On 09/17/2009 09:39 PM, Yuan Yijun wrote:
> 2009/9/18 Steve Grubb <sgrubb@xxxxxxxxxx>:
>> hi,
>>
>> What's happened in our rawhide boot sequence that causes selinux to not be
>> running anymore? Selinux is not disabled in the grub.conf kernel line and
>> sestatus shows it's disabled. There is nothing in the system logs saying that
>> there was a problem.
>>
>
> I encountered this problem as well, but don't know why. It happens
> when I am trying different kernels among some recent builds (starting
> from 0.104 to 1.14). I guess there is an incompatibility between older
> kernels and the policy; when you install a kernel while SELinux is
> disabled, it may cause future problems. Do you expect SELinux to be
> enabled automatically? I usually enable SELinux by doing a relabel,
> then install the kernel again.
>
>

Hopefully this is just a problem of coordination between the old way of doing things and the new. Dracut found a bug where it could not load_policy on separate /usr partitions because it needed to execute /usr/sbin/load_policy (obviously). I moved load_policy from /usr/sbin to /sbin. This caused some other apps problems because they were hard coded to look for /usr/sbin. Recently I fixed this by adding a symbolic link and fixing the libraries that blew up.

I am not sure why Steve's machine is still disabled. But Dracut should be logging an error telling the system why SELinux did not get loaded.

Bottom line is a bug in the dracut scripts. The scripts should execute load_policy, and if for ANY reason load_policy fails and the machine is in enforcing mode, the machine needs to crash. (It should also log the error.)

If the kernel has SELinux and it is not in permissive mode, it should execute load_policy. load_policy will exit with 0 on success or 2 on failure and SELinux in permissive mode.

man load_policy ...

EXIT STATUS
       0      Success
       1      Invalid option
       2      Policy load failed
       3      Initial policy load failed and enforcing mode requested

Any other error code or load_policy being missing should cause the machine to crash.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
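The decision rule laid out in the message above (run load_policy from the initramfs, keep booting on 0, stay permissive on 2 only when enforcing was not requested, and halt on anything else or on a missing binary) is small enough to write down. The script below is an added illustration, not dracut's own code and not anything from the thread; it assumes the binary lives at /sbin/load_policy as the message says it now does, that `load_policy -i` is the initial-load invocation from the man page, and that the enforcing request is read from an `enforcing=` kernel command-line parameter with a caller-supplied default (the real initramfs also consults /etc/selinux/config, which is left out here). The `--boot` guard keeps the top-level action from running when the file is sourced or tested.

```shell
#!/bin/sh
# Added example: mapping load_policy's exit status to an init-time action.
# Not dracut's code. Exit codes follow load_policy(8):
#   0 success, 1 invalid option, 2 policy load failed,
#   3 initial policy load failed and enforcing mode requested.

# Read the enforcing request from kernel command-line text. Takes the text
# as an argument so it can be exercised without /proc/cmdline. Second argument
# is the fallback when no enforcing= parameter is present (assumed default 1).
enforcing_from_cmdline() {
    cmdline="$1"
    default="${2:-1}"
    case " $cmdline " in
        *" enforcing=0 "*) echo 0 ;;
        *" enforcing=1 "*) echo 1 ;;
        *) echo "$default" ;;
    esac
}

# Run the initial policy load and echo its exit status, or the word
# "missing" when the binary cannot be executed at all.
run_load_policy() {
    bin="${1:-/sbin/load_policy}"   # path assumed from the message above
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # Wrapping the call in 'if' keeps a failure from tripping 'set -e'.
    if "$bin" -i >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Decide what init should do. $1 is 1 for enforcing, 0 for permissive;
# $2 is load_policy's exit status or "missing".
# Prints one of: continue, continue-permissive, panic
policy_action() {
    enforcing="$1"
    status="$2"
    case "$status" in
        0) echo continue ;;
        2)
            # Policy did not load; the kernel is still permissive. That is
            # tolerable only if permissive was what the admin asked for.
            if [ "$enforcing" = 1 ]; then echo panic; else echo continue-permissive; fi ;;
        *) echo panic ;;   # 1, 3, missing, or anything unexpected
    esac
}

# Top-level action, only when invoked explicitly as an init step.
if [ "${1:-}" = "--boot" ]; then
    enforcing=$(enforcing_from_cmdline "$(cat /proc/cmdline)" 1)
    status=$(run_load_policy /sbin/load_policy)
    case "$(policy_action "$enforcing" "$status")" in
        continue) ;;
        continue-permissive)
            echo "load_policy failed (status $status); SELinux stays permissive" >&2 ;;
        panic)
            echo "load_policy failed (status $status) with enforcing requested; halting boot" >&2
            exit 1 ;;   # a real initramfs would take its emergency path here
    esac
fi
```

The important property is that every branch other than a clean exit 0 is logged, and the only non-zero code that lets the boot continue is 2 with permissive explicitly requested; an absent binary is treated exactly like a failed load rather than silently leaving SELinux off, which is the situation Steve reported.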