Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
> On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman <mpe@xxxxxxxxxxxxxx> wrote:
>>
>> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>> > Currently, SELinux doesn't allow distinguishing between kernel threads
>> > and userspace processes that are started before the policy is first
>> > loaded - both get the label corresponding to the kernel SID. The only
>> > way a process that persists from early boot can get a meaningful label
>> > is by doing a voluntary dyntransition or re-executing itself.
>>
>> Hi,
>>
>> This commit breaks login for me when booting linux-next kernels with old
>> userspace, specifically Ubuntu 16.04 on ppc64le. 18.04 is OK.
>>
>> The symptom is that login never accepts the root password, it just
>> always says "Login incorrect".
>>
>> Bisect points to this commit.
>>
>> Reverting this commit on top of next-20230726, fixes the problem
>> (ie. login works again).
>>
>> Booting with selinux=0 also fixes the problem.
>>
>> Is this expected? The change log below suggests backward compatibility
>> was considered, is 16.04 just too old?
>
> Hi Michael,
>
> I can reproduce it on Fedora 38 when I boot with SELINUX=disabled in
> /etc/selinux/config (+ a kernel including that commit), so it likely
> isn't caused by the userspace being old. Can you check what you have
> in /etc/selinux/config (or if it exists at all)?

Not sure if you still need it, but /etc/selinux/config doesn't exist in
the 16.04 image.

cheers