Bug 1155468

Summary:	systemd does not properly report errors when booting fails because it cannot load selinux policy
Product:	[Fedora] Fedora	Reporter:	Till Maas <opensource>
Component:	systemd	Assignee:	Zbigniew Jędrzejewski-Szmek <zbyszek>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	20	CC:	dominick.grift, dwalsh, johannbg, jsynacek, jvanek, lnykryn, lvrabec, mgrepl, msekleta, opensource, plautrba, s, systemd-maint, vpavlin, zbyszek
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	systemd-208-29.fc20	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-01-09 11:53:34 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Till Maas 2014-10-22 08:00:33 UTC

Description of problem:
A F20 system fails to boot and the last boot message is:
[ OK ] Reached target Initrd Default Target

Then nothing happens. Booting with rhgb and quiet removed from the kernel command line and rd.debug added reveals an error message from systemd[1] that it freezes because the selinux policy fails to load. However it should be more obvious in the normal case when booting fails why this happens and that it happend, because there is no indication that nothing will happen in the default case.

Version-Release number of selected component (if applicable):
systemd-208-22.fc20
dracut-037-11.git20140402.fc20

How reproducible:
unknown, it is still unclear why the selinux policy fails to load

Comment 1 Till Maas 2014-10-27 12:23:23 UTC

To reproduce change in
/etc/selinux/config 
SELINUXTYPE=targeted
to
SELINUXTYPE=disabled

Comment 2 Jan Synacek 2014-11-05 08:16:14 UTC

Such SELinux configuration is invalid. If you want to disable SELinux, change the SELINUX variable, not SELINUXTYPE.

Comment 3 Till Maas 2014-11-05 08:27:06 UTC

(In reply to Jan Synacek from comment #2)
> Such SELinux configuration is invalid. If you want to disable SELinux,
> change the SELINUX variable, not SELINUXTYPE.

I agree, however this bug is about Fedora not properly telling that this configuration is invalid but only saying "[ OK ] Reached target Initrd Default Target" and failing to boot.

Comment 4 Zbigniew Jędrzejewski-Szmek 2014-11-06 03:10:25 UTC

We are loading the policy and it is our job to inform the user in big bold letters if that fails.

Comment 5 Jan Synacek 2014-11-07 10:09:00 UTC

OK, so this happens only when SELINUX=enforcing and SELINUXTYPE=<whatever invalid>. I'll dig into it.

Also, please excuse my quick decision on in Comment 2, I didn't know systemd actually loaded the policy.

Comment 6 Jan Synacek 2014-11-07 20:01:22 UTC

After all, freezing the system when systemd isn't able to load the policy in enforcing mode is expected.

http://lists.freedesktop.org/archives/systemd-devel/2014-November/025059.html

Closing as NOTABUG.

Comment 7 Till Maas 2014-11-09 14:46:19 UTC

(In reply to Jan Synacek from comment #6)
> After all, freezing the system when systemd isn't able to load the policy in
> enforcing mode is expected.
> 
> http://lists.freedesktop.org/archives/systemd-devel/2014-November/025059.html
> 
> Closing as NOTABUG.

Yes, it is good to freeze the system. However, the error reporting should be improved, since "Failed to load SELinux policy. Freezing." is not reliable displayed, but "[ OK ] Reached target Initrd Default Target" is the last message. See also comment:4 where Zbigniew agrees that a user should be properly notified.

Comment 8 Zbigniew Jędrzejewski-Szmek 2014-11-10 03:05:22 UTC

Yeah, I have a patch ready, but I want to test it a bit before committing.

Comment 9 Zbigniew Jędrzejewski-Szmek 2014-11-26 20:25:39 UTC

So, I pushed a patch upstream http://cgit.freedesktop.org/systemd/systemd/commit/?id=cb6531bee6, but it might not make it into F20... If it conflicts a lot, the fix will only go to F21.

Comment 10 jiri vanek 2014-12-05 14:45:06 UTC

*** Bug 1170665 has been marked as a duplicate of this bug. ***

Comment 11 Jan Synacek 2015-01-06 12:48:32 UTC

F21:
http://pkgs.fedoraproject.org/cgit/systemd.git/commit/?h=f21&id=ed5fc99b3c5977ab09d48442dc0be20845f3f81a

F20:
http://pkgs.fedoraproject.org/cgit/systemd.git/commit/?h=f20&id=4d68180abf28786f38b7ecbbee6d9f8714e13cb2

Comment 12 Fedora Update System 2015-01-06 13:51:46 UTC

systemd-208-29.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/systemd-208-29.fc20

Comment 13 Fedora Update System 2015-01-06 13:52:49 UTC

systemd-216-14.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/systemd-216-14.fc21

Comment 14 Fedora Update System 2015-01-07 01:24:34 UTC

Package systemd-216-14.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-216-14.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0251/systemd-216-14.fc21
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2015-01-09 11:53:34 UTC

systemd-216-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-01-14 23:57:14 UTC

systemd-208-29.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.