2.6.14-rc2-git6 vs FC3

Stephen Smalley sds at tycho.nsa.gov
Tue Sep 27 17:24:09 UTC 2005


On Tue, 2005-09-27 at 18:01 +0200, Zoltan Boszormenyi wrote:
> Tony Nelson wrote:
> > At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
> > 
> >>Hi,
> >>
> >>I have an FC3/x86-64 system and I wanted to try
> >>the latest-greatest mainstream test kernel.
> >>The compilation went OK but it didn't boot successfully,
> >>which seems to be an FC3 bug. The last lines on the
> >>console are:
> >>
> >>-------------------------------------------------
> >>Switching to new root
> >>Enforcing mode requested but no policy loaded. Halting now.
> >>Kernel panic - not syncing: Attempted to kil init!
> >>-------------------------------------------------
> >>
> >>At that point, the initrd userspace already started up
> >>and loaded the required modules, e.g. ext3, SATA drivers, etc.
> >>
> >>Is FC3 (or its mkinitrd) that old to be incompatible with
> >>the latest kernel? At this moment I cannot upgrade to FC4
> >>to confirm this.
> > 
> > 
> > That's SELinux.  Note that the name SELinux doesn't appear in SELinux error
> > messages; this may be the Security Mindset at work.  The key words in the
> > error message are "enforcing mode" and "policy".  Turn off SELinux'
> > enforcing mode.  If you run any servers you will want to be behind some
> > other firewall and pay attention to the machine's firewall.
> 
> Yes, thank you. I know it's SELinux, I already switched off
> enforcing mode, but I cannot reboot to try it at the moment.
> My machine is the only computer in the house, so I am a bit
> uneasy about switching it off.
> 
> BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed)
> and setting enforcing mode on boot works with these kernel versions.

/sbin/init tries to load the current policy version (for the binary
policy format, not the package version) supported by the kernel (based
on reading /selinux/policyvers), and then tries the next oldest version
if that doesn't exist.  I think the issue here is that the policy
version has changed twice from what shipped in FC3, and /sbin/init
doesn't keep trying older policy versions if the current one and its
predecessor don't exist.  The kernel itself will always accept older
binary policy versions, so it would take the policy if /sbin/init loaded
it.  Naturally, there could be permission denials due to new permissions
being introduced in the newer kernel that weren't allowed by the older
policy, but you should at least be able to boot the system.

/sbin/init should likely keep trying older versions down to the oldest
supported version in the 2.6 series.  It would then ultimately load the
policy that you have in FC3, which would likely work modulo new
permission check denials.

cc'd fedora-selinux-list, as that is the best place to ask questions re
SELinux.

-- 
Stephen Smalley
National Security Agency
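To make the version-selection logic in the reply above concrete, here is an added model of the two behaviours it contrasts (the two-try lookup that halts the boot, and the walk-back to the oldest version the kernel accepts). This is example code written for this page, not the real /sbin/init source; the directory layout /etc/selinux/<type>/policy/policy.<N>, the version numbers 18, 19, 20 and the floor of 15 are assumed sample values rather than facts taken from the thread, and the "filesystem" is a constructed list of existing versions so the code runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Oldest binary policy version a 2.6-series kernel is assumed to accept.
 * Sample value for this example; the real floor is the kernel's
 * POLICYDB_VERSION_BASE. */
#define OLDEST_26_POLICY_VERSION 15

/* Parse the contents of /selinux/policyvers (a decimal number, optionally
 * followed by a newline).  Returns the version, or -1 on malformed input,
 * so a garbage read does not turn into "try version 0". */
int parse_policyvers(const char *buf)
{
    char *end;
    long v;
    if (buf == NULL || *buf == '\0')
        return -1;
    v = strtol(buf, &end, 10);
    if (end == buf || (*end != '\0' && *end != '\n') || v < 0 || v > 1000)
        return -1;
    return (int)v;
}

/* Simulated existence check: 'available' is a constructed list standing in
 * for the policy.<N> files actually present on disk. */
static int policy_file_exists(int ver, const int *available, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (available[i] == ver)
            return 1;
    return 0;
}

/* Behaviour the reply describes: try the kernel's current version, then its
 * predecessor, then give up.  Returns the chosen version or -1 (no policy,
 * so an enforcing boot halts). */
int pick_policy_two_tries(int kernvers, const int *available, size_t n)
{
    for (int v = kernvers; v >= kernvers - 1; v--)
        if (policy_file_exists(v, available, n))
            return v;
    return -1;
}

/* Suggested fix: keep walking back to the oldest version the kernel still
 * accepts.  The kernel loads older binary formats, so the newest file that
 * is not newer than the kernel is always a usable choice. */
int pick_policy_walk_back(int kernvers, const int *available, size_t n)
{
    for (int v = kernvers; v >= OLDEST_26_POLICY_VERSION; v--)
        if (policy_file_exists(v, available, n))
            return v;
    return -1;
}

/* Build the path that would be opened for the chosen version (assumed layout). */
int policy_path(char *out, size_t outlen, const char *type, int ver)
{
    return snprintf(out, outlen, "/etc/selinux/%s/policy/policy.%d", type, ver);
}

int main(void)
{
    /* Constructed scenario: the kernel advertises version 20, but the FC3
     * policy directory only contains policy.18 (two versions behind). */
    const int fc3_policies[] = { 18 };
    int kernvers = parse_policyvers("20\n");
    char path[256];
    int chosen;

    chosen = pick_policy_two_tries(kernvers, fc3_policies, 1);
    printf("two-try init: %s\n",
           chosen < 0 ? "no policy found, enforcing boot halts" : "policy found");

    chosen = pick_policy_walk_back(kernvers, fc3_policies, 1);
    if (chosen >= 0) {
        policy_path(path, sizeof path, "targeted", chosen);
        printf("walk-back init: would load %s\n", path);
    }
    return 0;
}
```

With the two-try lookup the constructed FC3 scenario finds nothing and the boot halts, exactly the symptom in the quoted console output; the walk-back variant settles on policy.18, which the kernel will load, leaving only the newer permission checks unaccounted for, as the reply notes.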



