Your message dated Fri, 9 Jun 2017 13:25:36 +0200
with message-id <3bc76902-e183-ef43-7528-901e579d1...@debian.org>
has caused the report #864479,
regarding boot failure due to ambiguous SELinux config
to be marked as having been forwarded to the upstream software
author(s) seli...@tycho.nsa.gov

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hello,

I just got the following bug report in Debian that I've been able to reproduce myself:

When booting with a kernel cmdline 'security=selinux' and a
/etc/selinux/config setting 'SELINUX=disabled', dbus fails to start
and thereby systemd-logind and the system is unusable:

Jun 08 16:23:43 server02 systemd[1]: Started D-Bus System Message Bus.
Jun 08 16:23:43 server02 dbus-daemon[703]: Failed to set up security class mapping (selinux_set_mapping():Invalid argument).
Jun 08 16:24:08 server02 systemd[1]: dbus.service: Main process exited, code=exited, status=1/FAILURE
Jun 08 16:24:08 server02 systemd[1]: dbus.service: Unit entered failed state.
Jun 08 16:24:08 server02 systemd[1]: dbus.service: Failed with result 'exit-code'.

When accessing the system using a debug shell, I can see that the selinuxfs is mounted and sestatus is telling me that selinux is enabled. I can manually unmount the selinuxfs and then sestatus is telling me that selinux is disabled on the system.

Looking quickly at the code, the selinux_init_load_policy() function (which is used in systemd) is supposed to unmount the selinuxfs itself if the SELINUX parameter is set to disabled in the /etc/selinux/config file. I'm not too sure why it's not happening, or maybe something else is remounting it? I don't think anything else on the system is trying to load the policy, though.

Any idea?

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864479

--- End Message ---
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
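
A consistency check for the state described in the report above, as an added example that is not part of the original message and not code from libselinux or systemd. The function names are hypothetical, taking the first SELINUX= line is a simplification, and the sample files at the end are constructed.

```shell
#!/bin/sh
# Added example: flag the mismatch from the report, where the config file says
# SELINUX=disabled while the kernel command line selects SELinux and selinuxfs
# is still mounted. Function names are hypothetical.

# Print the lower-cased SELINUX= value; the first uncommented line is used
# (a simplification assumed for this sketch).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Succeed if the kernel command line contains the token security=selinux.
cmdline_selects_selinux() {
    tr ' ' '\n' < "$1" | grep -qx 'security=selinux'
}

# Succeed if a mount table in /proc/mounts format lists a selinuxfs mount.
selinuxfs_mounted() {
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# Return 2 for the reported state, 1 for the risky combination, 0 otherwise.
check_selinux_consistency() {
    cmdline=${1:-/proc/cmdline}
    config=${2:-/etc/selinux/config}
    mounts=${3:-/proc/mounts}
    mode=$(selinux_config_mode "$config")
    if [ "$mode" = "disabled" ] && selinuxfs_mounted "$mounts"; then
        echo "CONFLICT: SELINUX=disabled in $config but selinuxfs is mounted"
        return 2
    fi
    if [ "$mode" = "disabled" ] && cmdline_selects_selinux "$cmdline"; then
        echo "WARNING: security=selinux on cmdline but SELINUX=disabled in $config"
        return 1
    fi
    echo "OK: no mismatch between cmdline, config and mounts"
    return 0
}

# Constructed sample reproducing the reported state (not taken from a real host).
d=$(mktemp -d)
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro security=selinux' > "$d/cmdline"
printf 'SELINUX=disabled\nSELINUXTYPE=default\n' > "$d/config"
echo 'selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0' > "$d/mounts"
check_selinux_consistency "$d/cmdline" "$d/config" "$d/mounts" || echo "exit status: $?"
rm -rf "$d"
```

Called with no arguments, `check_selinux_consistency` reads the live /proc/cmdline, /etc/selinux/config and /proc/mounts.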
