Bug 1263570 - Selinux prevents system from rebooting after update to new policy
Summary: Selinux prevents system from rebooting after update to new policy
Keywords:
Status: CLOSED DUPLICATE of bug 1224211
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F23FinalBlocker
Reported: 2015-09-16 08:27 UTC by Petr Schindler
Modified: 2015-09-28 07:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-28 07:51:36 UTC
Type: Bug
Embargoed:



Description Petr Schindler 2015-09-16 08:27:35 UTC
Description of problem:
Output of journalctl after I tried to reboot (with `reboot`):
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Registered Authentication Agent for unix-process:27011:578421 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service
                                                      exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Unregistered Authentication Agent for unix-process:27011:578421 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What I get:
# reboot
Failed to start reboot.target: Access denied

The same thing happens with poweroff.

I was able to reboot after I turned selinux off. After reboot I haven't met any problems. Everything seems to work after reboot.

Version-Release number of selected component (if applicable):
selinux-policy{,-targeted}-3.13.1-147.fc23.noarch

How reproducible:
I tested on a virtual machine and a bare metal machine

Steps to Reproduce:
1. Do installation from RC1 Server DVD
2. Boot to system and update it (dnf update)

Actual results:
The user will be unable to reboot without setting selinux to permissive

Expected results:


Additional info:
I propose this as final blocker (as it is in updates-testing and probably won't get to beta) as it violates the alpha criterion: It must be possible to trigger a clean system shutdown using standard console commands.

Comment 1 Miroslav Grepl 2015-09-17 09:14:20 UTC
Petr,
can you really confirm that you get this AVC with

selinux-policy{,-targeted}-3.13.1-147.fc23.noarch

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t power_unit_file_t:service start;

Comment 2 Kamil Páral 2015-09-17 12:03:03 UTC
The same problem occurs on F22 with selinux-policy-3.13.1-128.13.fc22. Until reboot, systemctl can't be used (*any* command). After reboot, everything is fine. Offline updates are not affected, just live dnf updates.

Comment 3 Thomas Schneider 2015-09-17 20:38:43 UTC
I believe that I suffered from the same bug yesterday, and so did several users in #fedora.  It seems that the fix is as simple as `systemctl daemon-reexec`; however, I do not know enough about SELinux to tell whether this is really sufficient, why it is even necessary, etc.  A reboot, of course including a restart of systemd, also works.
#1261747 appears to be the very same problem.

Comment 4 Miroslav Grepl 2015-09-21 07:26:08 UTC
You are correct,

`systemctl daemon-reexec`

is needed. The problem is with a policy update which is not paired with a systemd update. There are backported policy changes which also require a systemd reload to make SELinux+systemd work correctly.
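An added example, not code from the bug report or any of its commenters: a small POSIX shell helper that parses an audit record of the kind quoted in the description and tells a denial raised by systemd (pid 1, USER_AVC) apart from an ordinary kernel AVC, so that the remedy from comment 4 is suggested only where it applies. It assumes, consistent with comments 1 and 4, that systemd decides unit access with the policy it loaded at its own start, which is why the kernel policy can already allow the rule while systemd still denies it; SAMPLE_AVC is constructed from the record in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or its commenters.
# It parses a USER_AVC record like the one in this bug and tells
# a denial raised by systemd (pid 1) apart from a kernel AVC.
# systemd checks unit access against the policy loaded when it
# started, so after a selinux-policy update such a denial calls
# for `systemctl daemon-reexec` (comment 4). SAMPLE_AVC is
# constructed from the record quoted in the report.

SAMPLE_AVC="audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 \
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 \
gid=0 path=\"/usr/lib/systemd/system/reboot.target\" cmdline=\"reboot\" \
scontext=unconfined_u:unconfined_r:unconfined_t:s0 \
tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service \
exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"

# avc_field RECORD KEY: print KEY's value with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: the permission named inside "{ ... }", e.g. start.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  { *\([a-z_]*\) *}.*/\1/p'
}

# classify_avc RECORD: userspace-systemd | userspace-other | kernel | other
classify_avc() {
    case $1 in
        *"USER_AVC pid=1 "*) echo userspace-systemd ;;
        *USER_AVC*)          echo userspace-other ;;
        *"avc:  denied"*)    echo kernel ;;
        *)                   echo other ;;
    esac
}

# remedy_for RECORD: the first thing an administrator should try.
remedy_for() {
    case $(classify_avc "$1") in
        userspace-systemd) echo "systemctl daemon-reexec" ;;
        kernel)            echo "inspect policy with sesearch/audit2allow" ;;
        userspace-other)   echo "restart the denying daemon (pid $(avc_field "$1" pid))" ;;
        *)                 echo "not an AVC denial" ;;
    esac
}

if [ "${1:-}" = --demo ]; then
    printf '%s: %s\n' "$(classify_avc "$SAMPLE_AVC")" "$(remedy_for "$SAMPLE_AVC")"
fi
```

On a live system the same functions can be fed one record at a time from `ausearch -m USER_AVC` or `journalctl -o cat` output.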

Comment 5 Adam Williamson 2015-09-23 15:13:35 UTC
Discussed at 2015-09-22 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-22/f23-blocker-review.2015-09-22-16.00.html . We agreed that there is not sufficient data to determine whether this is a release blocking issue.

The release blocker process mainly relates to the packages on the frozen release media - the live images, Server DVD and so on. Is there any circumstance in which this bug would cause a problem if some version of selinux-policy were on the frozen media, or is it an issue that can only happen when doing a package update, and that could thus always be fixed with an update? Thanks!

Comment 6 François Kooman 2015-09-28 07:51:36 UTC

*** This bug has been marked as a duplicate of bug 1224211 ***