Skip to content

re-generated initramfs is missing essential files if selinux is disabled #5483

New issue
New issue
Open
Open
re-generated initramfs is missing essential files if selinux is disabled#5483
@Mershl

Description

@Mershl
Mershl
opened on Sep 6, 2025

Describe the bug

A override replace that triggers a re-generation of the initramfs will lead to an unbootable deployment on systems with disabled selinux. The generated initramfs on an affected system is missing a lot of essential files.

Reproduction steps

  1. clean install SB42 (tested iso 42.1.1) on bare metal or VM
  2. rpm-ostree update -r
  3. rpm-ostree kargs --append=selinux=0
  4. reboot
  5. override replace a package that triggers an re-generation of the initramfs
    rpm-ostree override replace 'https://bodhi.fedoraproject.org/updates/FEDORA-2025-261e8b1553'
    (tested replacing kernel 6.16.4 with 6.15.10)
  6. on step "Generating initramfs..." the journal logs cp and dracut-install errors and mention selinux permissions
rpm-ostree: cp: setting attribute 'security.selinux' for 'security.selinux': Operation not permitted
rpm-ostree: dracut-install: ERROR: 'cp --reflink=auto --sparse=auto --preserve=mode,xattr,timestamps,ownership -fL /usr/lib/modules/6.15.10-200.fc42.x86_64/modules.builtin /tmp/dracut/dracut.d8mUv57/initramfs/lib/modules/6.15.10-200.fc42.x86_64/modules.builtin' failed with 1
rpm-ostree: dracut-install: ERROR: installing '/usr/lib/modules/6.15.10-200.fc42.x86_64/modules.builtin' to '/lib/modules/6.15.10-200.fc42.x86_64/modules.builtin'
[...]
  1. reboot
  2. the new deployment will enter systemd emergency mode as essential files are missing

Expected behavior

re-generated initramfs is mostly equal between an selinux=enforcing and selinux=disabled system.

Actual behavior

The generated initramfs is missing essential files leading to an unbootable deployment.

System details

rpm-ostree --version
rpm-ostree:
 Version: '2025.10'
 Git: b70e74e17ee41b058b4646de326084a3f84f9553
 Features:
  - rust
  - compose
  - container
  - fedora-integration

tested with Silverblue 42.20250906.0

Additional information

the first essential that is missing, that causes an emergency mode is usr/lib/systemd/systemd-sysroot-fstab-check

an healthy initramfs will show an entry for
sudo lsinitrd /boot/ostree/fedora-<ID>/initramfs*.fc42.x86_64.img 2>/dev/null | grep fstab-check

an unhealthy/affected initramfs will show none.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions