Bug 1118808 - SELinux breaks boot process
Summary: SELinux breaks boot process
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-11 14:51 UTC by Patrick Proche
Modified: 2014-07-14 10:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-14 08:50:20 UTC



Description Patrick Proche 2014-07-11 14:51:11 UTC
Description of problem:
With SELinux enabled ("SELINUX=enforcing" in /etc/selinux/config), the boot process with all the Fedora ("plain-vanilla") kernels which are installed on the system hangs forever. All partitions except /boot are encrypted with LUKS.

Self compiled kernels (from kernel.org) work always.

The boot process shows several errors before it completely hangs, for example:
"journald.service fails"
"Start create static device nodes in /dev failed"
at the end:
"A start job is running for [luks-encrypted device] ..."
which runs forever.

Setting SELinux in permissive mode, then booting and waiting for the relabeling, then booting again works also for the Fedora kernels, even when setting SELinux back to enforcing mode. I suspect that the relabeling during the boot process fails if some files have been modified in the meantime while working under a self compiled kernel.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-176.fc20.noarch
(hope my guess is right)

The system consists of a 60GB SSD HDD, partitioned into:

/boot
/ (LUKS-encrypted)
/tmp (LUKS-encrypted)

and a separate HDD with the /home partition on it, also LUKS-encrypted.

How reproducible:
So far every boot with a Fedora kernel, currently kernel-3.15.4-200.fc20.x86_64, before the "permissive" mode let the boot process relabel the system.

Steps to Reproduce:
1. Boot the system with a Fedora kernel
2. System hangs with last message: "A start job is running for [luks-encrypted device]".

Actual results:
System hangs.

Expected results:
System should always boot properly, also when one switches between different kernels from one session to the other.

Additional info:
I cannot add the detailed boot messages because I do not know how or where to find them. "journalctl" does not show the failed boots.

Comment 1 Miroslav Grepl 2014-07-11 15:39:22 UTC
Do you get AVC msgs if you boot in permissive mode?

Comment 2 Patrick Proche 2014-07-11 16:19:34 UTC
Sorry, not sure what AVC messages are. Googled it, if you mean messages from auditd, then no, I did not notice any.

I just booted the system again with a Fedora kernel to check boot.log, and something interesting happened: I had the system up with a self compiled kernel again, then rebooted with a Fedora kernel (in enforcing mode) to check for boot messages. Now the system relabels the file system without any problem, no error messages, and boots normally.

Now changed to permissive mode again and rebooted, but same --> boots normally. Also tried an older fedora kernel (3.15.3) --> OK. (but I do not believe it was a kernel problem)

So it seems to work normally again. Nevertheless, something must have prevented the normal boot before. Only I cannot reproduce it anymore.
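Comment 1 asks for AVC messages because SELinux logs its denials to the audit log in permissive mode as well, without enforcing them. The following is an added example, not part of the original report or of the selinux-policy project: it parses AVC denial records and flags those whose target type is `unlabeled_t` or `file_t`, the types that indicate files with a missing or invalid label, which is the situation a relabel corrects. The log lines are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1405090271.101:31): avc:  denied  { read } for  pid=301 comm="systemd-journal" name="journal" dev="dm-0" ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SERVICE_START msg=audit(1405090271.150:32): pid=1 uid=0 msg='unit=example comm="systemd" res=success'
type=AVC msg=audit(1405090271.204:33): avc:  denied  { write } for  pid=301 comm="systemd-journal" name="journal" dev="dm-0" ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1405090272.010:34): avc:  denied  { getattr } for  pid=355 comm="systemd-tmpfile" path="/etc/example.conf" dev="dm-0" ino=2022 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1405090273.500:35): avc:  denied  { name_bind } for  pid=410 comm="exampled" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Types assigned to objects that carry no label or an invalid one.
NO_LABEL_TYPES = {"unlabeled_t", "file_t"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(log_text):
    """Yield one dict per AVC denial; other audit record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if line.startswith("type=AVC") and m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            yield d

def summarize(log_text):
    """Count denials per (source type, target type, class); flag label problems."""
    counts = Counter()
    for d in parse_avc(log_text):
        counts[(selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])] += 1
    flagged = sorted(k for k in counts if k[1] in NO_LABEL_TYPES)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for (src, tgt, cls), n in counts.most_common():
        note = "  <- target has no valid label; relabel candidate" if tgt in NO_LABEL_TYPES else ""
        print(f"{n:3d}  {src} -> {tgt} ({cls}){note}")
```

On a running system the input would be the text of `/var/log/audit/audit.log` or the output of `ausearch -m avc -ts boot` instead of the sample string.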

Comment 3 Patrick Proche 2014-07-14 09:45:24 UTC
Sorry for this, but: just because it works now does not, in my humble opinion, mean that there is no bug. It did not work for several days. Something must have definitely prevented my system from booting normally. Maybe somebody else will have this problem with encrypted disks, too!? I also admit that I do not really have a clue about SELinux, I just came across it at all because it is built into Fedora. Nevertheless, thank you for taking my case into consideration. Best regards, Patrick

Comment 4 Miroslav Grepl 2014-07-14 10:13:41 UTC
(In reply to Patrick Proche from comment #3)
> Sorry for this, but: just because it works now does not, in my humble
> opinion, mean that there is no bug. It did not work for several days.
> Something must have definitely prevented my system from booting normally.
> Maybe somebody else will have this problem with encrypted disks, too!? I
> also admit that I do not really have a clue about SELinux, I just came
> across it at all because it is built into Fedora. Nevertheless, thank you
> for taking my case into consideration. Best regards, Patrick

Yeap. Basically let's reopen the bug if you get it again. Hard to find an issue if it works now.

