Bug 1692903

Summary: Disabled SELinux && --norootpass produces unbootable images
Product: [Fedora] Fedora Reporter: Jan Kratochvil <jan.kratochvil>
Component: fedora-arm-installerAssignee: Paul Whalen <pwhalen>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jan.kratochvil, jonc_mailbox, oliver, pbrobinson, pwhalen
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: aarch64   
OS: Linux   
URL: https://pagure.io/arm-image-installer/pull-request/38
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-06 04:09:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
journalctl from SELINUX=enabled image created on SELINUX=disabled host none

Description Jan Kratochvil 2019-03-26 16:34:00 UTC
Created attachment 1548154 [details]
journalctl from SELINUX=enabled image created on SELINUX=disabled host

Description of problem:
I was struggling to create a simple bootable image for Raspberry Pi 3B+:
  Raspberry Pi 3B+ fails to boot aarch64 image
  https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org/thread/TAQQM2BQTPHVEDAL5N4PLWVIZDADUK5H/
I have finally found why.

Version-Release number of selected component (if applicable):
arm-image-installer-2.10-1.fc29.noarch

How reproducible:
Always.

Steps to Reproduce:
echo >/etc/sysconfig/selinux SELINUX=disabled
reboot
fedora-arm-image-installer --image=...
Boot Raspberry Pi 3B+ with the image.

Actual results:
        https://www.jankratochvil.net/t/rpi3fail.jpg
        [FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
        ...
        [FAILED] Failed to start Modem Manager

Expected results:
Booted system.

Additional info:
The fix is to mount the image and set SELINUX=disabled also in the image.
It then boots for me with "3" into a text login prompt.
The default graphical boot still does not work but that is some different problem.

Comment 1 Peter Robinson 2019-03-26 16:37:07 UTC
Why are you disabling SELinux? At worst you should be putting it in permissive mode. Also no sure what this has to do with arm-image-installer

Comment 2 Jan Kratochvil 2019-03-26 16:48:12 UTC
(In reply to Peter Robinson from comment #1)
> Why are you disabling SELinux?

That is offtopic for this Bug.  Fedora does have such option.

> At worst you should be putting it in permissive mode.

That is offtopic for this Bug.  Fedora does have such option.

> Also no sure what this has to do with arm-image-installer

Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug instead of arm-image-installer for example just printing a fatal error:
  Building images on host with disabled SELinux is not supported.

I see now there are --selinux=off and --relabel options but I had no idea the failing Raspberry boots are due to SELinux.

(Only after realizing the failing boot records its messages to the USB drive itself which can be investigated afterwards, it looks simple but I did not realize it before.)

Comment 3 Peter Robinson 2019-03-26 16:52:21 UTC
(In reply to Jan Kratochvil from comment #2)
> (In reply to Peter Robinson from comment #1)
> > Why are you disabling SELinux?
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > At worst you should be putting it in permissive mode.
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > Also no sure what this has to do with arm-image-installer

Arguably you disabling SELinux and reporting the problem is "offtopic for this package" so it is completely relevant for this bug to ascertain whether the bug is actually in this package. Please do not be rude.

> Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug
> instead of arm-image-installer for example just printing a fatal error:
>   Building images on host with disabled SELinux is not supported.
> 
> I see now there are --selinux=off and --relabel options but I had no idea
> the failing Raspberry boots are due to SELinux.

I believe SELinux is completely unrelated to the problem and that this has nothing to do what so ever with arm-image-installer

> (Only after realizing the failing boot records its messages to the USB drive
> itself which can be investigated afterwards, it looks simple but I did not
> realize it before.)

Comment 4 Jan Kratochvil 2019-03-26 17:06:05 UTC
(In reply to Peter Robinson from comment #3)
> I believe SELinux is completely unrelated to the problem and that this has
> nothing to do what so ever with arm-image-installer

This Bug is fixable on my host system configuration by:
  echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

If this is not the proper fix you as the package owner should suggest a better one. But this fix does work for me.

Comment 5 Peter Robinson 2019-03-26 17:13:38 UTC
> This Bug is fixable on my host system configuration by:
>   echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

Disabling SELinux is not a fix, it's a work around.

> If this is not the proper fix you as the package owner should suggest a
> better one. But this fix does work for me.

You need to describe the problem you are seeing that you believe this issue fixes when booting the image. You need state exactly which image you are using, the full file name would provide the details.

Comment 6 Jan Kratochvil 2019-03-26 17:35:52 UTC
The problem I was seeing before my proposed fix is described in Comment 0.
It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+ from my Fedora 29 x86_64 host.

(In reply to Peter Robinson from comment #5)
> Disabling SELinux is not a fix, it's a work around.

