Bug 971097
| Summary: | selinux blocks booting into single user mode (systemd.unit=emergency.target) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Bastian <jbastian> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, emcnabb, jbastian, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-52.fc19 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-06-15 03:06:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I booted into emergency.target with enforcing=0 and ran audit2allow against the dmesg logs:
# audit2allow -d -M single
# cat single.te
module single 1.0;
require {
type clock_device_t;
type loop_control_device_t;
type netcontrol_device_t;
type kmsg_device_t;
type fixed_disk_device_t;
type autofs_device_t;
type ptmx_t;
type sulogin_t;
type scsi_generic_device_t;
type usbmon_device_t;
class blk_file getattr;
class chr_file getattr;
}
#============= sulogin_t ==============
allow sulogin_t autofs_device_t:chr_file getattr;
allow sulogin_t clock_device_t:chr_file getattr;
allow sulogin_t fixed_disk_device_t:blk_file getattr;
allow sulogin_t kmsg_device_t:chr_file getattr;
allow sulogin_t loop_control_device_t:chr_file getattr;
allow sulogin_t netcontrol_device_t:chr_file getattr;
allow sulogin_t ptmx_t:chr_file getattr;
allow sulogin_t scsi_generic_device_t:chr_file getattr;
allow sulogin_t usbmon_device_t:chr_file getattr;
This looks similar to bug 865399 from Fedora 18 So you needed to switch to permissive mode to boot into emergency.target, right? Yes, I booted with enforcing=0 in order to get the logs to generate the policy module. 9eae5d54b4c6688a8bfb0251069ab245ac1437ab fixes this in git, although not sure why it was not able to step into /root. sulogin: /root: change directory failed: Permission denied Logging in with home = "/". 6768d2163b9bf6f68d42692def4f0ae05bf614c6 allows sulogin to search /root selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19 selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: I tried to boot Fedora 19 Beta into single user mode and got a number of AVCs on the console and root did not have access to the /root home directory. Welcome to Fedora 19 (Schrödinger’s Cat)! [ 8.559768] LVM: Logical Volume autoactivation enabled. [ 8.564998] LVM: Activation generator successfully completed. [ OK ] Stopped Journal Service. [ OK ] Stopped Switch Root. [ OK ] Stopped target Switch Root. [ Welcome to emergency mode! After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" to try again to boot into default mode. [ 8.800180] type=1400 audit(1370464115.409:4): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.823533] type=1400 audit(1370464115.439:5): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/dm-0" dev="devtmpfs" ino=9443 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.846604] type=1400 audit(1370464115.459:6): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.869642] type=1400 audit(1370464115.479:7): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda1" dev="devtmpfs" ino=9390 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.892677] type=1400 audit(1370464115.509:8): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=9389 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.915677] type=1400 audit(1370464115.529:9): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file [ 8.938953] type=1400 audit(1370464115.549:10): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file [ 8.962568] type=1400 audit(1370464115.579:11): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/network_throughput" dev="devtmpfs" ino=1129 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file [ 8.986918] type=1400 audit(1370464115.599:12): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/network_latency" dev="devtmpfs" ino=1128 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file Give root password for maintenance (or type Control-D to continue): sulogin: /root: change directory failed: Permission denied Logging in with home = "/". bash-4.2# Version-Release number of selected component (if applicable): selinux-policy-3.12.1-47.fc19.noarch How reproducible: every time Steps to Reproduce: 1. boot into single user mode, i.e., add systemd.unit=emergency.target to the kernel command line options 2. enter root password Actual results: lots of AVCs and root is denied access to /root home dir Expected results: no AVCs, root can access /root Additional info: I was testing on an ARM system, but the AVCs appear to generic to all architectures.