Bug 1263570
Summary: | Selinux prevents system from rebooting after update to new policy | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Schindler <pschindl> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 23 | CC: | awilliam, canyon, dominick.grift, dwalsh, fkooman, germano.massullo, kparal, lvrabec, mgrepl, mike, plautrba, pschindl, rdieter, redhat-bz, rmy, robatino |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-09-28 07:51:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1170821 | | |

Description
Petr Schindler
2015-09-16 08:27:35 UTC

Petr, can you really confirm you get this AVC with selinux-policy{,-targeted}-3.13.1-147.fc23.noarch?

```
#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t power_unit_file_t:service start;
```

The same problem occurs on F22 with selinux-policy-3.13.1-128.13.fc22. Until reboot, systemctl can't be used (*any* command). After reboot, everything is fine. Offline updates are not affected, just live dnf updates.

I believe that I suffered from the same bug yesterday, and so did several users in #fedora. It seems that the fix is as simple as `systemctl daemon-reexec`; however, I do not know enough about SELinux to tell whether this is really sufficient, why it is even necessary, etc. A reboot, of course including a restart of systemd, also works. #1261747 appears to be the very same problem.

You are correct, `systemctl daemon-reexec` is needed. The problem is with a policy update which is not paired with a systemd update. There are backported policy changes which also require a systemd reload to make SELinux+systemd work correctly.

Discussed at 2015-09-22 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-22/f23-blocker-review.2015-09-22-16.00.html. We agreed that there is not sufficient data to determine whether this is a release blocking issue. The release blocker process mainly relates to the packages on the frozen release media - the live images, Server DVD and so on. Is there any circumstance in which this bug would cause a problem if some version of selinux-policy were on the frozen media, or is it an issue that can only happen when doing a package update, and that could thus always be fixed with an update? Thanks!

*** This bug has been marked as a duplicate of bug 1224211 ***