[DSE-Dev] Bug#756729: Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

Andreas Florath andre at flonatel.org
Sat Aug 2 05:38:30 UTC 2014


Hello Mika,

it looks like my reply from yesterday was lost - maybe because of the attachments.
Attached to this mail you will find the lost mail.

The dhcp module was already loaded:

root@debselinux01:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      26

root@debselinux01:~# semodule -l
apm	1.11.0	
dbus	1.15.0	
devicekit	1.1.0	
dhcp	1.9.0	
dmidecode	1.4.0	
gpg	2.4.0	
lvm	1.13.0	
netutils	1.11.0	
ptchown	1.1.0	
ssh	2.2.0	
tcpd	1.4.0	
tzdata	1.4.0	
unconfined	3.3.0	
usbmodules	1.2.0


Trying to load it again does not change things - the problem still
exists:

root@debselinux01:~# semodule -i /usr/share/selinux/default/dhcp.pp
root@debselinux01:~# semodule -l
apm	1.11.0	
dbus	1.15.0	
devicekit	1.1.0	
dhcp	1.9.0	
dmidecode	1.4.0	
gpg	2.4.0	
lvm	1.13.0	
netutils	1.11.0	
ptchown	1.1.0	
ssh	2.2.0	
tcpd	1.4.0	
tzdata	1.4.0	
unconfined	3.3.0	
usbmodules	1.2.0	

Then I tried:

root@debselinux01:~# cd /usr/share/selinux/default
root@debselinux01:/usr/share/selinux/default# for f in *.pp; do echo "Loading $f" ; semodule -i $f; done
Loading acct.pp
Loading ada.pp
Loading afs.pp
[...]

Some are failing because of unmet dependencies; therefore another round:

root@debselinux01:/usr/share/selinux/default# for f in *.pp; do echo "Loading $f" ; semodule -u $f; done

With the result that it now reliably fails :-)
Every time after reboot eth0 is not available.

The only AVC I found in the logging is the one about mounts and modules.dep.

Also here: after disabling SELinux (setting it to permissive) the
problem is not reproducible. (Tried 47 reboots).

Kind regards

Andre

P.S.: I tried to reproduce this with Jessie: 428 reboots without any
      occurrence of the problem.



----- The lost mail -----

Hello Mika,

very strange things happen: yesterday this bug happened (as I
remember) every time I booted.  Today this changed somehow: it only
happens from time to time - but at least it happens.

Because the network interface is not working when the problem appears,
I attached some console screenshots with the output of the commands
you suggested.

My idea then was that this might not be a problem of the
selinux-policy package. Therefore I set SELINUX=permissive and wrote a
small script which connects via network interface to the machine and
reboots it.  I stopped the test after 238 reboots - not one occurrence
of the problem.  I set SELINUX back to enforcing, and the
problem occurs about every 1-4 boots.

So there might be the possibility that it has something to
do with the selinux-policy.

I managed to create a minimal Debian 7 VM with SELinux set to enforced
where this problem occurs (from time to time).  If you want, I can
provide the VM - and my reboot-test script.  (The size of the
compressed image is about 265MiByte.)

Kind regards

Andre


