Bug 1385272 - rhel-autorelabel service corrupts filesystem
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: initscripts
Version: 7.2
Hardware: x86_64
OS: Unspecified
Target Milestone: rc
Assignee: David Kaspar // Dee'Kej
QA Contact: Leos Pol
Filip Hanzelka
Depends On:
Blocks: 1380361 1393867 1400961
Reported: 2016-10-15 20:40 UTC by Enrico Scholz
Modified: 2017-08-02 07:36 UTC

Fixed In Version: initscripts-9.49.39-1.el7
Doc Type: Release Note
Doc Text:
*rhel-autorelabel* no longer corrupts the filesystem
In previous versions of Red Hat Enterprise Linux 7, forcing the SELinux autorelabel by creating the `/.autorelabel` file sometimes partially corrupted the filesystem. This made the system unbootable. A patch has been applied to prevent this behaviour. As a result, applying the *autorelabel* operation using the "touch /.autorelabel" command is no longer expected to corrupt the filesystem.
Clone Of:
Last Closed: 2017-08-01 07:29:01 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2286 0 normal SHIPPED_LIVE initscripts bug fix and enhancement update 2017-08-01 11:26:43 UTC

Description Enrico Scholz 2016-10-15 20:40:44 UTC
Description of problem:

Forcing an autorelabel operation (touch /.autorelabel) can break the system:

* boot loops; recovery only by booting into init 1 level and removing /.autorelabel manually

* various files (all SELinux .pp modules) are zeroed

This might be a bug in systemctl's "reboot" command, which shuts down the system in an unclean way although only a single "--force" has been given.

E.g. in the file /lib/systemd/rhel-autorelabel the following is executed:

|    rm -f  /.autorelabel
|    /usr/lib/dracut/dracut-initramfs-restore
|    systemctl --force reboot

I did a

| ls -l /etc/selinux/targeted/modules/active/base.pp

at the beginning of the file and immediately before the 'systemctl reboot'.  On a fresh system where autorelabel has been forced, both 'ls' showed 'base.pp' with a correct size.

System rebooted, jumped into the autorelabel service again and 'ls' showed 'base.pp' with a size of '0'.

Putting a 'sync' before 'systemctl' seems to solve the problem.

Kernel cmdline is

| BOOT_IMAGE=/vmlinuz-3.10.0-327.36.2.el7.x86_64 root=/dev/mapper/vg00-root ro panic=180 crashkernel=auto rd.lvm.lv=vg00/root rd.lvm.lv=vg01/swap console=ttyS0 LANG=en_US.UTF-8

*NOTE*  / is on an LVM volume;  system is a KVM guest

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. touch /.autorelabel
2. reboot

Actual results:

* system boots over and over again and relabels filesystem every time

* some files (all SELinux policy .pp modules) are corrupted

Expected results:

* system reboots only once

Comment 1 Enrico Scholz 2016-10-15 20:56:15 UTC
'strace -f -p 1' and 'systemctl --force reboot' show

| munmap(0x7f72bd53c000, 1359872)         = 0
| open("/dev/watchdog", O_WRONLY|O_CLOEXEC) = 3
| ioctl(3, SNDRV_RAWMIDI_IOCTL_PVERSION or WDIOC_GETSUPPORT, 0x7ffe87d3b9d0) = 0
| sendmsg(37, {msg_name(0)=NULL, msg_iov(4)=[{"PRIORITY=6\nSYSLOG_FACILITY=3\nCODE_FILE=src/shared/watchdog.c\nCODE_LINE=87\nCODE_FUNCTION=open_watchdog\nSYSLOG_IDENTIFIER=systemd\n", 128}, {"MESSAGE=", 8}, {"Hardware watchdog 'i6300ESB timer', version 0", 45}, {"\n", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 182
| ioctl(3, WDIOC_SETTIMEOUT, 0x7ffe87d3b95ESC[HESC

  [the "ESC[..." strings are the grub boot menu]

without a prior unmounting or syncing of disks.
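
The two symptoms reported above (zero-length SELinux `.pp` modules and a `/.autorelabel` flag file that survives the reboot) can be checked for with a short script. This is an added example, not code from the bug report or from initscripts; the function names, the return-code scheme and the sample tree (including `modules/ok.pp`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the damage described in this bug report.
# check_autorelabel_damage ROOT
#   ROOT is the filesystem root to inspect ("/" on a live system, or the
#   mount point of the affected disk when working from a rescue boot).
# Return code (hypothetical scheme): 0 = no symptom, 1 = zero-length .pp
# modules found, 2 = /.autorelabel still present, 3 = both.
check_autorelabel_damage() {
    root=${1:-/}
    moddir="${root%/}/etc/selinux/targeted/modules/active"
    rc=0

    # Symptom 1: policy modules truncated to 0 bytes.
    if [ -d "$moddir" ]; then
        zeroed=$(find "$moddir" -type f -name '*.pp' -size 0 | sort)
        if [ -n "$zeroed" ]; then
            echo "zero-length policy modules:"
            echo "$zeroed" | sed 's/^/  /'
            rc=$((rc + 1))
        fi
    else
        echo "note: $moddir not found"
    fi

    # Symptom 2: the flag file was not removed durably, so the relabel
    # (and the reboot that follows it) repeats on every boot.
    if [ -e "${root%/}/.autorelabel" ]; then
        echo "flag file still present: ${root%/}/.autorelabel"
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Constructed sample tree that reproduces both symptoms, for an offline run.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/selinux/targeted/modules/active/modules"
    : > "$d/etc/selinux/targeted/modules/active/base.pp"      # zeroed file
    echo data > "$d/etc/selinux/targeted/modules/active/modules/ok.pp"
    : > "$d/.autorelabel"                                     # stale flag
    echo "$d"
}
```

Run `check_autorelabel_damage /` on a booted system, or pass the mount point of the root volume when inspecting it from rescue media.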

Comment 4 David Kaspar // Dee'Kej 2017-04-20 10:51:42 UTC
The pull-request for this change is now merged into RHEL-7 branch:

Comment 5 David Kaspar // Dee'Kej 2017-05-03 10:24:57 UTC
This is now part of RHEL-7 branch:

Comment 13 errata-xmlrpc 2017-08-01 07:29:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