As long as normal Fedora supports SELINUX=disabled (which AFAIK it does) fedora-arm-image-installer should also support creating ARM images with SELINUX=disabled.

Currently fedora-arm-image-installer creating SELINUX=enabled image on SELINUX=disabled host will quietly create an unbootable image.  That is this Bug.

fedora-arm-image-installer should either exit with error in such case or fix up the image somehow - maybe automatically enable --relabel? I haven't tried that.

Comment 7 Paul Whalen 2019-03-26 18:03:25 UTC
(In reply to Jan Kratochvil from comment #6)
> The problem I was seeing before my proposed fix is described in Comment 0.
> It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and
> from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+
> from my Fedora 29 x86_64 host.
> 
> (In reply to Peter Robinson from comment #5)
> > Disabling SELinux is not a fix, it's a work around.
> 
> As long as normal Fedora supports SELINUX=disabled (which AFAIK it does)
> fedora-arm-image-installer should also support creating ARM images with
> SELINUX=disabled.

The arm-image-installer writes out the arm images and makes some small tweaks
to the media. It is not a true 'installer'. 

> 
> Currently fedora-arm-image-installer creating SELINUX=enabled image on
> SELINUX=disabled host will quietly create an unbootable image.  That is this
> Bug.

It will write what ever image you give it, there is no guarantee it will boot
on your hardware. If you do run into bugs, please file it on the appropriate
package. 

> 
> fedora-arm-image-installer should either exit with error in such case or fix
> up the image somehow - maybe automatically enable --relabel? I haven't tried
> that.

On the Fedora 30 aarch64 Workstation image, there is a gnome-shell crash on the
rpi3. It is unrelated to this package.

Comment 8 Jan Kratochvil 2019-03-26 18:32:36 UTC
(In reply to Paul Whalen from comment #7)
> The arm-image-installer writes out the arm images and makes some small tweaks
> to the media. It is not a true 'installer'.

If it is not an installer rename it to arm-image-tweaker.  But that still would not solve its bugs.


> It will write what ever image you give it, there is no guarantee it will boot
> on your hardware. If you do run into bugs, please file it on the appropriate
> package. 

The bug is in fedora-arm-installer because --norootpass modifies image's /etc/passwd corrupting its SELinux context.


I sure disagree with closing this Bug but next people facing this Bug can at least google out this bugreport how to fix it.

Comment 9 Paul Whalen 2019-03-26 18:43:17 UTC
(In reply to Jan Kratochvil from comment #8)
> (In reply to Paul Whalen from comment #7)
> > The arm-image-installer writes out the arm images and makes some small tweaks
> > to the media. It is not a true 'installer'.
> 
> If it is not an installer rename it to arm-image-tweaker.  But that still
> would not solve its bugs.

I am happy to fix the bugs you encounter, but the description thus far has been of 
issues outside the script. 

> 
> 
> > It will write what ever image you give it, there is no guarantee it will boot
> > on your hardware. If you do run into bugs, please file it on the appropriate
> > package. 
> 
> The bug is in fedora-arm-installer because --norootpass modifies image's
> /etc/passwd corrupting its SELinux context.

This is the first you mentioned using that option in this bug. Indeed that would
be an issue with the installer. I can look at that. 

> 
> I sure disagree with closing this Bug but next people facing this Bug can at
> least google out this bugreport how to fix it.

In the future it would be helpful for you to include all relevant information in
the bug- the command and image used at a minimum.

Comment 10 Jan Kratochvil 2019-03-26 20:01:02 UTC
(In reply to Paul Whalen from comment #9)
> In the future it would be helpful for you to include all relevant
> information in the bug- the command and image used at a minimum.

OK, sorry, only later I realized it is due to --norootpass which I have always used.
Originally I expected any usage of fedora-arm-image-installer from SELINUX=disabled host does reproduce this problem.

fedora-arm-image-installer --image=Fedora-Workstation-30-20190315.n.0.aarch64.raw.xz --media=/dev/sda --resizefs --target=rpi3 --norootpass

Comment 11 Jan Kratochvil 2019-06-25 11:13:42 UTC
https://pagure.io/arm-image-installer/pull-request/38

Comment 12 Fedora Update System 2019-06-26 18:54:18 UTC
FEDORA-2019-2dd9f78d69 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2dd9f78d69

Comment 13 Fedora Update System 2019-06-27 01:41:45 UTC
arm-image-installer-2.13-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cd0e1fc4b

Comment 14 Fedora Update System 2019-06-27 02:43:47 UTC
arm-image-installer-2.13-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2dd9f78d69

Comment 15 Fedora Update System 2019-07-06 04:09:14 UTC
arm-image-installer-2.13-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.