Bug 727068 - System fails to boot with selinux=0 :: mount failed for selinuxfs on /sys/fs/selinux
Product: Fedora
Classification: Fedora
Component: libselinux
x86_64 Linux
unspecified Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
RejectedBlocker RejectedNTH
Duplicates: 738716
Reported: 2011-08-01 05:14 EDT by Mikko Tiihonen
Modified: 2011-09-30 15:28 EDT
Fixed In Version: libselinux-2.1.5-5.1.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-30 15:16:11 EDT

Description Mikko Tiihonen 2011-08-01 05:14:08 EDT
Description of problem:
Latest rawhide on 1.8.2011 fails to boot with selinux=0

Version-Release number of selected component (if applicable):

How reproducible:
Always. Did not occur with last week's rawhide with 3.0.0 kernel

Steps to Reproduce:
1. In the GRUB menu, edit the kernel command line and add selinux=0
Actual results:
Boot fails with error message:
Mount failed for selinuxfs on /sys/fs/selinux
Failed to load SELinux policy

Expected results:
Machine boots

Additional info:
Even providing single or emergency on the kernel command line does not help.
Only init=/bin/bash provides a working shell
Comment 1 Tomáš Bžatek 2011-08-02 07:12:54 EDT
Same issue here, maybe it's just a coincidence but specifying "enforcing=0" together with "selinux=0" made my system boot (with custom-compiled kernel).

Comment 2 Michal Schmidt 2011-08-02 07:55:53 EDT
Possibly an effect of bug 726544.
Do you use a dracut-generated initramfs?
Comment 3 Tomáš Bžatek 2011-08-02 09:09:57 EDT
(In reply to comment #2)
> Possibly an effect of bug 726544.
Looks that way.

> Do you use a dracut-generated initramfs?
Yes, just regenerated this morning.
Comment 4 Lennart Poettering 2011-08-31 20:42:34 EDT
Hmm, I think this is fixed now, could you please try to reproduce this issue with 35-1?
Comment 5 Mikko Tiihonen 2011-09-01 02:52:56 EDT
I just tried systemd 35-1 from koji and the bug is still there.
Kernel was 3.1.0-0.rc4.git0.0.fc16

Here is how I reproduced it:
1) make sure kernel boot parameters include selinux=0
2) make sure /etc/selinux/config has value SELINUX=enforcing
   (I think that is the default, might also happen on permissive)
3) reboot

Startup fails with the following error message:

Mount failed for selinuxfs on /sys/fs/selinux
Comment 6 nucleo 2011-09-16 17:17:03 EDT
Is this bug the same as bug 738716 about F16 Beta LiveCD?
Comment 7 Harald Hoyer 2011-09-19 04:18:59 EDT
*** Bug 738716 has been marked as a duplicate of this bug. ***
Comment 8 Kamil Páral 2011-09-20 03:31:43 EDT
Reproduced with systemd-35-1 on F16 Beta TC1 clean install from DVD i386. Proposing as F16 Blocker, even though the closest criteria I could find is just:

"The installed system must run normally if the user chooses to install without SELinux"

Please make sure the fix also gets to F16 (this bug is reported against Rawhide).
Comment 9 Lennart Poettering 2011-09-21 22:05:19 EDT
Hmm, so this appears to be a bug in libselinux. 

If selinux=0 is passed to the kernel, then the mount point directory /sys/fs/selinux will not exist. selinux_init_load_policy() tries to mount selinuxfs on that directory, which will hence fail with ENOENT due to the missing mount point directory. In earlier versions when the file system was still mounted to /selinux the mount point dir always existed (since it was on the root disk, not in sysfs) and hence on selinux=0 ENODEV was returned when the mount was attempted. The function does check for ENODEV and handles things properly, but it doesn't do this for ENOENT.

Dan, a patch to fix this is probably very easy, just make selinux_init_load_policy() check for ENOENT in addition to ENODEV when mount() failed or something like that.

(Note that there was also a cosmetic problem in systemd here: we did not reopen the log fds after selinux_init_load_policy() failed, and the message "Failed to load SELinux policy. Freezing." we were supposed to print was hence not printed when the machine froze. This is fixed now in systemd git, will be in F16 too).

Reassigning to libselinux.
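
The errno distinction described in comment 9, as an added example (not part of the bug report and not libselinux's code). `probe_selinuxfs`, the `mount_fn` hook and the stub mounters are hypothetical names; the stubs stand in for `mount()` so the example runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum selinuxfs_state {
    SELINUXFS_MOUNTED,  /* mount succeeded: policy load can proceed */
    SELINUXFS_DISABLED, /* kernel booted without SELinux: skip policy load */
    SELINUXFS_ERROR     /* unexpected failure: report it and stop */
};

/* Hypothetical hook shaped like a mount call: returns 0, or -1 with errno set. */
typedef int (*mount_fn)(const char *fstype, const char *target);

/* accept_enoent = 0 models the ENODEV-only check described in the comment,
 * accept_enoent = 1 models the suggested check (ENODEV or ENOENT). */
static enum selinuxfs_state probe_selinuxfs(mount_fn do_mount, const char *target,
                                            int accept_enoent)
{
    if (do_mount("selinuxfs", target) == 0)
        return SELINUXFS_MOUNTED;
    int err = errno; /* save before any later call can overwrite it */
    if (err == ENODEV || (accept_enoent && err == ENOENT))
        return SELINUXFS_DISABLED;
    fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", target, strerror(err));
    return SELINUXFS_ERROR;
}

/* Constructed stand-ins for mount(), one per errno of interest. */
static int mnt_ok(const char *f, const char *t)     { (void)f; (void)t; return 0; }
static int mnt_enodev(const char *f, const char *t) { (void)f; (void)t; errno = ENODEV; return -1; }
static int mnt_enoent(const char *f, const char *t) { (void)f; (void)t; errno = ENOENT; return -1; }
static int mnt_eperm(const char *f, const char *t)  { (void)f; (void)t; errno = EPERM; return -1; }

int main(void)
{
    static const char *names[] = { "mounted", "disabled", "error" };
    /* Old mount point with selinux=0: directory exists, filesystem type unknown. */
    printf("/selinux, ENODEV:         %s\n", names[probe_selinuxfs(mnt_enodev, "/selinux", 0)]);
    /* New mount point with selinux=0: directory missing, ENODEV-only check fails. */
    printf("/sys/fs/selinux, old chk: %s\n", names[probe_selinuxfs(mnt_enoent, "/sys/fs/selinux", 0)]);
    printf("/sys/fs/selinux, new chk: %s\n", names[probe_selinuxfs(mnt_enoent, "/sys/fs/selinux", 1)]);
    /* Any other errno still surfaces as an error rather than "disabled". */
    printf("/sys/fs/selinux, EPERM:   %s\n", names[probe_selinuxfs(mnt_eperm, "/sys/fs/selinux", 1)]);
    printf("/sys/fs/selinux, success: %s\n", names[probe_selinuxfs(mnt_ok, "/sys/fs/selinux", 1)]);
    return 0;
}
```
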
Comment 10 Daniel Walsh 2011-09-22 09:42:04 EDT
Fixed in libselinux-2.1.5-5.1.fc16
Comment 11 Fedora Update System 2011-09-22 09:52:56 EDT
libselinux-2.1.5-5.1.fc16 has been submitted as an update for Fedora 16.
Comment 12 Adam Williamson 2011-09-30 15:16:11 EDT
Discussed at the 2011-09-30 blocker review meeting. Rejected as blocker and NTH as there are simply so many workarounds (other ways to achieve the intended goal) and there's no particular release sensitivity (a post-release update would fix this well). Anyway, the bug is fixed and the update just went stable, so closing.
Comment 13 Fedora Update System 2011-09-30 15:28:42 EDT
libselinux-2.1.5-5.1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.