On 09/17/2009 09:39 PM, Yuan Yijun wrote:
> 2009/9/18 Steve Grubb <[email protected]>:
>> hi,
>>
>> What's happened in our rawhide boot sequence that cause selinux to not be
>> running anymore? Selinux is not disabled in the grub.conf kernel line and
>> sestatus shows its disabled. There is nothing in the system logs saying that
>> there was a problem.
>>
>
> I encountered this problem as well, but don't know why. It happens
> when I am trying different kernels among some recent builds (starting
> from 0.104 to 1.14). I guess there is an incompatibility between older
> kernels and the policy; when you install a kernel while SELinux is
> disabled, it may cause future problems. Do you expect SELinux to be
> enabled automatically? I usually enable SELinux by doing a relabel,
> then install the kernel again.
>
>
>
Hopefully this is just a problem of coordination between the old way of doing
things and the new.
Dracut found a bug where it could not load_policy on separate /usr partitions
because it needed to execute /usr/sbin/load_policy (obviously). I moved
load_policy from /usr/sbin to /sbin. This caused some other apps problems
because they were hard coded to look for /usr/sbin. Recently I fixed this by
adding a symbolic link and fixing the libraries that blew up.
I am not sure why Steve's machine is still disabled. But Dracut should be
logging an error telling the system why SELinux did not get loaded.
Bottom line is a bug in the dracut scripts. The scripts should execute
load_policy and if for ANY reason load_policy fails and the machine is in
enforcing mode the machine needs to crash. (It should also log the error.)
If the kernel has SELinux and it is not in permissive mode, it should execute
load_policy. load_policy will exit with 0 on success or 2 on failure and SELinux
in permissive mode.
man load_policy
...
EXIT STATUS
0 Success
1 Invalid option
2 Policy load failed
3 Initial policy load failed and enforcing mode requested
Any other error code or load_policy being missing should cause the machine to
crash.
--
fedora-devel-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-devel-list
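The hook behaviour the message above asks for (run load_policy from the initramfs, log any failure, and refuse to continue the boot when enforcing mode was requested and the load did not succeed), written out as an added example. This is not dracut's own hook and not code from the thread; the function names, the exit status 127 used for "binary missing", the precedence rules for selinux=/enforcing= on the kernel command line, and the stand-in loader scripts used by the demo are assumptions made for illustration. The exit status meanings are the ones quoted from the load_policy man page in the message.

```shell
#!/bin/sh
# Added example of the load_policy check described on the list; not dracut's
# own hook. Function names, the cmdline precedence rules, the 127 convention
# and the demo loaders are assumptions. In real use the loader argument is
# /sbin/load_policy (the location the message says it was moved to).

# Work out the requested SELinux mode from the SELINUX= value of
# /etc/selinux/config ($1: enforcing|permissive|disabled) and the kernel
# command line ($2). A later parameter overrides an earlier one, and
# selinux=0 wins over any enforcing= setting (assumed precedence).
# Prints one of: enforcing, permissive, disabled.
selinux_requested_mode() {
    mode=$1
    for word in $2; do
        case $word in
            selinux=0)
                mode=disabled ;;
            enforcing=0)
                if [ "$mode" != disabled ]; then mode=permissive; fi ;;
            enforcing=1)
                if [ "$mode" != disabled ]; then mode=enforcing; fi ;;
        esac
    done
    echo "$mode"
}

# Human-readable meaning of a load_policy exit status, per its man page.
# 127 stands for "binary missing"; that is a convention of this example.
load_policy_status_text() {
    case $1 in
        0)   echo "success" ;;
        1)   echo "invalid option" ;;
        2)   echo "policy load failed" ;;
        3)   echo "initial policy load failed and enforcing mode requested" ;;
        127) echo "load_policy binary missing or not executable" ;;
        *)   echo "unexpected exit status $1" ;;
    esac
}

# Run the initial policy load ($1: path to load_policy, $2: requested mode)
# and decide whether boot may go on. Any failure, including a missing
# binary, is fatal in enforcing mode; in permissive mode it is only logged.
# Prints one of: skipped, ok, permissive, halt. Returns 1 only for halt.
selinux_load_or_halt() {
    loader=$1
    mode=$2
    if [ "$mode" = disabled ]; then
        echo skipped
        return 0
    fi
    if [ -x "$loader" ]; then
        # -i requests the initial policy load, as done from the initramfs
        if "$loader" -i; then rc=0; else rc=$?; fi
    else
        rc=127
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
        return 0
    fi
    echo "SELinux: $(load_policy_status_text "$rc") (exit status $rc)" >&2
    if [ "$mode" = enforcing ]; then
        echo "SELinux: enforcing mode requested, refusing to continue boot" >&2
        echo halt
        return 1
    fi
    echo "SELinux: continuing in permissive mode without a policy" >&2
    echo permissive
    return 0
}

# Demo with constructed stand-in loaders; the real load_policy is never run.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/load_policy_ok"
printf '#!/bin/sh\nexit 3\n' > "$demo_dir/load_policy_fail"
chmod +x "$demo_dir/load_policy_ok" "$demo_dir/load_policy_fail"
req_mode=$(selinux_requested_mode enforcing "ro root=/dev/sda1 rhgb quiet")
echo "config=enforcing, no cmdline override -> $req_mode"
echo "loader ok, enforcing      -> $(selinux_load_or_halt "$demo_dir/load_policy_ok" enforcing 2>/dev/null)"
echo "loader fails, enforcing   -> $(selinux_load_or_halt "$demo_dir/load_policy_fail" enforcing 2>/dev/null)"
echo "loader fails, permissive  -> $(selinux_load_or_halt "$demo_dir/load_policy_fail" permissive 2>/dev/null)"
echo "loader missing, enforcing -> $(selinux_load_or_halt "$demo_dir/none" enforcing 2>/dev/null)"
rm -rf "$demo_dir"
```

In a real hook the two functions would be wired together as `selinux_load_or_halt /sbin/load_policy "$(selinux_requested_mode "$config_mode" "$(cat /proc/cmdline)")"`, with the non-zero return used to stop the boot (emergency shell or halt) rather than silently going on with SELinux disabled, which is exactly the failure the thread reports. Note that the missing-binary case is deliberately handled the same way as a failed load, matching the message's point that load_policy being absent must also be fatal in enforcing mode.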