Bug 178125

Summary: rc.sysinit complaining after selinux policy rebuild
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, rvokal
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-01-27 06:20:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150221    
Attachments:
Description Flags
system dmesg after relabel boot
none
audit.log on the same system, starting with last auditd start none

Description Nicolas Mailhot 2006-01-17 21:32:31 UTC 
Description of problem:

after a policy rebuild rc.sysinit will complain about a write error invalid
argument on line 73

Version-Release number of selected component (if applicable):

initscripts-8.20-1

How reproducible:

always

Steps to Reproduce:
1. touch /.autorelabel
2. reboot
3. read system messages after the relabeling ended
Comment 1 Daniel Walsh 2006-01-17 21:49:01 UTC 
What error messages are you seeing?  Are you seeing any AVC messages in
/var/log/audit/audit.log or /var/log/messages?
Comment 2 Nicolas Mailhot 2006-01-17 21:58:01 UTC 
Well, I don't know if it's relevant or not - I usually ignore the avcs during
the policy relabel boot. Anyway, my dmesg says has a lot of things in it
(luckily I haven't rebooted yet)

This is using policy 2.1.12-2, I think the problem is older
Comment 3 Daniel Walsh 2006-01-17 22:05:50 UTC 
Could you attach those avc messages?
Comment 4 Nicolas Mailhot 2006-01-17 22:06:44 UTC 
Created attachment 123336 [details]
system dmesg after relabel boot
Comment 5 Nicolas Mailhot 2006-01-17 22:07:29 UTC 
Created attachment 123337 [details]
audit.log on the same system, starting with last auditd start
Comment 6 Nicolas Mailhot 2006-01-17 22:20:47 UTC 
The actual sysinit error deos not seem to have been logged anywhere (sorry about
the lag, network is fluctuating wildly there)
Comment 7 Bill Nottingham 2006-01-17 22:34:29 UTC 
Hm, line 73 is where it resets the SELinux mode (enforcing, permissive, etc.)

So this would imply that before it started relabeling, it's running in the wrong
domain, and can't change the mode back? I suppose we would need to catch that
and then reboot, but without the error message, not sure what we'd check for. :/
Comment 8 Daniel Walsh 2006-01-17 22:49:14 UTC 
It Should be running in initrc_t.  

Many fixes in policy for fetchmail problems.

if id -Z not = initrc_t reboot.

Or if it could tell init to start the rc script again?
Of course init needs to be running as init_t...
Comment 9 Bill Nottingham 2006-01-17 22:59:53 UTC 
The test at the moment is:

REBOOTFLAG=`restorecon -v /sbin/init`

(i.e., if init has the wrong context on the file, then reboot.)

Should we just check for initrc_t instead?
Comment 10 Daniel Walsh 2006-01-27 06:20:48 UTC 
No that is fine.