Bug 734274

Summary: please support boots without initrd
Product: [Fedora] Fedora Reporter: Lennart Poettering <lpoetter>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: camilo, dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-13 18:48:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lennart Poettering 2011-08-30 00:29:54 UTC 
Fedora currently officially only supports initrd boots hence this bug report is mostly a wishlist item, but it would be cool nonetheless if we could boot fedora without initrd and things would still work just fine.

systemd works very well in both initrd and initrd-less boots. The missing bits are SELinux and Plymouth which do not cope as well with it.

Currently, if you boot without initrd some files are mislabelled, as the policy doesn't appear to be ready for this.

You can easily test your system in an initrd-less boot by passing arguments like the following on the kernel cmdline: "root=/dev/sda7 rootfstype=ext4" where /dev/sda7 is the right partition. It is important to use symbolic names like /dev/sda7 here, and not UUIDs since the kernel does not understand UUIDs when booting without initrd. Of course, this will only work if your system is not installed on an LVM or crypto root disk (or any other kind of fancier storage).

On my system I see the following AVCs when booting without initrd:

[   25.389353] type=1400 audit(1314661961.451:3): avc:  denied  { read } for  pid=76 comm="systemd-logger" name="libsystemd-daemon.so.0" dev=sda7 ino=77 scontext=system_u:system_r:systemd_logger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file
[   34.986680] type=1400 audit(1314661971.048:4): avc:  denied  { create } for  pid=93 comm="udevd" name="rtc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   34.987309] type=1400 audit(1314661971.049:5): avc:  denied  { associate } for  pid=93 comm="udevd" name="rtc" scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   40.927846] type=1400 audit(1314661976.989:6): avc:  denied  { open } for  pid=341 comm="systemd-tty-ask" name="console" dev=devtmpfs ino=1039 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
[   40.928421] type=1400 audit(1314661976.990:7): avc:  denied  { sys_tty_config } for  pid=341 comm="systemd-tty-ask" capability=26  scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability
[   41.316342] type=1400 audit(1314661977.377:8): avc:  denied  { mmap_zero } for  pid=348 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[   52.525677] dbus[496]: avc:  netlink poll: error 4
[   55.039688] type=1400 audit(1314661991.101:9): avc:  denied  { unlink } for  pid=544 comm="rpcbind" name="rpcbind.sock" dev=tmpfs ino=10445 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
[   59.249284] type=1400 audit(1314661995.311:10): avc:  denied  { read } for  pid=462 comm="systemd-logind" name="cpu" dev=tmpfs ino=5502 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
[   59.281703] type=1400 audit(1314661995.343:11): avc:  denied  { setattr } for  pid=462 comm="systemd-logind" name="rfkill" dev=devtmpfs ino=6731 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
[   66.881168] type=1400 audit(1314662002.942:12): avc:  denied  { read } for  pid=753 comm="systemd-notify" name="libsystemd-daemon.so.0" dev=sda7 ino=77 scontext=system_u:system_r:systemd_notify_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file
[   77.843349] type=1400 audit(1314662014.115:13): avc:  denied  { read } for  pid=462 comm="systemd-logind" name="cpu" dev=tmpfs ino=5502 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
[   77.866667] type=1400 audit(1314662014.138:14): avc:  denied  { setattr } for  pid=462 comm="systemd-logind" name="rfkill" dev=devtmpfs ino=6731 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
[  526.237862] type=1400 audit(1314662462.509:15): avc:  denied  { read } for  pid=462 comm="systemd-logind" name="cpu" dev=tmpfs ino=5502 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
Comment 1 Daniel Walsh 2011-08-30 00:55:13 UTC 
Why is "libsystemd-daemon.so.0 a lnk_file labeled usr_t?  Where is it located it should be labeled lib_t.  I have no problem allowing these daemons to read usr_t, but this looks like a mislabel.

What is rtc and why is udev trying to mount a file system on it?

type=1400 audit(1314661971.048:4): avc:  denied  { create } for  pid=93 comm="udevd" name="rtc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file [   34.987309] 
type=1400 audit(1314661971.049:5): avc:  denied  { associate } for  pid=93 comm="udevd" name="rtc" scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem [   40.927846] 

vbetool should probably be removed from your system, you probably do not need it.


Does systemd_logind_t need setattr on all dev chr_files?

type=1400 audit(1314661991.101:9): avc:  denied  { unlink } for  pid=544 comm="rpcbind" name="rpcbind.sock" dev=tmpfs ino=10445 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file [   59.249284]

This happens because systemd did not create the sock file with the correct label.

All other fixes will be in selinux-policy-3.10.0-23.fc16
Comment 2 cam 2011-11-19 16:05:52 UTC 
One minor issue I've noticed is that certain tools (including whatever chain of tools are used to install a new kernel as a result of yum upgrading) require a link /dev/root which happens as a side effect of initrd boots.

Without it, an initrdless system will continue to fail to upgrade the kernel - or will upgrade it but not make the necessary grub2 configurations to allow it to boot the new kernel.

I have to remember to manually make a symlink to /dev/sda3 in /dev/root before yum updating.

I have no idea what package should be responsible for adding such a link, or if the tools should be updated to find the root device another way (like grepping /proc/cmdline)
Comment 3 Fedora End Of Life 2013-01-16 15:41:32 UTC 
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Fedora End Of Life 2013-02-13 18:48:51 UTC 
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.