Bug 583659

Summary: SELinux context wrong after using preugprade
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: awilliam, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-6.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-28 03:07:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 507681    
Attachments:
Description Flags
system logs none

Description Kamil Páral 2010-04-19 10:51:26 UTC 
Created attachment 407546 [details]
system logs

Description of problem:
Used preugprade from F12 to F13 Branched. After re-booting NFS statd and HAL fail to start. Xorg fails to start. Fully updated from updates-testing, rebooted. statd and HAL still fail to start, but at least Xorg works now. NetworkManager doesn't want to connect to network.

After inspecting logs it seems like SELinux issue. When booted with enforcing=0 kernel option, all services start up fine, everything works.

While updating packages with preupgrade there must have been some problem with SELinux and it is now blocking many services and programs.

All logs attached.

Version-Release number of selected component (if applicable):
libselinux-2.0.90-5.fc13.x86_64
libselinux-python-2.0.90-5.fc13.x86_64
libselinux-utils-2.0.90-5.fc13.x86_64
selinux-policy-3.7.15-4.fc13.noarch
selinux-policy-targeted-3.7.15-4.fc13.noarch

How reproducible:
did preugprade from F12 to F13 twice, happened everytime

Additional info:
This could be the same issue as reported in bug 505772.

Also please note that for verifying this issue the fix must be committed to stable F13 repository, not F13 updates-testing. Because preupgrade does not download packages from updates-testing.

I have no experience with using SELinux, but I can provide more information if you tell me how.
Comment 1 Daniel Walsh 2010-04-19 15:08:46 UTC 
selinux-policy-3.7.19-2.fc13.noarch is already a candidate and fixes most of the avc's reported.

The troublesome ones are the fontconfig.
Comment 2 Kamil Páral 2010-04-19 16:17:03 UTC 
Will updating to the newer version of selinux automatically fix the problems, or are there some manual steps required afterwards (re-labeling files with correct context and whatnot?).
Comment 3 Daniel Walsh 2010-04-20 13:25:09 UTC 
It should fix most if not all the problems.  Relabeling should happen automatically.  If you still have problems after update, please open bugs.

I would likt to get 19-2 into the iso so we could test the upgrade path though.
Comment 4 Kamil Páral 2010-04-20 14:04:23 UTC 
selinux-policy-3.7.19-2.fc13.noarch seems to solve all my problems. We would really prefer if this could get into stable f13 repo before preupgrade test day:
https://fedoraproject.org/wiki/Test_Day:2010-04-29_Preupgrade
Comment 5 Daniel Walsh 2010-04-20 14:26:40 UTC 
Increase its kama.
Comment 6 Adam Williamson 2010-04-23 19:40:27 UTC 
Discussed at the blocker review meeting today, we agree this is a blocker and will try to put feedback in Bodhi soon.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 7 Fedora Update System 2010-04-26 19:52:12 UTC 
selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13
Comment 8 Fedora Update System 2010-04-27 05:49:25 UTC 
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13
Comment 9 Kamil Páral 2010-04-27 09:12:32 UTC 
I have updated to selinux-policy-3.7.19-6.fc13 and I see this avc denial in /var/log/messages after bootup:

Apr 27 05:08:17 localhost kernel: type=1400 audit(1272359290.665:4): avc:  denied  { mmap_zero } for  pid=420 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

There is not denial in /var/log/audit/audit.log though.
Comment 10 Daniel Walsh 2010-04-27 13:01:02 UTC 
It happens before auditd is started, This bug has been reported against vbetool in the past.
Comment 11 Kamil Páral 2010-04-27 13:42:45 UTC 
Daniel, I can't find you on any IRC channel. Does this mean that selinux-policy-3.7.19-6.fc13 should get -1 karma from me? Do you have bug number for that vbetool bug?
Comment 12 Fedora Update System 2010-04-28 03:06:50 UTC 
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.