Bug 119198 - make [re]load fails from the single-user shell
Summary: make [re]load fails from the single-user shell
Alias: None
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Whiteboard: triage|leonardjo|closed|rawhide
Depends On:
Blocks: 122683
TreeView+ depends on / blocked
Reported: 2004-03-26 08:44 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Fixed In Version: 1.9.1-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-05-10 17:45:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Aleksey Nogin 2004-03-26 08:44:12 UTC
If I boot into single user, cd to /etc/security/selinux/src/policy and
try "make load" or "make reload", it fails in enforcing mode.
Specifically, it can not execute checkpolicy. The log messages are:

Mar 25 23:45:38 dell kernel: security_compute_sid:  invalid context
system_u:system_r:checkpolicy_t for
tcontext=system_u:object_r:checkpolicy_exec_t tclass=process
Mar 25 23:45:38 dell kernel: security:  context
system_u:system_r:checkpolicy_t is invalid

Comment 1 Stephen Smalley 2004-03-26 15:28:20 UTC
sulogin should be setting the admin shell context to
root:sysadm_r:sysadm_t, which would be able to run checkpolicy.
From the message above, it appears that your single user shell is
running as system_u:system_r:sysadm_t, and system_r is not authorized
for checkpolicy_t.  First question is:  Why isn't sulogin being run,
or is there a problem with the sulogin patch?

A workaround would be to add 'role system_r types checkpolicy_t;' to
checkpolicy.te to authorize the role for the domain.  Or you could add
'role_transition system_r checkpolicy_exec_t sysadm_r;' to force a
transition in role upon executing checkpolicy.

Comment 2 Aleksey Nogin 2004-03-26 19:43:35 UTC
> First question is:  Why isn't sulogin being run,

The sulogin is only run AFAIK when there is some problem with fsck or
RAID. I am not talking about that - I am talking about the shell
promps you get (w/o having to enter the rool password) when booting
into the single-user mode.

Comment 3 Daniel Walsh 2004-04-01 17:59:09 UTC
This should be fixed by the latest policy 1.9.1-2

Comment 4 Stephen Smalley 2004-04-01 18:17:46 UTC
sulogin can be run for single-user boots via inittab; this ensures
that even a single-user boot requires root password.  A good idea, IMHO,
but your choice...

Note You need to log in before you can comment on or make changes to this bug.