Bug 179092

Summary: unbootable becasue selinux denies access to ld.so.cache and libuuid.so.1.2
Product: [Fedora] Fedora Reporter: Andy Burns <fedora>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-01-28 16:55:57 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Andy Burns 2006-01-27 07:29:37 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

Description of problem:
System upgraded to rawhide 2006-01-26

I was previosuly using selinux=0 due to baddly labelled security contexts

Today I realised that selinux=0 remained in my grub.conf, so removed it and rebooted, system not bootable due to ld.so.cache and libuuid.so.1.2 being blocked.



Version-Release number of selected component (if applicable):
rawhide 2006-01-26

How reproducible:
Didn't try

Steps to Reproduce:
1. happens every boot with selinux enabled, not tried fresh install ....
2.
3.
  

Actual Results:  security:  3 users, 6 roles, 1117 types, 132 bools, 1 sens, 256 cats
security:  55 classes, 37531 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
Losing some ticks... checking if CPU frequency changed.
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
INIT: version 2.86 booting
audit(1138364602.246:2): avc:  denied  { read } for  pid=437 comm="hostname" name="ld.so.cache" dev=dm-0 ino=69273384 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1138364602.370:3): avc:  denied  { execute } for  pid=440 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
mount: error while loadaudit(1138364602.390:4): avc:  denied  { execute } for  pid=441 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
ing shared libraaudit(1138364602.410:5): avc:  denied  { execute } for  pid=442 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
ries: libuuid.so.1: failed to map segment from shared object: Permission denied
mount: error while loading shared libraries: libuuid.so.1: failed to map segment from shared object: Permission denied
                Welcome to Fedora Core
                Press 'I' to enter interactive startup.
audit(1138364603.126:6): avc:  denied  { read } for  pid=455 comm="hwclock" name="ld.so.cache" dev=dm-0 ino=69273384 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Setting clock  (utc): Fri Jan 27 12:23:24 GMT 2006 [  OK  ]
Starting udev:[  OK  ]
mount: error while loading shared libraries: libuuid.so.1: failed to map segment from shared object: Permission denied
Setting hostname htpc.lan:  [  OK  ]
No RAID disks
Setting up Logical Volume Management:   2 logical volume(s) in volume group "vg00" now active
[  OK  ]
Checking filesystems
fsck: error while loading shared libraries: libuuid.so.1: cannot open shared object file: No such file or directory
[FAILED]

*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
*** when you leave the shell.
*** Warning -- SELinux is active
*** Disabling security enforcement for system recovery.
*** Run 'setenforce 1' to reenable.
Give root password for maintenance



Additional info:
Comment 1 Daniel Walsh 2006-01-28 16:20:28 EST
You need to relabel your system.

touch /.autorelabel
reboot
You might have to boot in permissive mode.  Any time you run with selinux=0
files will get mislabeled.  You are always better to boot with enforcing=0 so
that file contexts are maintained.
Comment 2 Andy Burns 2006-01-28 16:55:57 EST
the relabel fixed it, is the mere presence of the .autorelabel the trigger, or
it's timestamp relative to something else?

Thanks for the enforcing=0 tip too, I still have quite a blindspot about
selinux, so it seems that jumping to selinx=0 can be a short term cure, but
longer term headache, though many people on the devel and test lists recommend
selinux=0 at the first hint of an selinux issue :-(

Comment 3 Daniel Walsh 2006-01-28 17:09:11 EST
That is unfortunate.  Next time you see it maybe you can make this comment.