Your message dated Sun, 1 Feb 2026 19:22:54 +0100
with message-id
<caj2a_deymk6spq+yq3eroclf_w8kspphhnubryb0lqxfbqf...@mail.gmail.com>
and subject line Re: Bug #1037533: Inconsistent (default) SELinux setup
has caused the Debian Bug report #1037533,
regarding Inconsistent (default) SELinux setup
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037533
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Version: Debian12, Bookworm (kernel: 6.1.0-9-cloud-amd64)
Package: libselinux1:amd64
Impact: cosmetic
I have noticed that the kernels shipped with Debian (or at least the flavor
mentioned above) don't provide the CONFIG_SECURITY_SELINUX_BOOTPARAM. This
essentially means that there's no way to disable SELinux via the kernel's
cmdline.
Even though Debian, by default, does not use SELinux, it does ship the
libselinux which, for instance, systemd is happily linking to. It does go
through the selinux_init_load_policy() which means that the libselinux
attempts to not only mount selinuxfs (which it successfully does) but it
also attempts to load its .policy. Naturally, for the system which does not
depend on SELinux, such .policy would not exist. This ends up with a very
confusing message, coming from libselinux, which can be seen right after
systemd kicks in:
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.33: No such file or directory
(libselinux automagically determines this .N suffix at the end so I guess
the actual path may differ across different versions).
Since we cannot disable SELinux on the kernel level, and there's no way to
prevent libselinux from mounting selinuxfs (I believe based on that action
it actually determines if SELinux is disabled or not since it does not
look up the "selinux=" in kernel's cmdline, just the "enforcing=" bit), we
need to actually create its /etc/selinux/config and explicitly set
"SELINUX=disabled" inside.
To me, this is the inconsistent part. :) A user who is not using SELinux at
all is required to put its config in place, to make sure the above loading
of the .policy does not happen (and to prevent this error from popping up
on the console). In my opinion, Debian should either provide the
/etc/selinux/config from the very get-go (with SELinux disabled) or at
least enable the CONFIG_SECURITY_SELINUX_BOOTPARAM. :)
Regards,
Michal
--- End Message ---
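A check for the state described in the report above, as an added example that is not part of the original message or of any Debian package. The function names, the ROOT and KCONFIG arguments, the fallback to the "targeted" policy type (taken from the path in the reported error) and the /boot/config-<release> location are assumptions.

```shell
#!/bin/sh
# Added example; function names and the ROOT/KCONFIG arguments are hypothetical.

# Print the SELINUX= value from ROOT/etc/selinux/config, or "absent"/"unset".
selinux_config_mode() {
    cfg="$1/etc/selinux/config"
    [ -f "$cfg" ] || { echo absent; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Print the SELINUXTYPE= value; fall back to "targeted", the directory named
# in the reported error message (assumed default when no config exists).
selinux_policy_type() {
    cfg="$1/etc/selinux/config"
    ptype=""
    if [ -f "$cfg" ]; then
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    echo "${ptype:-targeted}"
}

# Print yes/no/unknown for CONFIG_SECURITY_SELINUX_BOOTPARAM in a kernel config file.
kernel_bootparam() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$1"; then echo yes; else echo no; fi
}

# Classify ROOT: "ok: ..." or "warn: ..." for the state described in the report.
classify() {
    mode=$(selinux_config_mode "$1")
    ptype=$(selinux_policy_type "$1")
    bootparam=$(kernel_bootparam "$2")
    if [ "$mode" = disabled ]; then
        echo "ok: SELINUX=disabled is set in etc/selinux/config"
    elif ls "$1/etc/selinux/$ptype/policy/"policy.* >/dev/null 2>&1; then
        echo "ok: a policy file exists for type $ptype"
    else
        echo "warn: config=$mode, no policy for type $ptype, selinux= boot parameter=$bootparam"
    fi
}

# Default to the running system; /boot/config-<release> is assumed readable.
classify "${1:-/}" "${2:-/boot/config-$(uname -r)}"
```

A "warn:" result matches the situation in the report: no /etc/selinux/config with SELINUX=disabled and no policy file for libselinux to load.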
--- Begin Message ---
Closing.
--- End Message ---