs ino=12684 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir
[   28.640646] type=1400 audit(1312311989.770:8): avc:  denied  { relabelto } for  pid=858 comm="systemd-tmpfile" name="sessions" dev=tmpfs ino=12688 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir
[   36.931182] type=1400 audit(1312311998.073:9): avc:  denied  { read } for  pid=1096 comm="ksmtuned" path="/bin/bash" dev=dm-1 ino=2752558 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[   38.054367] type=1400 audit(1312311999.198:10): avc:  denied  { name_bind } for  pid=1117 comm="dhclient" src=61349 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
[   39.305947] type=1400 audit(1312312000.451:11): avc:  denied  { read } for  pid=1152 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   39.306058] type=1400 audit(1312312000.451:12): avc:  denied  { open } for  pid=1152 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   39.306227] type=1400 audit(1312312000.451:13): avc:  denied  { getattr } for  pid=1152 comm="systemd-sysctl" path="/etc/sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[   99.711922] type=1400 audit(1312312060.530:14): avc:  denied  { execute } for  pid=1849 comm="plugin-config" path="/home/darrell/jdk1.7.0/jre/lib/amd64/libnpjp2.so" dev=dm-2 ino=9308364 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
[  134.983753] type=1400 audit(1312312095.854:15): avc:  denied  { name_connect } for  pid=2365 comm="npviewer.bin" dest=54686 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Give me some minutes. I will build a new rawhide release which should fix these issues.

There is a new build

http://koji.fedoraproject.org/koji/buildinfo?buildID=256873

(In reply to comment #8) 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=256873

Looks like that fixes it over here.

It didn't fix it for me. Still doesn't boot unless I use enforcing=0 rather than selinux = 0. Not much for avc errors except for


[   34.674692] dbus[941]: avc:  netlink poll: error 4
[   38.702492] type=1400 audit(1312330124.344:3): avc:  denied  { read } for  pid=1109 comm="ksmtuned" path="/bin/bash" dev=dm-1 ino=2752558 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Are you saying it will not boot with selinux=0?

(In reply to comment #11)
> Are you saying it will not boot with selinux=0?

Perhaps related to http://zaitcev.livejournal.com/210477.html ? (I can't comment there so I've cc'ed Pete Zaitcev.)

fails to boot with selinux=0 using

kernel 3.1.0-0.rc0.git19.1.fc17
systemd 33-1.fc16

Successful boot using enforcing=0

I do not think my case is the same as Darrell's, because in my case the
boot stops after an error of selinux_init_load_policy(). It is much earlier
than Darrell's system manages to reach. Please see bz#727068 for one which
may be more relevant.

I finally gotten it so you can disable SELinux.  World domination is mine.  :^)

Updated to selinux-policy-3.10.0-16. Same problem still.

Try selinux-policy-3.10.0-16.fc17

See comment #16. Still fails with the same behaviour. Requires enforcing=0 for successful boot.

Could you execute 

# semodule -DB
which will turn off the dontaudit rules.
Reboot in permissive mode,
Collect the AVC messages
# semodule -B
To turn on the dontaudit messages
And attach a compressed version of the AVC messages.

This could be a systemd problem.

Created attachment 516897 [details]
dmesg output

There were no avc messages in the audit log. Attached the dmesg output which does have avc's

I don't see anything that is obvious.

Could you build a custom module from those AVCs and see if the machine can boot in enforcing mode.

# dmesg | grep -v sys_module | audit2allow -M mybrokenboot
# semodule -i mybrokenboot.pp

It fails to boot.

I'm using graphic boot. When I hit escape I get a message about selinuxfs failing to mount. Still wondering if that is a clue.

You could see if mkdir /selinux 

Fixes the problem.

Are you using an older kernel?

When you are booted, you should see the directory

/sys/fs/selinux

Per comment #1, a 3.1 kernel.

Bingo! mkdir fixes the problem. (The /sys/fs/seliunx directory was there with enforcing=0)

I've never removed /selinux. Now the questions are, what has changed that it is now required, or what will ensure that it is there as required?

Updated a 3 approximately 2 week old rawhide system today and it had the same problem.

Before the update, /selinux was there, After the update /selinux was gone so the reboot failed (until I' changed selinux=0 to enforcing=0)

Are  you sure you are fully updated to Rawhide and are booting with a rawhide kernel?

Yes and yes. Booted with enforcing=0, mkdir /selinux (which had disappeared) and rebooted.

At this point I seem to be the only one who has been affected. I'm ok with keeping the bug closed, making an mental flag and waiting to see if anyone else has the problem.

I am looking for components that have /selinux hard coded in them.  A new version of dracut was just released but I don't know if this would fix your problem.

I know there is another problem with dracut.  But I don't think that is the problem.