[Debian-eeepc-devel] debian-eeepc selinuxfs boot failure message (followup)

Manoj Srivastava srivasta at acm.org
Fri Sep 5 15:19:41 UTC 2008


On Wed, 27 Feb 2008 13:12:45 +0100, Jelle de Jong
<jelledejong at powercraft.nl> said:  

> Dear Manoj, The Debian EeePC team is trying to get all the hardware of
> the ASUS EeePC fully working without error or warning messages.

> We have encountered the following messages:

> mount failed for selinuxfs on /selinux: no such file or directory

> cat /proc/cmdline root=/dev/sda1 ro quiet irqpoll noswap noresume
> selinux=0

        Well, /selinux is provided by policycoreutils, and it seems you
 have not loaded that (standard) package.


> We are hoping you would be willing to solve this problem when
> selinux=0 is set on the boot options.

        The sequence of events is this:
 0. Init looks at env var SELINUX_INIT, and if that is zero, skips the
    rest of the steps below.
 1. init tries to load security policy.
 2. First, selinux configuration (from /etc/selinux/config) is re-read.
 3. We check to see if we are in enforcing mode in the config file.
 4. mount the /proc file system
 5. look at /proc/cmdline, parse it to see if we have an enforcing=
    override.
 6. umount /proc if we mounted it
 7. determine desired mode (enforcing or not based on above)
 8. try to mount selinuxfs on /selinux (tests whether kernel knows of
    selinux)
   a. If ENODEV, selinux is disabled in kernel
   b. ERROR: We do not know if selinux is enabled or not, but this is an
      error.
 9. if selinux is disabled in the config, 
   a. disable security
   b. unmount selinuxfs
   c. go to end
10. Change kernel enforcing status to match
11. load security policy

        The problem is step 8, since the only way to know whether the
 kernel  knows about selinux is to try to mount selinuxfs
 _somewhere_. The somewhere happens to be /selinux. 

> With the correct upper case the SELINUX_INIT=O boot option will make
> the error message go away. However I think this is not a mainstream
> solution. Something like "noselinux" would be much more logical.

        Well, with SELINUX_INIT=O init itself does not try to load
 policy.  That is one solution. installing policycoreutils is
 another. Living with the error message is yet another. Having
 libselinux try and create a temp directory, mount selinuxfs there, and
 remove the directory later, is yet another option. I don't think that
 last option is really the best one here.

        manoj
-- 
"Pull the wool over your own eyes!" J.R. "Bob" Dobbs
Manoj Srivastava <srivasta at acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
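
The decision sequence listed in the message above, as an added example that is not part of the original post and is not the init or libselinux source. The function names, the outcome enum and the integer form of SELINUX_INIT are assumptions made for illustration; the ENODEV-versus-any-other-error split in step 8 is taken from the message.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed outcome names for the branches in steps 0, 8 and 9. */
enum outcome { SKIPPED, KERNEL_DISABLED, PROBE_ERROR, CONFIG_DISABLED, LOAD_POLICY };

/* Step 5: return 0 or 1 for an enforcing= override on the command line, -1 if none. */
int cmdline_enforcing(const char *cmdline)
{
    const char *p = cmdline;
    while ((p = strstr(p, "enforcing=")) != NULL) {
        /* Accept only a whole token, so "xenforcing=1" is not an override. */
        if ((p == cmdline || p[-1] == ' ') && (p[10] == '0' || p[10] == '1'))
            return p[10] - '0';
        p += 10;
    }
    return -1;
}

/* Step 7: a command-line override replaces the mode read from the config file. */
int desired_enforcing(int config_enforcing, const char *cmdline)
{
    int o = cmdline_enforcing(cmdline);
    return o >= 0 ? o : config_enforcing;
}

/* Steps 0, 8, 9: mount_rc and mount_errno are the result of mounting selinuxfs. */
enum outcome decide(int selinux_init, int config_disabled, int mount_rc, int mount_errno)
{
    if (selinux_init == 0)
        return SKIPPED;                     /* step 0: nothing is probed */
    if (mount_rc < 0)                       /* step 8a vs 8b */
        return mount_errno == ENODEV ? KERNEL_DISABLED : PROBE_ERROR;
    return config_disabled ? CONFIG_DISABLED : LOAD_POLICY;
}

int main(void)
{
    /* Needs root. A missing /selinux directory yields ENOENT, i.e. PROBE_ERROR. */
    int rc = mount("none", "/selinux", "selinuxfs", 0, NULL);
    int err = errno;
    printf("rc=%d (%s) -> outcome %d\n", rc, rc < 0 ? strerror(err) : "ok",
           (int)decide(1, 0, rc, err));
    if (rc == 0)
        umount("/selinux");
    return 0;
}
```

Feeding decide() the ENOENT reported in the quoted boot message lands in the step 8b branch, which is why the error is printed.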
