| Summary: | selinux prevents system boot with boot parameter of selinux=0 | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | darrell pfeifer <darrellpf> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl, pebolle, zaitcev |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-08-02 19:59:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Description
darrell pfeifer
2011-07-30 01:59:16 UTC
(In reply to comment #0)
> Workaround is to use a boot parameter of enforcing=0 instead.

0) Might be related, or might not be related, but after upgrading to selinux-policy-3.10.0-11.fc17.noarch I need "enforcing=0" to login (at runlevel 3). Without "enforcing=0" any attempt at logging in results in getting kicked back to the login prompt (almost immediately).

1) Please feel free to prod for details, as all selinux related messages appear to be logged.

Please attach the avc's from the audit.log file?

There are no avc's in my audit.log file. This is happening very early on in system boot, so I'm assuming selinux is preventing systemd from starting up logging. It is only the most recent version of selinux that has started showing this behaviour. At graphic boot time, every time the escape key is hit to switch to text console there is a message about failing to mount selinuxfs. There are no other messages that appear on the console.

Could you boot with enforcing=0 and then execute

    # dmesg |grep avc

[ 14.940363] type=1400 audit(1312286776.050:3): avc: denied { dyntransition } for pid=1 comm="systemd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[ 22.604532] type=1400 audit(1312311983.725:4): avc: denied { read } for pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 22.604714] type=1400 audit(1312311983.725:5): avc: denied { open } for pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 22.604985] type=1400 audit(1312311983.725:6): avc: denied { getattr } for pid=699 comm="systemd-sysctl" path="/etc/sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 28.638208] type=1400 audit(1312311989.768:7): avc: denied { relabelto } for pid=858 comm="systemd-tmpfile" name="seats" dev=tmpfs ino=12684 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir
[ 28.640646] type=1400 audit(1312311989.770:8): avc: denied { relabelto } for pid=858 comm="systemd-tmpfile" name="sessions" dev=tmpfs ino=12688 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir
[ 36.931182] type=1400 audit(1312311998.073:9): avc: denied { read } for pid=1096 comm="ksmtuned" path="/bin/bash" dev=dm-1 ino=2752558 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 38.054367] type=1400 audit(1312311999.198:10): avc: denied { name_bind } for pid=1117 comm="dhclient" src=61349 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
[ 39.305947] type=1400 audit(1312312000.451:11): avc: denied { read } for pid=1152 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 39.306058] type=1400 audit(1312312000.451:12): avc: denied { open } for pid=1152 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 39.306227] type=1400 audit(1312312000.451:13): avc: denied { getattr } for pid=1152 comm="systemd-sysctl" path="/etc/sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 99.711922] type=1400 audit(1312312060.530:14): avc: denied { execute } for pid=1849 comm="plugin-config" path="/home/darrell/jdk1.7.0/jre/lib/amd64/libnpjp2.so" dev=dm-2 ino=9308364 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
[ 134.983753] type=1400 audit(1312312095.854:15): avc: denied { name_connect } for pid=2365 comm="npviewer.bin" dest=54686 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Give me some minutes. I will build a new rawhide release which should fix these issues.

There is a new build http://koji.fedoraproject.org/koji/buildinfo?buildID=256873

(In reply to comment #8)
> http://koji.fedoraproject.org/koji/buildinfo?buildID=256873

Looks like that fixes it over here.

It didn't fix it for me. Still doesn't boot unless I use enforcing=0 rather than selinux=0. Not much for avc errors except for
[ 34.674692] dbus[941]: avc: netlink poll: error 4
[ 38.702492] type=1400 audit(1312330124.344:3): avc: denied { read } for pid=1109 comm="ksmtuned" path="/bin/bash" dev=dm-1 ino=2752558 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Are you saying it will not boot with selinux=0?

(In reply to comment #11)
> Are you saying it will not boot with selinux=0?

Perhaps related to http://zaitcev.livejournal.com/210477.html ? (I can't comment there so I've cc'ed Pete Zaitcev.)

Fails to boot with selinux=0 using kernel 3.1.0-0.rc0.git19.1.fc17, systemd 33-1.fc16. Successful boot using enforcing=0.

I do not think my case is the same as Darrell's, because in my case the boot stops after an error of selinux_init_load_policy(). It is much earlier than Darrell's system manages to reach. Please see bz#727068 for one which may be more relevant.

I've finally gotten it so you can disable SELinux. World domination is mine. :^)

Updated to selinux-policy-3.10.0-16. Same problem still.

Try selinux-policy-3.10.0-16.fc17

See comment #16. Still fails with the same behaviour. Requires enforcing=0 for successful boot.

Could you execute

    # semodule -DB

which will turn off the dontaudit rules. Reboot in permissive mode, collect the AVC messages, then

    # semodule -B

to turn on the dontaudit messages, and attach a compressed version of the AVC messages. This could be a systemd problem.

Created attachment 516897 [details]
dmesg output
There were no avc messages in the audit log. Attached the dmesg output, which does have avc's.

I don't see anything that is obvious. Could you build a custom module from those AVCs and see if the machine can boot in enforcing mode.

    # dmesg | grep -v sys_module | audit2allow -M mybrokenboot
    # semodule -i mybrokenboot.pp

It fails to boot. I'm using graphic boot. When I hit escape I get a message about selinuxfs failing to mount. Still wondering if that is a clue.

You could see if

    mkdir /selinux

fixes the problem. Are you using an older kernel? When you are booted, you should see the directory /sys/fs/selinux

Per comment #1, a 3.1 kernel. Bingo! mkdir fixes the problem. (The /sys/fs/selinux directory was there with enforcing=0.) I've never removed /selinux. Now the questions are: what has changed that it is now required, or what will ensure that it is there as required?

Updated an approximately 2 week old rawhide system today and it had the same problem. Before the update, /selinux was there. After the update /selinux was gone, so the reboot failed (until I changed selinux=0 to enforcing=0).

Are you sure you are fully updated to Rawhide and are booting with a rawhide kernel?

Yes and yes. Booted with enforcing=0, mkdir /selinux (which had disappeared) and rebooted. At this point I seem to be the only one who has been affected. I'm ok with keeping the bug closed, making a mental flag and waiting to see if anyone else has the problem.

I am looking for components that have /selinux hard coded in them. A new version of dracut was just released but I don't know if this would fix your problem. I know there is another problem with dracut. But I don't think that is the problem.
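As an added example (not from the bug report or from Fedora's tooling), a small POSIX sh triage helper that does two things the thread ended up doing by hand: summarize the distinct AVC denials in a saved dmesg capture before deciding whether any of them belong in an audit2allow module, and check that a directory exists for selinuxfs to be mounted on (the modern /sys/fs/selinux or the legacy /selinux whose disappearance broke boot here). The sample lines and the file paths it takes are constructed for the example.

```shell
#!/bin/sh
# Added triage helpers (not from the bug report): given a saved dmesg/audit
# capture, collapse the "avc: denied" lines into distinct policy gaps, and
# check whether the system has a directory selinuxfs can be mounted on.
# The report's root cause was the legacy /selinux mount point disappearing
# while selinuxfs had moved to /sys/fs/selinux on 3.x kernels.

# Constructed sample, modelled on the dmesg lines quoted in the report.
SAMPLE_AVCS='[ 22.604532] type=1400 audit(1312311983.725:4): avc: denied { read } for pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 22.604714] type=1400 audit(1312311983.725:5): avc: denied { open } for pid=699 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
[ 28.638208] type=1400 audit(1312311989.768:7): avc: denied { relabelto } for pid=858 comm="systemd-tmpfile" name="seats" dev=tmpfs ino=12684 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir
[ 34.674692] dbus[941]: avc: netlink poll: error 4
[ 39.305947] type=1400 audit(1312312000.451:11): avc: denied { read } for pid=1152 comm="systemd-sysctl" name="sysctl.conf" dev=dm-1 ino=1049422 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=file'

# summarize_avcs FILE: one line per (permission, source type, target type,
# class), most frequent first. Non-denial "avc:" noise such as the dbus
# netlink line is ignored. Review this before feeding anything to audit2allow,
# since a generated module allows every listed access verbatim.
summarize_avcs() {
  grep 'avc: *denied' "$1" \
  | sed -n 's/.*denied { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p' \
  | sort | uniq -c | sort -rn
}

# selinuxfs_mountpoint [MOUNTS]: print where selinuxfs is mounted according
# to a mounts table in /proc/self/mounts format; exit 1 if it is not mounted.
selinuxfs_mountpoint() {
  awk '$3 == "selinuxfs" { print $2; found = 1 } END { exit !found }' \
      "${1:-/proc/self/mounts}"
}

# selinuxfs_dir [ROOT]: print the first mount point directory that exists,
# preferring the modern /sys/fs/selinux over the legacy /selinux. A missing
# directory is exactly what made "mount selinuxfs" fail in this report.
selinuxfs_dir() {
  for d in /sys/fs/selinux /selinux; do
    if [ -d "${1:-}$d" ]; then printf '%s\n' "$d"; return 0; fi
  done
  echo "no selinuxfs mount point under ${1:-/}" >&2
  return 1
}
```

On a live system, save the capture first (`dmesg > /tmp/dmesg.txt`) and run `summarize_avcs /tmp/dmesg.txt`; `selinuxfs_mountpoint` and `selinuxfs_dir` with no arguments inspect the running host.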