SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?

Stephen Smalley sds at tycho.nsa.gov
Mon Nov 14 13:56:47 UTC 2005


On Sat, 2005-11-12 at 15:23 +0700, rhp wrote:
> I have a FC3 box which requires compiling the kernel from source to accommodate
> acpi & ec.c related hardware quirks, (it's a generic laptop).
> 
> When compiling & installing the latest kernels, I have discovered an apparent
> problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.
> 
> After compiling these kernels, SELinux is silently disabled on boot;
> 
> e.g.:
> 
> sestatus shows SELinux as disabled regardless of /etc/selinux/config
> being set for 'Permissive-targeted'.

Yes, this is a known issue.  /sbin/init in FC3 (and FC4) only tries
loading the current binary policy format version supported by the kernel
and one version lower before giving up altogether, and there have been
two version increments since FC3 was shipped.  Note that if
your /etc/selinux/config was set to enforcing, /sbin/init should have
halted the system at that point; it was only because it was permissive
that it proceeded.  However I'd agree that the lack of any log message
about the inability to load policy is undesirable - not sure why that
is.

In rawhide, /sbin/init has been changed to use a libselinux helper
function to load policy that is more resilient in several respects, and
I think that the plan was to back port those changes to FC3 if/when a
2.6.14 kernel is released for it.  FC4 is still ok since there has only
been one version increment since it was shipped, but will encounter the
same issue when/if another version increment occurs and the
corresponding kernel is released for it, so it should also get the
new /sbin/init and libselinux helper code.  

> After a comparison of the '.config' files from the related builds,
> I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support
> extended attributes for the pseudo filesystems, while the 2.6.13.4 and
> 2.6.12-1.1381_FC3 kernels do support the extended attributes, this is
> the only significant difference I could find between these kernels'
> '.config' files.

That is a red herring; the xattr support for pseudo filesystems is still
present, but handled via a generic fallback in the VFS rather than
separate handlers (so the separate config option is no longer needed).

-- 
Stephen Smalley
National Security Agency
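The two loading strategies described above, as an added illustration that is not code from /sbin/init or libselinux. It models the FC3/FC4 init behaviour (try the kernel's policy version and one lower, then give up) beside the more resilient walk-down approach, and adds the log line and the halt-when-enforcing decision the reply mentions. The policy directory layout, the version numbers, the lower bound `MIN_VERS`, and the `/etc/selinux/config` parser are constructed assumptions for the demo.

```python
"""Simulate policy-version selection at boot (added example, not init code).

Assumptions: binary policies live in a directory as policy.N, the kernel
advertises a single maximum policy version, and the resilient loader walks
down to an assumed minimum MIN_VERS. All sample values are constructed.
"""
import os
import re
import tempfile

POLICY_NAME_RE = re.compile(r"^policy\.(\d+)$")
MIN_VERS = 15  # assumed lower bound for the resilient loader


def parse_selinux_config(text):
    """Parse the SELINUX= and SELINUXTYPE= lines of an /etc/selinux/config
    style file into a dict (comments and blank lines ignored)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().lower()
    return conf


def available_policy_versions(policy_dir):
    """Return the set of N for which policy_dir/policy.N exists."""
    versions = set()
    try:
        names = os.listdir(policy_dir)
    except FileNotFoundError:
        return versions
    for name in names:
        m = POLICY_NAME_RE.match(name)
        if m:
            versions.add(int(m.group(1)))
    return versions


def pick_policy_fc3_init(kernel_vers, available):
    """FC3/FC4 /sbin/init behaviour as the mail describes it: try the
    kernel's current version and one lower, then give up."""
    for vers in (kernel_vers, kernel_vers - 1):
        if vers in available:
            return vers
    return None


def pick_policy_resilient(kernel_vers, available):
    """Walk down from the kernel's maximum version to MIN_VERS, in the
    spirit of the libselinux helper the mail refers to."""
    for vers in range(kernel_vers, MIN_VERS - 1, -1):
        if vers in available:
            return vers
    return None


def boot_decision(mode, chosen, log):
    """Outcome after the load attempt: halt if enforcing and nothing loaded,
    otherwise continue, and always leave a log line about the failure."""
    if chosen is not None:
        log.append("loaded SELinux policy version %d" % chosen)
        return "enforcing" if mode == "enforcing" else "permissive"
    log.append("failed to load SELinux policy")
    return "halt" if mode == "enforcing" else "disabled"


def demo(kernel_vers=20, shipped_vers=18, config_text="SELINUX=permissive\nSELINUXTYPE=targeted\n"):
    """Constructed scenario: the box ships policy.18 but the new kernel
    speaks version 20 (two increments). Returns what each strategy does."""
    conf = parse_selinux_config(config_text)
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "policy.%d" % shipped_vers), "wb").close()
        avail = available_policy_versions(d)
    fc3_log, res_log = [], []
    fc3 = pick_policy_fc3_init(kernel_vers, avail)
    res = pick_policy_resilient(kernel_vers, avail)
    return {
        "fc3_choice": fc3,
        "fc3_result": boot_decision(conf["SELINUX"], fc3, fc3_log),
        "fc3_log": fc3_log,
        "resilient_choice": res,
        "resilient_result": boot_decision(conf["SELINUX"], res, res_log),
        "resilient_log": res_log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the constructed values the FC3-style search finds nothing and the box comes up with SELinux disabled (or halts if the config said enforcing), while the walk-down search still finds policy.18; the explicit log line is what the reply says was missing.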
