Bug 2182033
| Summary: | SELinux prevents Fedora to boot in systemd.volatile=overlay mode | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marc Muehlfeld <mmuehlfe> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | ASSIGNED | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 38 | CC: | dwalsh, filip9843, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Hardware: | Unspecified | OS: | Unspecified |
| Type: | Bug | | |
Problem still exists with latest updates:

selinux-policy-38.10-1.fc38.noarch
systemd-253.2-1.fc38.x86_64

Marc,

This seems to be a less used scenario, can you give us a use case example?
Do you happen to know what has changed since the fix for bz#2128246 was confirmed working?

> This seems to be a less used scenario, can you give us a use case example?

My use case for having a temporary overlay filesystem on root is that I use this feature to test things when I don't want to mess up my system. I can install software or do other things and, after the next reboot, the changes are gone.

Another use case I know from a friend: They have some Linux hosts that random people use. It's a kind of public host to access the internet. They boot the machines with the systemd.volatile=overlay option. Once they reboot, the system is back in its previous clean state.

> Do you happen to know what has changed since the fix for bz#2128246 was confirmed working?

I don't know what has changed. On a laptop with an up-to-date Fedora 37 (this was the version for which I filed bz#2128246), the feature works. On an up-to-date Fedora 38 (fresh install, no upgrade), the system hangs during the boot.

Meanwhile, I tried the following workaround (and it works):

1) Download the latest selinux-policy and selinux-policy-targeted packages from Fedora 37:

```
# wget https://ftp.halifax.rwth-aachen.de/fedora/linux/updates/37/Everything/x86_64/Packages/s/selinux-policy-37.19-1.fc37.noarch.rpm
# wget https://ftp.halifax.rwth-aachen.de/fedora/linux/updates/37/Everything/x86_64/Packages/s/selinux-policy-targeted-37.19-1.fc37.noarch.rpm
```

2) Remove smartmontools (it has some selinux dependencies):

```
# dnf remove smartmontools
```

3) Install the F37 packages on F38:

```
# dnf install selinux-policy*.rpm
```

4) Reboot and add "systemd.volatile=overlay" to the kernel command line.

Result: System boots as expected and the root file system is an overlayfs. From a quick check, the system seems to work as expected.

So the problem is in the diff of the F37 and F38 packages.

Last time, debugging was easier because the system booted and only systemd-resolved didn't work, so I could provide logs. This time, the system hangs during the boot. Therefore, I'm not sure how I can get any logs. Because of the tmpfs overlay, the log entries that were written during the boot when it hangs are gone as soon as I reboot without systemd.volatile=overlay.

I suppose it is in a state when debug-shell works:
boot the system with the volatile options and
systemd.unit=debug-shell.service
then ctrl-alt-f9

I will try to reproduce and find the details on my own.

Zdenek, I am also affected by this regression. I've tested it with the latest versions of those packages and can confirm that the bug still persists:

selinux-policy-38.17-1.fc38
systemd-253.5-1.fc38
Created attachment 1953921
screenshot console

Description of problem:
The systemd.volatile=overlay mode is useful for testing purposes. However, Fedora 38 hangs during the startup if you boot the kernel with the systemd.volatile=overlay option. It works if SELinux is disabled.

Version-Release number of selected component (if applicable):
selinux-policy-38.8-2.fc38.noarch
systemd-253-6.fc38.x86_64

How reproducible:
Always on F38.

Steps to Reproduce:
1. Install F38 beta.
2. Boot F38.
3. Optional: Install the latest updates (dnf update).
4. Add the "overlay" driver to the initrd:

   ```
   # echo 'add_drivers+=" overlay "' > /etc/dracut.conf.d/01-overlay.conf
   # dracut -vf --regenerate-all
   ```

5. Reboot.
6. Append "systemd.volatile=overlay" to the kernel command line in GRUB, and boot.

Actual results:
System hangs during boot. The last line shown on the console is:
Starting systemd-hostnamed.service - Hostname Service.

Expected results:
System should boot and overlay mode should work as in previous Fedora versions.

Additional info:
- It works on Fedora 37 and previous versions.
- If you disable SELinux in /etc/sysconfig/selinux, the overlay mode works.
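
The comments above note that logs from the hung volatile boot are lost at reboot and suggest working from the debug shell. As an added example (not from the bug report or the selinux-policy project), this script confirms the boot mode and condenses AVC denial records into per-type counts that can be attached to the bug. The sample command line, mount table and audit lines, including the `demo_t` and `demo2_t` types, are constructed and are not the denials behind this bug.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report. All sample data is constructed.

# Value of systemd.volatile= in a kernel command line ("yes" if bare, "no" if absent).
volatile_mode() {
    for arg in $1; do
        case "$arg" in
            systemd.volatile=*) echo "${arg#systemd.volatile=}"; return ;;
            systemd.volatile)   echo yes; return ;;
        esac
    done
    echo no
}

# Filesystem type of / from /proc/mounts-format text on stdin (last mount wins).
root_fstype() {
    awk '$2 == "/" { t = $3 } END { print t }'
}

# Group AVC denials on stdin by source type, target type, class and permissions.
avc_summary() {
    awk '/avc:/ && /denied/ {
        perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        s = t = c = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " -> " t " " c " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample inputs (NOT the denials from this bug, which the report lacks).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=UUID=0000 ro rhgb systemd.volatile=overlay systemd.unit=debug-shell.service'
SAMPLE_MOUNTS='/dev/sda2 / ext4 ro,seclabel 0 0
overlay / overlay rw,seclabel,lowerdir=/run/a,upperdir=/run/b,workdir=/run/c 0 0'
SAMPLE_AUDIT='type=AVC msg=audit(1.1:10): avc:  denied  { read } for  pid=8 comm="demo" name="f" dev="overlay" ino=5 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1.2:11): avc:  denied  { read } for  pid=8 comm="demo" name="g" dev="overlay" ino=6 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1.3:12): avc:  denied  { getattr } for  pid=9 comm="demo2" path="/x" dev="overlay" ino=7 scontext=system_u:system_r:demo2_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0'

echo "volatile mode: $(volatile_mode "$SAMPLE_CMDLINE")"
echo "root fstype:   $(printf '%s\n' "$SAMPLE_MOUNTS" | root_fstype)"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On the affected system the same functions can be fed `/proc/cmdline`, `/proc/mounts` and the output of `dmesg` or `ausearch -m AVC -ts boot` from the debug shell. Write the result to a non-volatile location, since writes to the tmpfs overlay are discarded at reboot.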