Bug 1263570 - Selinux prevents system from rebooting after update to new policy
Status: CLOSED DUPLICATE of bug 1224211
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Blocks: F23FinalBlocker
Reported: 2015-09-16 04:27 EDT by Petr Schindler
Modified: 2015-09-28 03:51 EDT
Last Closed: 2015-09-28 03:51:36 EDT
Type: Bug
Description Petr Schindler 2015-09-16 04:27:35 EDT
Description of problem:
Output of journalctl after I tried to reboot (with `reboot`):
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Registered Authentication Agent for unix-process:27011:578421 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service
                                                      exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Unregistered Authentication Agent for unix-process:27011:578421 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What I get:
# reboot
Failed to start reboot.target: Access denied

The same thing happens with poweroff.

I was able to reboot after I turned selinux off. After reboot I haven't met any problem. Everything seems to work after reboot.

Version-Release number of selected component (if applicable):

How reproducible:
I tested with virtual machine and bare metal machine

Steps to Reproduce:
1. Do installation from RC1 Server DVD
2. Boot to system and update it (dnf update)

Actual results:
User will be unable to reboot without setting selinux to permissive

Expected results:

Additional info:
I propose this as final blocker (as it is in updates-testing and probably won't get to beta) as it violates the alpha criterion: It must be possible to trigger a clean system shutdown using standard console commands.
Comment 1 Miroslav Grepl 2015-09-17 05:14:20 EDT
can you really confirm, you get this AVC with


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t power_unit_file_t:service start;
Comment 2 Kamil Páral 2015-09-17 08:03:03 EDT
The same problem occurs on F22 with selinux-policy-3.13.1-128.13.fc22. Until reboot, systemctl can't be used (*any* command). After reboot, everything is fine. Offline updates are not affected, just live dnf updates.
Comment 3 Thomas Schneider 2015-09-17 16:38:43 EDT
I believe that I suffered from the same bug yesterday, and so did several users in #fedora.  It seems that the fix is as simple as `systemctl daemon-reexec`, I however do not know enough about SELinux to tell whether this is really sufficient, why it is even necessary etc.  A reboot, of course including a restart of systemd, also works.
#1261747 appears to be the very same problem.
Comment 4 Miroslav Grepl 2015-09-21 03:26:08 EDT
You are correct,

`systemctl daemon-reexec`

is needed. The problem is with a policy update which is not paired with a systemd update. There are backported policy changes which also require a systemd reload to make SELinux+systemd work correctly.
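
Added example, not part of the original thread or of any Fedora tooling: the check below ties comments 1 and 4 together by parsing the USER_AVC record from the description and comparing it with the allow rule that audit2allow printed. A denial that pid 1 reports for class service but that the supplied rules already permit is tagged stale-systemd, the case the thread resolves with `systemctl daemon-reexec`. The function names, the verdict labels and the simplified allow-rule parser are assumptions of this example.

```python
import re

# Journal lines from the report above (polkitd line abridged, audit record joined onto one line).
SAMPLE_JOURNAL = """\
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Registered Authentication Agent for unix-process:27011:578421
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""
SAMPLE_POLICY = "allow unconfined_t power_unit_file_t:service start;"  # rule from comment 1

AVC_RE = re.compile(
    r'USER_AVC pid=(?P<pid>\d+) .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'(?:.*?path="(?P<path>[^"]*)")?'  # path is absent on some records
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)'
)
ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;')

def type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse_allow_rules(policy_text):
    """Collect (source_type, target_type, class, perm) tuples from allow rules."""
    rules = set()
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy_text):
        for perm in (braced or single).split():
            rules.add((src, tgt, cls, perm))
    return rules

def systemd_service_denials(journal_text):
    """Yield USER_AVC denials on class 'service' that pid 1 (systemd) reported."""
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["pid"] != "1" or m["tclass"] != "service":
            continue
        for perm in m["perms"].split():
            yield {"unit": m["path"], "perm": perm,
                   "source": type_of(m["scontext"]), "target": type_of(m["tcontext"])}

def triage(journal_text, policy_text):
    """Tag a denial 'stale-systemd' when the given policy rules already allow it."""
    rules = parse_allow_rules(policy_text)
    results = []
    for d in systemd_service_denials(journal_text):
        key = (d["source"], d["target"], "service", d["perm"])
        results.append({**d, "verdict": "stale-systemd" if key in rules else "policy-denies"})
    return results

if __name__ == "__main__":
    for d in triage(SAMPLE_JOURNAL, SAMPLE_POLICY):
        print(d["unit"], d["source"], d["target"], d["perm"], d["verdict"])
```
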
Comment 5 Adam Williamson 2015-09-23 11:13:35 EDT
Discussed at 2015-09-22 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-22/f23-blocker-review.2015-09-22-16.00.html . We agreed that there is not sufficient data to determine whether this is a release blocking issue.

The release blocker process mainly relates to the packages on the frozen release media - the live images, Server DVD and so on. Is there any circumstance in which this bug would cause a problem if some version of selinux-policy were on the frozen media, or is it an issue that can only happen when doing a package update, and that could thus always be fixed with an update? Thanks!
Comment 6 François Kooman 2015-09-28 03:51:36 EDT

*** This bug has been marked as a duplicate of bug 1224211 ***
