Bug 1710083

Summary: Selinux policy 0:3.13.1-229.el7_6.12 causes "Login Incorrect" (system unusable)
Product: [oVirt] ovirt-engine Reporter: Strahil Nikolov <hunter86_bg>
Component: BLL.HostedEngineAssignee: Doron Fediuck <dfediuck>
Status: CLOSED INSUFFICIENT_DATA QA Contact: meital avital <mavital>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.3.3.7CC: bugs
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-05 15:47:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Rel-Eng RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
VNC console of HostedEngine after step 5
none
VNC console of HostedEngine after step 5 none

Description Strahil Nikolov 2019-05-14 20:28:17 UTC 
Created attachment 1568651 [details]
VNC console of HostedEngine after step 5

Description of problem:
After updating the selinux packages (needed several tries until figuring the guilty) the VNC console receives always "Login Incorrect" and the system never comes up.
No login prompt available.

Version-Release number of selected component (if applicable):

---> Пакет selinux-policy.noarch 0:3.13.1-229.el7_6.9  ---> Old
---> Пакет selinux-policy.noarch 0:3.13.1-229.el7_6.12 ---> BROKEN
---> Пакет selinux-policy-targeted.noarch 0:3.13.1-229.el7_6.9 ---> Old
---> Пакет selinux-policy-targeted.noarch 0:3.13.1-229.el7_6.12 ---> BROKEN

How reproducible:
Rolled back several times until pinpointing SELINUX

Steps to Reproduce:
1.Update from 0:3.13.1-229.el7_6.9 to 0:3.13.1-229.el7_6.12
2.Force relabel on next boot:
touch /.autorelable
3.Power down the HostedEngine VM
4.Power up the system
5.After relabel power up


Actual results:
Receive a constant flow of "Login Incorrect" message on the console

Expected results:
Login prompt and proper booting of the system to happen.

Additional info:
Workaround1: Add "enforcing=0" kernel parameter if grub timeout is larger than the default
Workaround2: Boot the HostedEngine from a rescue DVD and rollback  (from a chroot) the latest update via 'yum history undo last'
Comment 1 Strahil Nikolov 2019-05-14 20:50:40 UTC 
Step 2 contains error. 
Should be: touch /.autorelabel
Comment 2 Strahil Nikolov 2019-05-15 11:42:38 UTC 
Note: The attached screenshot is wrong , I will provide the correct one later today.
Comment 3 Strahil Nikolov 2019-05-15 17:03:06 UTC 
Created attachment 1569113 [details]
VNC console of HostedEngine after step 5

The first attachment was wrong, so now I'm attaching the real one.
Comment 4 Strahil Nikolov 2019-07-05 15:47:18 UTC 
Fixed this via reinstall of selinux rpms and full relabel