Bug 865399

Summary:	Maintenance mode fails
Product:	[Fedora] Fedora	Reporter:	Tim Waugh <twaugh>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	18	CC:	dominick.grift, dwalsh, johannbg, lnykryn, metherid, mgrepl, mschmidt, msekleta, notting, plautrba, systemd-maint, vpavlin
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-12-20 15:37:31 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Tim Waugh 2012-10-11 10:47:11 UTC

Description of problem:
When a filesystem configured in /etc/fstab cannot be mounted, rescue mode fails.  The root password is requested, but when given the login fails.

Version-Release number of selected component (if applicable):
systemd-194-1.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Configure a filesystem in /etc/fstab that cannot be mounted.
2.Boot.

Alternatively: configure an encrypted filesystem, but do not provide the password at boot.

Comment 1 Bill Nottingham 2012-10-11 14:23:36 UTC

Merely the password authentication fails, or something else?

Comment 2 Tim Waugh 2012-10-11 15:49:12 UTC

Welcome to emergency mode. Use "systemctl default" or ^D to enter default mode.
Give root password for maintenance
(or type Control-D to continue)
sulogin: /root: change directory failed: Permission denied
Logging in with home = "/"
sulogin: /bin/bash: exec failed: Permission denied
sulogin: /bin/sh: exec failed: Permission denied
Login incorrect

Give root password for maintenance
(or type Control-D to continue)

Comment 3 Michal Schmidt 2012-10-11 15:51:09 UTC

Does booting with "enforcing=0" help?

Comment 4 Tim Waugh 2012-10-11 16:21:35 UTC

It does.

dmesg reveals:

[  110.316332] type=1400 audit(1349975360.395:3): avc:  denied  { transition } for  pid=499 comm="sulogin" path="/usr/bin/bash" dev="sda8" ino=674983 scontext=system_u:system_r:sulogin_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

selinux-policy-targeted-3.11.1-32.fc18.noarch

Comment 5 Tim Waugh 2012-10-11 16:26:13 UTC

Also, I'm not sure if it's intentional that failing to provide a password within about 80 seconds drops you into maintenance mode..?

Comment 6 Tim Waugh 2012-10-11 16:28:50 UTC

(Sorry, not clear: failing to provide an *encryption* password drops you into maintenance mode, which asks for the root password)

Comment 7 Lennart Poettering 2012-10-12 22:07:48 UTC

(In reply to comment #4)
> It does.
> 
> dmesg reveals:
> 
> [  110.316332] type=1400 audit(1349975360.395:3): avc:  denied  { transition
> } for  pid=499 comm="sulogin" path="/usr/bin/bash" dev="sda8" ino=674983
> scontext=system_u:system_r:sulogin_t:s0
> tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 
> selinux-policy-targeted-3.11.1-32.fc18.noarch

OK, reassigning to selinux-policy.

(In reply to comment #6)
> (Sorry, not clear: failing to provide an *encryption* password drops you
> into maintenance mode, which asks for the root password)

See https://bugzilla.redhat.com/show_bug.cgi?id=861123 regarding this.

Comment 8 Miroslav Grepl 2012-10-15 09:26:51 UTC

We allow this but this is

#============= sulogin_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Constraint rule: 
#	Possible cause source context and target context 'user' differ
#	Possible cause source context and target context 'level' differ
allow sulogin_t unconfined_t:process transition;

Comment 9 Miroslav Grepl 2012-10-15 09:33:55 UTC

It would work with

mcs_process_set_categories(sulogin_t)

which is a "hack".

Dan,
I believe we should get ranged sulogin_t.

Comment 10 Daniel Walsh 2012-10-16 03:58:24 UTC

i agree it should be ranged.


Fixed in selinux-policy-3.11.1-40.fc18.noarch

Comment 11 Fedora Update System 2012-10-23 20:34:08 UTC

selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 12 Fedora Update System 2012-10-26 15:37:03 UTC

selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 13 Fedora Update System 2012-10-26 19:26:23 UTC

Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 14 Tim Waugh 2012-11-05 12:51:43 UTC

Fixes it here. Thanks.

Comment 15 Fedora Update System 2012-12-20 15:37:34 UTC

selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.