Re: SELinux silently disabled on boot under 2.6.14: msg#00087

On Sat, 2005-11-12 at 15:23 +0700, rhp wrote:
> I have a FC3 box which requires compiling the kernel from source to accomodate
> acpi & ec.c related hardware quirks, (its a generic laptop).
> 
> When compiling & installing the latest kernels, I have discovered an apparent
> problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.
> 
> After compiling these kernels, SELinux is silently disabled on boot;
> 
> e.g.:
> 
> sestatus shows SELinux as disabled regardless of /etc/selinux/config
> being set for 'Permissive-targeted'.

Yes, this is a known issue.  /sbin/init in FC3 (and FC4) only tries
loading the current binary policy format version supported by the kernel
and one version lower before giving up altogether, and there have been
two version increments since FC3 was shipped.  Note that if
your /etc/selinux/config was set to enforcing, /sbin/init should have
halted the system at that point; it was only because it was permissive
that it proceeded.  However I'd agree that the lack of any log message
about the inability to load policy is undesirable - not sure why that
is.

In rawhide, /sbin/init has been changed to use a libselinux helper
function to load policy that is more resilient in several respects, and
I think that the plan was to back port those changes to FC3 if/when a
2.6.14 kernel is released for it.  FC4 is still ok since there has only
been one version increment since it was shipped, but will encounter the
same issue when/if another version increment occurs and the
corresponding kernel is released for it, so it should also get the
new /sbin/init and libselinux helper code.  

> After a comparison of the '.config' files from the related builds,
> I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support
> extended attributes for the pseudo filesystems, while the 2.6.13.4 and
> 2.6.12-1.1381_FC3 kernels do support the extended attributes, this is
> the only significant difference I could find between these kernels'
> '.config' files.

That is a red herring; the xattr support for pseudo filesystems is still
present, but handled via a generic fallback in the VFS rather than
separate handlers (so the separate config option is no longer needed).

-- 
Stephen Smalley
National Security Agency

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Apache, Virtual Servers and SELinux, Michael Shaw
Next by Date:	Re: [patch] CUPS 1.2 SELinux policy changes..., Stephen Smalley
Previous by Thread:	SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?, rhp
Next by Thread:	Re: SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?, Bill Nottingham
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Apache, Virtual Servers and SELinux, Michael Shaw

Next by Date:

Re: [patch] CUPS 1.2 SELinux policy changes..., Stephen Smalley

Previous by Thread:

SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?, rhp

Next by Thread:

Re: SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?, Bill Nottingham

Indexes:

[Date] [Thread] [Top] [All Lists]

Free Magazines

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Re: SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?: msg#00087

Free Magazines