Bug 692436

Summary: Incorrect SELinux labelling of new /run directory prevents system boot
Product: [Fedora] Fedora
Reporter: Kamil Páral <kparal>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 15
CC: amcnabb, awilliam, bruce, cunio, dwalsh, jbastian, jjardon, madko, marbolangos, mgrepl, mnowak, mschmidt, rdieter, robatino, tflink, thomas.mey, vonbrand
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: systemd-22-1.fc15, selinux-policy-3.9.16-10.fc15
Doc Type: Bug Fix
Last Closed: 2011-04-04 19:39:02 UTC
Type: ---
Bug Blocks: 657618    
Attachments (description: flags):
messages: none
audit.log: none
secure: none

Description Kamil Páral 2011-03-31 11:11:14 UTC
Description of problem:
After latest yum update in Fedora 15 the system won't boot at all. It's stuck with the last message being "Starting monitoring LVM2 mirrors, snapshots, etc." (or similar). When enforce=0 is put into kernel boot line, system works fine.

Version-Release number of selected component (if applicable):
systemd-21-2.fc15.x86_64
libselinux-2.0.98-2.fc15.x86_64
selinux-policy-3.9.16-6.fc15.noarch
systemd-units-21-2.fc15.x86_64
selinux-policy-targeted-3.9.16-6.fc15.noarch
libselinux-utils-2.0.98-2.fc15.x86_64
libselinux-python-2.0.98-2.fc15.x86_64

How reproducible:
always

Comment 1 Kamil Páral 2011-03-31 11:13:13 UTC
Created attachment 489037
messages

Comment 2 Kamil Páral 2011-03-31 11:13:34 UTC
Created attachment 489038
audit.log

Comment 3 Kamil Páral 2011-03-31 11:13:48 UTC
Created attachment 489039
secure

Comment 4 Miroslav Grepl 2011-03-31 11:33:38 UTC
*** Bug 692137 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2011-03-31 11:34:21 UTC
*** Bug 692440 has been marked as a duplicate of this bug. ***

Comment 6 Michal Schmidt 2011-03-31 13:23:09 UTC
*** Bug 692475 has been marked as a duplicate of this bug. ***

Comment 7 Adam Williamson 2011-03-31 16:44:29 UTC
Better summary.

Comment 8 Michal Schmidt 2011-03-31 17:08:45 UTC
*** Bug 692600 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2011-04-01 14:35:38 UTC
systemd-22-1.fc15, selinux-policy-3.9.16-9.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-9.fc15,systemd-22-1.fc15

Comment 10 Andrew McNabb 2011-04-01 19:10:13 UTC
I have updated to systemd-22-1.fc15 and selinux-policy-3.9.16-10.fc15, and the system still fails to boot. If these updates are working for others, then it may be important to mention that my system has selinux disabled.

Comment 11 Tim Flink 2011-04-01 20:25:08 UTC
Discussed during the 2011-04-01 blocker review meeting. One of the release criteria this hits is:

after firstboot is completed and on subsequent boots, a system installed according to any of the above criteria (or the appropriate Beta or Final criteria, when applying this criterion to those releases) must boot to a working graphical environment without unintended user intervention.

Proposed fix has been pushed to updates, not clear if it fixes the problem. More testing of the proposed update is needed to verify that it does/does not work.

Comment 12 Horst H. von Brand 2011-04-01 23:48:21 UTC
Updated to selinux-policy-3.9.16-10.fc15.noarch, systemd-22-1.fc15.x86_64; after relabeling boot went fine. So it works for me.

Comment 13 Fedora Update System 2011-04-02 05:54:46 UTC
systemd-22-1.fc15, selinux-policy-3.9.16-10.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Andrew McNabb 2011-04-04 17:19:26 UTC
Why was this bug closed? I clearly stated that my system still fails to boot.

Comment 15 Daniel Walsh 2011-04-04 19:18:34 UTC
Andrew, is it failing to boot in enforcing=0?

Comment 16 Andrew McNabb 2011-04-04 19:26:44 UTC
It still fails to boot if I set enforcing=0 (with the "Failed to load SELinux policy" from bug #692537), but it does boot if I specify selinux=0.

Comment 17 Michal Schmidt 2011-04-04 19:35:52 UTC
(In reply to comment #10)
> it may be important to mention that my system has selinux disabled.

Very important. This bug affected SELinux-enabled systems. Broken systems with SELinux disabled using /etc/config/selinux is bug 692573.

Comment 18 Michal Schmidt 2011-04-04 19:39:02 UTC
So I am closing this again. If anyone is still seeing problems booting *with SELinux enabled*, please reopen or file a new bug.

Comment 19 Daniel Walsh 2011-04-04 19:40:51 UTC
That is a different bug than this one, related to systemd, which you found the
link to.

We are working to fix the labeling of /run which is mostly fixed by this
update.

systemd-23-1 is supposed to be released tonight to fix the rest of the
labeling.

Comment 20 Andrew McNabb 2011-04-04 20:10:59 UTC
In the other bug, it was stated that this one was for the failure to boot, and the other was for the selinux-related error message. I will try to clarify the situation for all who are following the other bug.

Comment 21 Michal Schmidt 2011-04-04 20:19:22 UTC
Both bugs could cause a failure to boot.

Comment 22 Andrew McNabb 2011-04-04 20:35:05 UTC
(In reply to comment #21)
> Both bugs could cause a failure to boot.

Both indeed do. :)