Bug 119198

Summary: make [re]load fails from the single-user shell
Product: [Fedora] Fedora
Reporter: Aleksey Nogin <aleksey>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: gczarcinski, leonard-rh-bugzilla, pgraner, sdsmall
Hardware: All   
OS: Linux   
Whiteboard: triage|leonardjo|closed|rawhide
Fixed In Version: 1.9.1-2
Doc Type: Bug Fix
Last Closed: 2004-05-10 17:45:09 UTC
Bug Blocks: 122683

Description Aleksey Nogin 2004-03-26 08:44:12 UTC
If I boot into single user, cd to /etc/security/selinux/src/policy and
try "make load" or "make reload", it fails in enforcing mode.
Specifically, it cannot execute checkpolicy. The log messages are:

Mar 25 23:45:38 dell kernel: security_compute_sid:  invalid context system_u:system_r:checkpolicy_t for scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:checkpolicy_exec_t tclass=process
Mar 25 23:45:38 dell kernel: security:  context system_u:system_r:checkpolicy_t is invalid

Comment 1 Stephen Smalley 2004-03-26 15:28:20 UTC
sulogin should be setting the admin shell context to
root:sysadm_r:sysadm_t, which would be able to run checkpolicy.
From the message above, it appears that your single user shell is
running as system_u:system_r:sysadm_t, and system_r is not authorized
for checkpolicy_t.  First question is:  Why isn't sulogin being run,
or is there a problem with the sulogin patch?

A workaround would be to add 'role system_r types checkpolicy_t;' to
checkpolicy.te to authorize the role for the domain.  Or you could add
'role_transition system_r checkpolicy_exec_t sysadm_r;' to force a
transition in role upon executing checkpolicy.
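
Added example (not part of the original bug thread or of the Fedora policy sources): Python code that parses the security_compute_sid message from the description and checks the computed context against a role-to-types table, the authorization Comment 1 says is missing for system_r. The table contents and the names DENIAL_RE, REPORT_LINE, ROLE_TYPES, split_context and diagnose are assumptions made for illustration.

```python
import re

# Layout of the kernel message quoted in the report (wrapped there, one line here).
DENIAL_RE = re.compile(
    r"security_compute_sid:\s+invalid context\s+(?P<new>\S+)\s+for\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# The message from the report, joined onto a single line.
REPORT_LINE = (
    "Mar 25 23:45:38 dell kernel: security_compute_sid:  invalid context "
    "system_u:system_r:checkpolicy_t for scontext=system_u:system_r:sysadm_t "
    "tcontext=system_u:object_r:checkpolicy_exec_t tclass=process"
)

# Constructed role -> types table mirroring the situation described in
# Comment 1; it is an assumption, not an extract of the Fedora policy.
ROLE_TYPES = {
    "sysadm_r": {"sysadm_t", "checkpolicy_t"},
    "system_r": {"sysadm_t"},
}


def split_context(context):
    """Return (user, role, type); any trailing MLS fields are ignored."""
    user, role, type_ = context.split(":")[:3]
    return user, role, type_


def diagnose(line, role_types):
    """Explain one security_compute_sid message, or return None if no match."""
    match = DENIAL_RE.search(line)
    if match is None:
        return None
    _, role, new_type = split_context(match["new"])
    _, source_role, source_type = split_context(match["scontext"])
    authorized = new_type in role_types.get(role, set())
    return {
        "source_role": source_role,
        "source_type": source_type,
        "entrypoint": split_context(match["tcontext"])[2],
        "computed": match["new"],
        "role_authorized": authorized,
        # Rule form quoted in Comment 1 as the workaround.
        "missing_rule": None if authorized else f"role {role} types {new_type};",
    }
```

Calling diagnose(REPORT_LINE, ROLE_TYPES) reports that system_r is not authorized for checkpolicy_t and returns the role statement Comment 1 proposes as a workaround.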

Comment 2 Aleksey Nogin 2004-03-26 19:43:35 UTC
> First question is:  Why isn't sulogin being run,

The sulogin is only run AFAIK when there is some problem with fsck or
RAID. I am not talking about that - I am talking about the shell
prompt you get (w/o having to enter the root password) when booting
into the single-user mode.


Comment 3 Daniel Walsh 2004-04-01 17:59:09 UTC
This should be fixed by the latest policy 1.9.1-2

Comment 4 Stephen Smalley 2004-04-01 18:17:46 UTC
sulogin can be run for single-user boots via inittab; this ensures
that even a single-user boot requires root password.  A good idea, IMHO,
but your choice...