# [SOLVED] System doesn't boot after SELinux packages upgrade

## KrissN

After upgrading SELinux related packages from version 1.x to 2.0 (libsepol, libselinux, policycoreutils) the system doesn't boot any more. On startup, the kernel initializes correctly and launches init. But then init, instead of launching the services, just enters runlevel 3 and launches agetty:

```
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 6140k freed
grsec: mount of none to /proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: unmount of none by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of none to /selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
Clocksource tsc unstable (delta = -322612877 ns)
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1250625200.012:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1250625200.036:3): avc:  denied  { read } for  pid=1 comm="init" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
type=1400 audit(1250625200.056:4): avc:  denied  { getattr } for  pid=1 comm="init" path="/etc/ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
INIT: version 2.86 booting
type=1400 audit(1250625200.177:5): avc:  denied  { read } for  pid=1066 comm="rc" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
INIT: Entering runlevel: 3
type=1400 audit(1250625200.428:6): avc:  denied  { read } for  pid=1075 comm="agetty" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=file
type=1400 audit(1250625200.449:7): avc:  denied  { getattr } for  pid=1073 comm="agetty" path="/etc/ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=file
type=1400 audit(1250625200.469:8): avc:  denied  { search } for  pid=1074 comm="agetty" name="var" dev=sda6 ino=16385 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=dir
type=1400 audit(1250625201.540:9): avc:  denied  { create } for  pid=1072 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
type=1400 audit(1250625201.557:10): avc:  denied  { bind } for  pid=1076 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
type=1400 audit(1250625201.573:11): avc:  denied  { getattr } for  pid=1077 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

This is (none).unknown_domain (Linux i686 2.6.25-hardened-r10) 21:53:21

(none) login:
```

System used to boot fine even in enforcing mode, but now fails even in permissive mode, so those denials have no meaning.

System is x86 stable (with just the exception of SELinux policies, which are ~x86).
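A way to triage the denials quoted above, as an added example that is not from the original post: it parses AVC lines (the sample list is copied from the boot log in the post) and separates denials whose target type is file_t, the type carried by objects that have no label at all, from ordinary policy gaps. When unrelated domains such as init_t, initrc_t and getty_t all hit file_t on /etc/ld.so.cache, the filesystem has lost its labels and a relabel, not new allow rules, is the fix; the two-domain threshold for that verdict is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: AVC and INIT lines copied from the boot log quoted in the post.
SAMPLE_LOG = [
    'type=1400 audit(1250625200.036:3): avc:  denied  { read } for  pid=1 comm="init" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file',
    'type=1400 audit(1250625200.056:4): avc:  denied  { getattr } for  pid=1 comm="init" path="/etc/ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file',
    'INIT: version 2.86 booting',
    'type=1400 audit(1250625200.177:5): avc:  denied  { read } for  pid=1066 comm="rc" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file',
    'type=1400 audit(1250625200.428:6): avc:  denied  { read } for  pid=1075 comm="agetty" name="ld.so.cache" dev=sda6 ino=65551 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=file',
    'type=1400 audit(1250625200.469:8): avc:  denied  { search } for  pid=1074 comm="agetty" name="var" dev=sda6 ino=16385 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=dir',
    'type=1400 audit(1250625201.540:9): avc:  denied  { create } for  pid=1072 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket',
]

# Kernel AVC record: "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; only the type matters for this diagnosis.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def diagnose(lines):
    """Split denials into 'unlabeled filesystem' symptoms (target type file_t) and policy gaps."""
    unlabeled_domains = Counter()
    policy_gaps = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec["ttype"] == "file_t" and rec["tclass"] in ("file", "dir", "lnk_file"):
            unlabeled_domains[rec["stype"]] += 1  # the object carries no label at all
        else:
            policy_gaps.append((rec["stype"], rec["tclass"], tuple(rec["perms"])))
    # Heuristic (assumed threshold): two or more unrelated domains all hitting file_t
    # means the filesystem lost its labels; relabel instead of writing allow rules.
    if len(unlabeled_domains) >= 2:
        verdict = "relabel"
    elif unlabeled_domains or policy_gaps:
        verdict = "policy"
    else:
        verdict = "clean"
    return {"unlabeled": dict(unlabeled_domains), "policy_gaps": policy_gaps, "verdict": verdict}
```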

----------

## rjtupas

Hmm... I am certainly no expert, but I too run SELinux on Gentoo (except I do not use the hardened kernel). Perhaps Chris PeBenito on #gentoo-hardened on irc.freenode.net could help.

When I upgraded from 1.x to 2.x, Chris sent me a script to reload policy modules, since portage doesn't handle large updates to SELinux well. I've included the script below (refresh_policy.sh):

```
#!/bin/bash
# Rebuild and reload every currently loaded module for each policy store,
# using the freshly installed .pp files under /usr/share/selinux/<type>.
TYPES="strict targeted"

for i in $TYPES; do
        module_entries="/usr/share/selinux/$i"
        # Start with the new base module; the module .pp files are appended below.
        command_line="/usr/sbin/semodule -s $i -b $module_entries/base.pp"
        # Names of the modules currently loaded in this store, as <name>.pp
        loaded_mods=$(/usr/sbin/semodule -l -s $i | awk '{ print $1 ".pp" }')
        for j in $loaded_mods; do
                if [ -f "$module_entries/$j" ]; then
                        command_line="$command_line -i $module_entries/$j"
                elif [ -f "$j" ]; then
                        command_line="$command_line -i $j"
                else
                        echo "Couldn't find a match for ${j/.pp}"
                fi
        done
        # Load base and all modules in one transaction; left unquoted on purpose
        # so the accumulated options are word-split into separate arguments.
        $command_line \
                && echo "$i policy refresh succeeded." \
                || echo "$i policy refresh failed."
done
```

Hopefully this helps, else contact Chris on chat.

Cheers,

Randy

----------

## KrissN

Unfortunately this didn't help (but thanks anyway).

The system appears severely borked. I got into it by adding init=/bin/bash and mounting everything by hand. I can see no filesystem labels, id -Z claims there is no SELinux kernel running (the kernel is the same as previously, when the system still worked). I tried to upgrade the kernel to 2.6.28, but it throws a kernel BUG in selinux/avc.c. I don't know what the h... is going on there, but I'm slowly running out of options.

EDIT: Finally Chris's script + emerge -e system + relabel made the system bootable again.

----------

