On Thu, Apr 14, 2022 at 2:43 PM J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
>
> My Fedora 33 test VMs stopped booting linux-next recently; reverting
> 81200b0265b1 "selinux: checkreqprot is deprecated, add some ssleep()
> discomfort" allows them to boot again.
>
> I'm guessing this warning wasn't intended to be quite *that* dramatic?

Well, I dunno, we *really* want to get rid of that option ;)

Jokes aside, I'm sorry that caught you out, but thanks for reporting it. I thought I tested all the combinations, but obviously I missed one.

The obvious fix is to move the ssleep() call out of checkreqprot_set() and into sel_write_checkreqprot(); you'll still get the error message on the console, but you'll only hit the sleep when toggling the flag after boot, at runtime. It's similar to the runtime disable deprecation. I'll work up a patch as soon as I'm done with this email.

However, a couple of quick questions: this looks like a custom/hand built kernel, yes? If so, is this an old kernel config that you just keep updating via 'make oldconfig' or something similar? I'm asking not to critique your kernel config choice (although this particular Kconfig knob *is* going away), but rather I want to make sure there isn't somebody/something out there still enabling this for a large user base.

--
paul-moore.com