Description of problem:

Forcing an autorelabel operation (touch /.autorelabel) can break the system:

* boot loops; recovery only by booting into init 1 level and removing /.autorelabel manually
* various files (all SELinux .pp modules) are zeroed

This might be a bug in systemctl's "reboot" command which shuts down the system in an unclean way although only a single "--force" has been given.

E.g. in the file /lib/systemd/rhel-autorelabel there is executed:

| rm -f /.autorelabel
| /usr/lib/dracut/dracut-initramfs-restore
| systemctl --force reboot

I did a

| ls -l /etc/selinux/targeted/modules/active/base.pp

at the beginning of the file and immediately before the 'systemctl reboot'. On a fresh system where autorelabel has been forced, both 'ls' showed 'base.pp' with a correct size. System rebooted, jumped into the autorelabel service again and 'ls' showed 'base.pp' with a size of '0'.

Putting a 'sync' before 'systemctl' seems to solve the problem.

Kernel cmdline is

| BOOT_IMAGE=/vmlinuz-3.10.0-327.36.2.el7.x86_64 root=/dev/mapper/vg00-root ro panic=180 crashkernel=auto rd.lvm.lv=vg00/root rd.lvm.lv=vg01/swap console=ttyS0 LANG=en_US.UTF-8

*NOTE* / is on an LVM volume; system is a KVM guest

Version-Release number of selected component (if applicable):

initscripts-9.49.30-1.el7_2.3.x86_64
systemd-219-19.el7_2.13.x86_64
selinux-policy-3.13.1-60.el7_2.9.noarch

How reproducible:

100%

Steps to Reproduce:

1. touch /.autorelabel
2. reboot

Actual results:

* system boots over and over again and relabels filesystem every time
* some files (all SELinux policy .pp modules) are corrupted

Expected results:

* system reboots only once
'strace -f -p 1' and 'systemctl --force reboot' shows

| munmap(0x7f72bd53c000, 1359872) = 0
| open("/dev/watchdog", O_WRONLY|O_CLOEXEC) = 3
| ioctl(3, SNDRV_RAWMIDI_IOCTL_PVERSION or WDIOC_GETSUPPORT, 0x7ffe87d3b9d0) = 0
| sendmsg(37, {msg_name(0)=NULL, msg_iov(4)=[{"PRIORITY=6\nSYSLOG_FACILITY=3\nCODE_FILE=src/shared/watchdog.c\nCODE_LINE=87\nCODE_FUNCTION=open_watchdog\nSYSLOG_IDENTIFIER=systemd\n", 128}, {"MESSAGE=", 8}, {"Hardware watchdog 'i6300ESB timer', version 0", 45}, {"\n", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 182
| ioctl(3, WDIOC_SETTIMEOUT, 0x7ffe87d3b95ESC[HESC

[the "ESC[..." strings are the grub boot menu] without a prior unmounting or syncing of disks.
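Added example (not part of the original report and not initscripts code): a shell function that checks a root tree for the two symptoms described in this report, a surviving /.autorelabel flag and zero-length .pp files under etc/selinux/*/modules/active. The function name, the optional ROOT argument (useful for a mounted guest image or rescue environment) and the FLAG/ZERO output prefixes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect the damage pattern from this bug report.
# Usage: autorelabel_damage_check [ROOT]    (ROOT defaults to /)
# Returns 0 if neither symptom is found, 1 otherwise.
# Name, argument and output format are hypothetical.
autorelabel_damage_check() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", so the paths below stay absolute
    status=0

    # Symptom 1: the flag file is still there, so the next boot will
    # start the relabel (and the forced reboot) again.
    if [ -e "$root/.autorelabel" ]; then
        echo "FLAG  $root/.autorelabel still present"
        status=1
    fi

    # Symptom 2: zero-length policy modules. The report names
    # targeted/modules/active/base.pp; the glob covers any policy
    # store with the same layout, and find recurses below it.
    for store in "$root"/etc/selinux/*/modules/active; do
        [ -d "$store" ] || continue    # unmatched glob or missing store
        zeroed=$(find "$store" -type f -name '*.pp' -size 0 | sort)
        if [ -n "$zeroed" ]; then
            echo "$zeroed" | sed 's/^/ZERO  /'
            status=1
        fi
    done

    return $status
}
```

A non-zero return on a machine that has just relabelled means the policy store should be restored before the next reboot.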
The pull-request for this change is now merged into RHEL-7 branch: https://github.com/fedora-sysv/initscripts/pull/91
This is now part of RHEL-7 branch: https://github.com/fedora-sysv/initscripts/pull/95
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2286