Bug 728409
Summary: | selinux freezing boot | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bill C. Riemers <briemers> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-10-07 14:56:05 UTC | Type: | --- |
Description
Bill C. Riemers
2011-08-05 02:41:21 UTC
Could you add outputs of

```
# dmesg |grep avc
# ausearch -m avc -ts recent
# systemctl status auditd.service
```

after booting in permissive mode.

Here is the requested information. The first command is reporting denials which probably are related. The next two seem to be reporting a dnsmasq problem that has existed for a while, and I already reported as a separate bug.

I forgot to mention one of the other daemons that could not complete start-up in enforce mode was autofs.

Another thing I should mention is one of the many things I tried was a fresh install. However, after a yum update the new install base had the same problem as the old one.

```
[root@docbillthink sbin]# dmesg |grep avc
[ 21.121765] type=1400 audit(1312510879.973:3): avc: denied { mmap_zero } for pid=607 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[ 26.220844] type=1400 audit(1312510885.071:4): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2
[ 30.462827] dbus[1088]: avc: netlink poll: error 4
[root@docbillthink sbin]# ausearch -m avc -ts recent
----
time->Fri Aug 5 08:31:27 2011
type=SYSCALL msg=audit(1312547487.332:83): arch=c000003e syscall=16 success=no exit=-19 a0=9 a1=8915 a2=7fffee423e90 a3=0 items=0 ppid=1 pid=1348 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
type=AVC msg=audit(1312547487.332:83): avc: denied { module_request } for pid=1348 comm="dnsmasq" kmod="netdev-tun0,tap0" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
[root@docbillthink sbin]# systemctl status auditd.service
auditd.service - SYSV: This starts the Linux Auditing System Daemon, which collects security related events in a dedicated audit log. If this daemon is turned off, audit events will be sent to syslog.
    Loaded: loaded (/etc/rc.d/init.d/auditd)
    Active: active (running) since Thu, 04 Aug 2011 22:21:35 -0400; 10h ago
    Process: 1155 ExecStart=/etc/rc.d/init.d/auditd start (code=exited, status=0/SUCCESS)
    Main PID: 1167 (auditd)
    CGroup: name=systemd:/system/auditd.service
        ├ 1167 auditd
        ├ 1169 /sbin/audispd
        └ 1171 /usr/sbin/sedispatch
```

Remove vbetool, most likely you do not need this. The mac_admin one is curious and we probably want to talk to Lennart about this one. mac_admin means that systemd is trying to place a label on the system that the kernel does not understand.

I believe a fix for dnsmasq is in the works.

The vbetool failure is probably why my laptop display ends up very dim in console mode...

I have been told that vbetool is not needed for most hardware, you could test this theory out by making vbetool permissive and seeing if this fixes your console problem.

```
semanage permissive -a vbetool_t
```
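An added example, not part of the original bug thread: a small Python parser that extracts the source type, target type, class and permission from AVC records like the ones quoted above, so the unrelated denials (vbetool, systemd, dnsmasq) can be separated during triage. The function names are hypothetical; the sample lines are copied from the dmesg and ausearch output in this report.

```python
import re
from collections import defaultdict

# AVC records copied from the dmesg and ausearch output quoted in this report.
SAMPLE = '''\
[ 21.121765] type=1400 audit(1312510879.973:3): avc: denied { mmap_zero } for pid=607 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[ 26.220844] type=1400 audit(1312510885.071:4): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2
[ 30.462827] dbus[1088]: avc: netlink poll: error 4
type=AVC msg=audit(1312547487.332:83): avc: denied { module_request } for pid=1348 comm="dnsmasq" kmod="netdev-tun0,tap0" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
'''

# "avc: denied { perm ... } for key=value ..." (kernel log and audit log share this tail)
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for lines that are not one."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. the dbus "netlink poll" message, which is not a denial
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    # The SELinux type is the third field of user:role:type:level.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary[key].update(rec["perms"])
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```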