1228200 – initial boot from netinstall fails, systemd-tempfiles fails with selinux permissions failures

Bug 1228200 - initial boot from netinstall fails, systemd-tempfiles fails with selinux permissions failures

Summary: initial boot from netinstall fails, systemd-tempfiles fails with selinux perm...

Keywords:
Status:	CLOSED DUPLICATE of bug 1228489
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-06-04 11:52 UTC by Noa Resare
Modified:	2015-06-09 10:50 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-06-09 10:50:10 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Noa Resare 2015-06-04 11:52:59 UTC

Description of problem:

Attempted to create a plain minimal Fedora 22 Server install in a VMware Fusion VM. The installation succeeds but after reboot the system ends up in a locked up state.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-126.fc22.noarch

How reproducible:
Always (tried it twice)

Steps to Reproduce:
1. Install a new system using SHA1(Fedora-Server-netinst-x86_64-22.iso)= 617213dbcb55b18caf3937fa6562661d03effa8a
2. Select the "Minimal install" option pulling packages from the closest mirror
3. Reboot the system when done

Actual results:
Graphical boot with blue bar at the bottom stalls. Pressing escape shows a boot log with a few failures printed, "Failed to start Login Service" and "Failed to start OpenSSH Server Key Generation". The topmost FAILED line shown is "Failed to start Create Volatile Files and Directories".

Expected results:
A usable system.

Additional info:
Booting into single user by providing the "S" as kernel parameter in grub gives some insight. Issuing "systemctl status systemd-tmpfiles-setup.service" gives some clue about what is going on, systemd-tempfiles prints "Unkonwn group systemd-journal" and "Unknown group utmp". Issuing "systemctl start systemd-tmpfiles-setup.service" fails printing selinux denied lines where systemd-tempfiles like this one:

Jun 04 14:37:01 localhost.localdomain audit[535]: <audit-1400> avc: denied { read } for pid=535 comm="systemd-tmpfile" name="group" dev="dm-1" ino=33851108 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0

Booting into single user, issuing 'touch /.autorelabel' and rebooting the system resolves the problem.

Comment 1 jamespharvey20 2015-06-07 21:06:17 UTC

Same error, using a minimal Fedora 22 netinst server install in a virtio VPS.  (Specifically, the least expensive VPS vultr offers.)

Noa Resare's fix of booting into single user, touching /.autorelabel, and rebooting, also resolves my problem.

A minimal Fedora 22 netinst server install on a local VMWare Workstation 11.1 works fine for me.

A "Fedora Server" rather than "Minimal Install" Fedora 22 netinst server works fine for me.

A minimal Fedora **21** netinst server install on the same virtio VPS platform works fine for me.

I'll add a bit more errors using journalctl through booting from the ISO and chroot:

audit[480]: <audit-1400> avc:  denied  { read } for  pid=480 comm="systemd-tmpfile" name="group" dev="dm-1" ino=34095484 scontex=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
audit[480]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0-7f6e81708e7 a1=80000 a2=1b6 a3=ac items=0 ppid=1 pid=480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
audit: <audit=1327> proctitle=2F757372...... <i'm re-typing this, hope this really long hex number doesn't matter>
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/legacy.conf:27] Unknown group 'lock'.
audit[480]: <audit-1400> avc:  denied...
audit[480]: <audit-1300> arch=...
audit: <audit=1327> proctitle=...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'man'.
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'utmp'
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-network'
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-network'
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-network'
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-journal'.
...
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-journal'.
systemd-tmpfiles[480]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
...
systemd-tmpfiles[480]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-journal'.
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'systemd-journal'.
systemd-tmpfiles[480]: Failed to parse ACL "d:group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
systemd-tmpfiles[480]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'utmp'.
systemd-tmpfiles[480]: [/usr/lib/tmpfiles.d/man-db.conf:1] Unknown group 'utmp'.

Comment 2 Michal Schmidt 2015-06-09 10:50:10 UTC


*** This bug has been marked as a duplicate of bug 1228489 ***

Note You need to log in before you can comment on or make changes to this bug.