856332 – RHEL6.4 build panic after dracut FATAL: Initial SELinux policy load failed

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 856332 - RHEL6.4 build panic after dracut FATAL: Initial SELinux policy load failed

Summary: RHEL6.4 build panic after dracut FATAL: Initial SELinux policy load failed

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-11 19:35 UTC by Scott Poore
Modified:	2014-05-14 16:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1101967 (view as bug list)
Environment:
Last Closed:	2012-10-09 11:12:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
print screen (20.71 KB, image/png) 2013-05-29 06:36 UTC, EricLee	no flags	Details
View All

Description Scott Poore 2012-09-11 19:35:15 UTC

Description of problem:

Panic during RHEL 6.4 nightly build kickstart in beaker:

dracut: Mounted root filesystem /dev/sda3 
dracut: Loading SELinux policy 
type=1404 audit(1347361672.118:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 
dracut: SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory /sbin/load_policy: Can't load policy and enforcing mode requested: No such file or directory 
dracut Warning: Initial SELinux policy load failed. 
dracut: FATAL: Initial SELinux policy load failed. Machine in enforcing mode. To disable selinux, add selinux=0 to the kernel command line. 
dracut: Refusing to continue 
dracut Warning: Signal caught! 
  
  
 %G  
  
dracut Warning: dracut: FATAL: Initial SELinux policy load failed. Machine in enforcing mode. To disable selinux, add selinux=0 to the kernel command line. 
dracut Warning: dracut: Refusing to continue 
Kernel panic - not syncing: Attempted to kill init! 


Version-Release number of selected component (if applicable):

RHEL6.4-20120910.n.0 Server x86_64

How reproducible:
Unknown

Steps to Reproduce:
1. RHEL 6.4 build in beaker
  
Actual results:

panic

Expected results:

install OS without panic

Additional info:

Comment 2 Scott Poore 2012-09-18 17:49:51 UTC

Any word on this one?

Here's a little more info from the failure I saw:

Kernel panic - not syncing: Attempted to kill init! 
Pid: 1, comm: init Not tainted 2.6.32-306.el6.x86_64 #1 
Call Trace: 
 [<ffffffff81503dff>] ? panic+0xa0/0x168 
 [<ffffffff81070eb2>] ? do_exit+0x862/0x870 
 [<ffffffff8117f365>] ? fput+0x25/0x30 
 [<ffffffff81070f18>] ? do_group_exit+0x58/0xd0 
 [<ffffffff81070fa7>] ? sys_exit_group+0x17/0x20 
 [<ffffffff8100b0f2>] ? system_call_fastpath+0x16/0x1b 

This was also seen on a different RHEL6.4 install attempt in sys.log:

17:09:46,735 INFO kernel:semodule[2533]: segfault at 1246c7e2cba ip 00007f19c450b6e1 sp 00007fff7baad210 error 4 in libsepol.so.1[7f19c44fe000+3b000]
17:13:16,604 INFO kernel:yum[10816]: segfault at 19619ec54b7 ip 00007f6d99cb6629 sp 00007fff2375c780 error 4 in libpython2.6.so.1.0[7f6d99bab000+171000]

Comment 3 Harald Hoyer 2012-09-20 09:20:32 UTC

(In reply to comment #2)
> Any word on this one?
> 
> Here's a little more info from the failure I saw:
> 
> Kernel panic - not syncing: Attempted to kill init! 
> Pid: 1, comm: init Not tainted 2.6.32-306.el6.x86_64 #1 
> Call Trace: 
>  [<ffffffff81503dff>] ? panic+0xa0/0x168 
>  [<ffffffff81070eb2>] ? do_exit+0x862/0x870 
>  [<ffffffff8117f365>] ? fput+0x25/0x30 
>  [<ffffffff81070f18>] ? do_group_exit+0x58/0xd0 
>  [<ffffffff81070fa7>] ? sys_exit_group+0x17/0x20 
>  [<ffffffff8100b0f2>] ? system_call_fastpath+0x16/0x1b 


This happens, when dracut (process 1) stops. In this case because of:
dracut Warning: dracut: FATAL: Initial SELinux policy load failed. Machine in enforcing mode. To disable selinux, add selinux=0 to the kernel command line. 
dracut Warning: dracut: Refusing to continue

> 
> This was also seen on a different RHEL6.4 install attempt in sys.log:
> 
> 17:09:46,735 INFO kernel:semodule[2533]: segfault at 1246c7e2cba ip
> 00007f19c450b6e1 sp 00007fff7baad210 error 4 in
> libsepol.so.1[7f19c44fe000+3b000]
> 17:13:16,604 INFO kernel:yum[10816]: segfault at 19619ec54b7 ip
> 00007f6d99cb6629 sp 00007fff2375c780 error 4 in
> libpython2.6.so.1.0[7f6d99bab000+171000]

Well, seems like selinux is broken! Dracut cannot do anything about it.

Comment 4 Daniel Walsh 2012-09-26 21:12:03 UTC

Is selinux-policy package installed?

Comment 5 Scott Poore 2012-10-04 19:16:59 UTC

I'm guessing it was included in the image used for that phase of the kickstart boot/build.  I guess I don't know that for sure though.

This may be resolved now though.  I was able to successfully build a RHEL6.4 test with the latest build and it seems fine.

Comment 6 EricLee 2013-05-29 06:35:19 UTC

Hi All,

I got the same error when I install VMs, the strange thing is that: I use the same profile to install two guests which with different disk format(one is qcow2, the other one is raw), only raw format disk will get the error after installed and can not boot up normally. Please see the attachment.

Can somebody tell me what's the problem?

Thanks,
Ericlee

Comment 7 EricLee 2013-05-29 06:36:33 UTC

Created attachment 754199 [details]
print screen

Comment 8 Salim Talamas 2014-05-14 16:43:07 UTC

We also had experienced the same issue as noted above on rhel 6.4.  To resolve the issue we did the following:

Problem: after disabling selinux, we encountered the following kernel panic -not syncing: Attempting to kill init!

Solution: 
Step1 - boot into rescue mode via rhel ISO image
Step2: navigate to the filesystem: /mnt/sysimage/etc/selinux/config 
Step3 - modify selinux=0 then reboot
Step4 - boot normally to rhel OS
Step5 - from CLI getenforce will display "Permissive"
Step6 - navigate to /etc/selinux/config and modify selinux=disabled
Step7 - reboot normally to rhel OS. Kernel panic should not occur
Step 8 - confirm getenforce displays "Disabled"

Note You need to log in before you can comment on or make changes to this bug.