Bug 119198 - make [re]load fails from the single-user shell
Product: Fedora
Classification: Fedora
Component: policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Blocks: 122683
Reported: 2004-03-26 03:44 EST by Aleksey Nogin
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.9.1-2
Doc Type: Bug Fix
Last Closed: 2004-05-10 13:45:09 EDT
Description Aleksey Nogin 2004-03-26 03:44:12 EST
If I boot into single user, cd to /etc/security/selinux/src/policy and
try "make load" or "make reload", it fails in enforcing mode.
Specifically, it can not execute checkpolicy. The log messages are:

Mar 25 23:45:38 dell kernel: security_compute_sid:  invalid context
system_u:system_r:checkpolicy_t for
tcontext=system_u:object_r:checkpolicy_exec_t tclass=process
Mar 25 23:45:38 dell kernel: security:  context
system_u:system_r:checkpolicy_t is invalid
Comment 1 Stephen Smalley 2004-03-26 10:28:20 EST
sulogin should be setting the admin shell context to
root:sysadm_r:sysadm_t, which would be able to run checkpolicy.
From the message above, it appears that your single user shell is
running as system_u:system_r:sysadm_t, and system_r is not authorized
for checkpolicy_t.  First question is:  Why isn't sulogin being run,
or is there a problem with the sulogin patch?

A workaround would be to add 'role system_r types checkpolicy_t;' to
checkpolicy.te to authorize the role for the domain.  Or you could add
'role_transition system_r checkpolicy_exec_t sysadm_r;' to force a
transition in role upon executing checkpolicy.
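
The following is an added example, not part of the bug thread or the Fedora policy: a small Python model of the role/type check behind the "invalid context" message, run against the log line from the report. The rule tables are constructed from what the thread states, the helper names are hypothetical, and user/role authorization is not modelled.

```python
import re

# Constructed, simplified policy model (assumption): only rules the thread mentions.
ROLE_TYPES = {                                   # "role R types T;"
    "system_r": {"sysadm_t"},
    "sysadm_r": {"sysadm_t", "checkpolicy_t"},
}
TYPE_TRANS = {("sysadm_t", "checkpolicy_exec_t"): "checkpolicy_t"}

# Kernel message from the report, hard-wrapped as in the bug text.
LOG = """Mar 25 23:45:38 dell kernel: security_compute_sid:  invalid context
system_u:system_r:checkpolicy_t for
tcontext=system_u:object_r:checkpolicy_exec_t tclass=process"""

def parse_denial(log):
    """Extract (computed context, target type, class) from the wrapped log line."""
    m = re.search(r"invalid context (\S+) for tcontext=(\S+) tclass=(\S+)",
                  " ".join(log.split()))
    if not m:
        raise ValueError("no security_compute_sid message found")
    return m.group(1), m.group(2).split(":")[2], m.group(3)

def exec_context(scontext, exec_type, role_types=ROLE_TYPES, role_trans=None):
    """Context a process gets on exec, and whether its role may enter that type."""
    user, role, domain = scontext.split(":")
    role = (role_trans or {}).get((role, exec_type), role)   # role_transition rule
    domain = TYPE_TRANS.get((domain, exec_type), domain)     # domain transition
    return f"{user}:{role}:{domain}", domain in role_types.get(role, set())

def with_role_types(role, new_type):
    """Copy of ROLE_TYPES with 'role <role> types <new_type>;' added."""
    patched = {r: set(t) for r, t in ROLE_TYPES.items()}
    patched.setdefault(role, set()).add(new_type)
    return patched

if __name__ == "__main__":
    ctx, exec_type, _ = parse_denial(LOG)
    shell = "system_u:system_r:sysadm_t"
    print("kernel rejected:  ", ctx)
    print("single-user shell:", exec_context(shell, exec_type))
    print("after sulogin:    ", exec_context("root:sysadm_r:sysadm_t", exec_type))
    print("role ... types:   ", exec_context(shell, exec_type,
                                             with_role_types("system_r", "checkpolicy_t")))
    print("role_transition:  ", exec_context(shell, exec_type,
                                             role_trans={("system_r", exec_type): "sysadm_r"}))
```
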
Comment 2 Aleksey Nogin 2004-03-26 14:43:35 EST
> First question is:  Why isn't sulogin being run,

The sulogin is only run AFAIK when there is some problem with fsck or
RAID. I am not talking about that - I am talking about the shell
prompt you get (w/o having to enter the root password) when booting
into the single-user mode.
Comment 3 Daniel Walsh 2004-04-01 12:59:09 EST
This should be fixed by the latest policy 1.9.1-2
Comment 4 Stephen Smalley 2004-04-01 13:17:46 EST
sulogin can be run for single-user boots via inittab; this ensures
that even a single-user boot requires root password.  A good idea, IMHO,
but your choice...
