[Debian-eeepc-devel] debian-eeepc selinuxfs boot failure message (followup)
srivasta at acm.org
Fri Sep 5 15:19:41 UTC 2008
On Wed, 27 Feb 2008 13:12:45 +0100, Jelle de Jong
<jelledejong at powercraft.nl> said:
> Dear Manoj, The Debian EeePC team is trying to get all the hardware of
> the ASUS EeePC fully working without error or warning messages.
> We have encountered the following messages:
> mount failed for selinuxfs on /selinux: no such file or directory
> cat /proc/cmdline root=/dev/sda1 ro quiet irqpoll noswap noresume
Well, /selinux is provided by policycoreutils, and it seems you
have not loaded that (standard) package.
> We are hoping you would be willing to solve this problem when
> selinux=0 is set on the boot options.
The sequence of events is this:
0. Init looks at env var SELINUX_INIT, and if that is zero, skips the
rest of the steps below.
1. init tries to load security policy.
2. First, selinux configuration (from /etc/selinux/config) is re-read.
3. We check to see if we are in enforcing mode in the config file
4. mount the /proc file system
5. look at /proc/cmdline, parse it to see if have an enforcing=
6. umount /proc is we mounted it
7. determine desired mode (enforcing or not based on above)
8. try to mount selinuxfs on /selinux (tests whether kernel knows of
a. If ENODEV, selinux is disabled in kernel
b. ERROR: We do not know if selinux is enabled or not, but this is an
9. if selinux is disabled in the config,
a. disable security
b. unmount selinuxfs
c go to end
10. Change kernel enforcing status to match
11. load security policy
The problem is step 8, since the only way to know whether the
kernel knows about selinux is to try to mount selinuxfs
_somewhere_. The somewhere happens to be /selinux.
> With the correct upper case the SELINUX_INIT=O boot option will make
> the error message go away. However i think this is not a mainstream
> solution. Something like "noselinux" would be much more logical.
Well, with SELINUX_INIT=O init itself does not try to load
policy. That is one solution. installing policycoreutils is
another. Living with the error message is yet another. Having
libselinux try and create a temp directory, mount selinuxfs there, and
remove the directory later, is yet another option. I don't think that
last option is really the best one here.
"Pull the wool over your own eyes!" J.R. "Bob" Dobbs
Manoj Srivastava <srivasta at acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
More information about the Debian-eeepc-devel