Bug 971097
Summary: | selinux blocks booting into single user mode (systemd.unit=emergency.target) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jeff Bastian <jbastian> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 19 | CC: | dominick.grift, dwalsh, emcnabb, jbastian, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-52.fc19 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-06-15 03:06:48 UTC | Type: | Bug |
Description
Jeff Bastian
2013-06-05 16:36:04 UTC
I booted into emergency.target with enforcing=0 and ran audit2allow against the dmesg logs:

```
# audit2allow -d -M single
# cat single.te

module single 1.0;

require {
    type clock_device_t;
    type loop_control_device_t;
    type netcontrol_device_t;
    type kmsg_device_t;
    type fixed_disk_device_t;
    type autofs_device_t;
    type ptmx_t;
    type sulogin_t;
    type scsi_generic_device_t;
    type usbmon_device_t;
    class blk_file getattr;
    class chr_file getattr;
}

#============= sulogin_t ==============
allow sulogin_t autofs_device_t:chr_file getattr;
allow sulogin_t clock_device_t:chr_file getattr;
allow sulogin_t fixed_disk_device_t:blk_file getattr;
allow sulogin_t kmsg_device_t:chr_file getattr;
allow sulogin_t loop_control_device_t:chr_file getattr;
allow sulogin_t netcontrol_device_t:chr_file getattr;
allow sulogin_t ptmx_t:chr_file getattr;
allow sulogin_t scsi_generic_device_t:chr_file getattr;
allow sulogin_t usbmon_device_t:chr_file getattr;
```

This looks similar to bug 865399 from Fedora 18

So you needed to switch to permissive mode to boot into emergency.target, right?

Yes, I booted with enforcing=0 in order to get the logs to generate the policy module.

9eae5d54b4c6688a8bfb0251069ab245ac1437ab fixes this in git, although not sure why it was not able to step into /root.

```
sulogin: /root: change directory failed: Permission denied
Logging in with home = "/".
```

6768d2163b9bf6f68d42692def4f0ae05bf614c6 allows sulogin to search /root

selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
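Added example, not part of the original bug report and not audit2allow's own code: a Python parser that extracts AVC denials from kernel log text and merges them into `allow` rules in the same shape as the `single.te` listing above, so the rules can be reviewed before a module is loaded. The log lines are constructed (including the `admin_home_t` label assumed for `/root`), and the names `parse_avc` and `allow_rules` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed kernel log lines for illustration (not from the bug report).
SAMPLE_DMESG = """\
[   13.900] systemd[1]: Started Emergency Shell.
[   14.101] type=1400 audit(1370450164.101:3): avc:  denied  { getattr } for  pid=301 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=1040 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[   14.102] type=1400 audit(1370450164.102:4): avc:  denied  { getattr } for  pid=301 comm="sulogin" path="/dev/sdb" dev="devtmpfs" ino=1041 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[   14.103] type=1400 audit(1370450164.103:5): avc:  denied  { getattr } for  pid=301 comm="sulogin" path="/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
[   15.250] type=1400 audit(1370450165.250:6): avc:  denied  { search } for  pid=301 comm="sulogin" name="root" dev="dm-1" ino=131073 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, frozenset(m.group("perms").split())


def allow_rules(log_text):
    """Merge denials per (source, target, class) and render sorted allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[rec[:3]] |= rec[3]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_DMESG)))
```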