On Sat, 2005-11-12 at 15:23 +0700, rhp wrote:
> I have a FC3 box which requires compiling the kernel from source to accommodate
> acpi & ec.c related hardware quirks, (it's a generic laptop).
>
> When compiling & installing the latest kernels, I have discovered an apparent
> problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.
>
> After compiling these kernels, SELinux is silently disabled on boot;
>
> e.g.:
>
> sestatus shows SELinux as disabled regardless of /etc/selinux/config
> being set for 'Permissive-targeted'.

Yes, this is a known issue. /sbin/init in FC3 (and FC4) only tries loading the current binary policy format version supported by the kernel and one version lower before giving up altogether, and there have been two version increments since FC3 was shipped. Note that if your /etc/selinux/config was set to enforcing, /sbin/init should have halted the system at that point; it was only because it was permissive that it proceeded. However, I'd agree that the lack of any log message about the inability to load policy is undesirable - not sure why that is.

In rawhide, /sbin/init has been changed to use a libselinux helper function to load policy that is more resilient in several respects, and I think that the plan was to back port those changes to FC3 if/when a 2.6.14 kernel is released for it. FC4 is still ok since there has only been one version increment since it was shipped, but will encounter the same issue when/if another version increment occurs and the corresponding kernel is released for it, so it should also get the new /sbin/init and libselinux helper code.

> After a comparison of the '.config' files from the related builds,
> I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support
> extended attributes for the pseudo filesystems, while the 2.6.13.4 and
> 2.6.12-1.1381_FC3 kernels do support the extended attributes, this is
> the only significant difference I could find between these kernels'
> '.config' files.

That is a red herring; the xattr support for pseudo filesystems is still present, but handled via a generic fallback in the VFS rather than separate handlers (so the separate config option is no longer needed).

-- 
Stephen Smalley
National Security Agency
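
The two-version lookup described in the reply can be modelled to spot a box where a newer kernel would boot with no policy loaded. This is an added example, not code from /sbin/init, libselinux, or the message author. The `policy.<version>` file naming, the function names, and the "tolerant" walk-down lookup are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; models the lookup behaviour described in the message.
# Assumption: binary policies are stored as <dir>/policy.<version>.

# Lookup as described for the FC3/FC4 /sbin/init: try the kernel's
# policy version and one version lower, then give up.
find_policy_old() {
    dir=$1; kver=$2
    for v in "$kver" $(($kver - 1)); do
        if [ -f "$dir/policy.$v" ]; then
            echo "$dir/policy.$v"
            return 0
        fi
    done
    return 1
}

# Hypothetical more tolerant lookup (not the libselinux helper itself):
# walk down from the kernel's version to the newest installed policy.
find_policy_tolerant() {
    dir=$1; kver=$2
    v=$kver
    while [ "$v" -ge 1 ]; do
        if [ -f "$dir/policy.$v" ]; then
            echo "$dir/policy.$v"
            return 0
        fi
        v=$(($v - 1))
    done
    return 1
}

# Report whether the two-version lookup would leave SELinux without a policy.
check_policy() {
    dir=$1; kver=$2
    if p=$(find_policy_old "$dir" "$kver"); then
        echo "ok: two-version lookup finds $p"
    elif p=$(find_policy_tolerant "$dir" "$kver"); then
        echo "gap: only $p installed, kernel max is $kver; two-version lookup fails"
    else
        echo "none: no binary policy found under $dir"
    fi
}

# Usage (paths are assumptions about the installed system):
#   check_policy /etc/selinux/targeted/policy "$(cat /selinux/policyvers)"
```

A `gap:` result before rebooting into a self-built kernel means the boot will proceed without policy in permissive mode, or halt if the config is set to enforcing, as the reply explains.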