Bug 1692903 - Disabled SELinux && --norootpass produces unbootable images
Summary: Disabled SELinux && --norootpass produces unbootable images
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-arm-installer
Version: rawhide
Hardware: aarch64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Whalen
QA Contact: Fedora Extras Quality Assurance
URL: https://pagure.io/arm-image-installer...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-26 16:34 UTC by Jan Kratochvil
Modified: 2019-07-06 04:09 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-06 04:09:14 UTC


Attachments (Terms of Use)
journalctl from SELINUX=enabled image created on SELINUX=disabled host (300.42 KB, text/plain)
2019-03-26 16:34 UTC, Jan Kratochvil
no flags Details

Description Jan Kratochvil 2019-03-26 16:34:00 UTC
Created attachment 1548154 [details]
journalctl from SELINUX=enabled image created on SELINUX=disabled host

Description of problem:
I was struggling to create a simple bootable image for Raspberry Pi 3B+:
  Raspberry Pi 3B+ fails to boot aarch64 image
  https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org/thread/TAQQM2BQTPHVEDAL5N4PLWVIZDADUK5H/
I have finally found why.

Version-Release number of selected component (if applicable):
arm-image-installer-2.10-1.fc29.noarch

How reproducible:
Always.

Steps to Reproduce:
echo >/etc/sysconfig/selinux SELINUX=disabled
reboot
fedora-arm-image-installer --image=...
Boot Raspberry Pi 3B+ with the image.

Actual results:
        https://www.jankratochvil.net/t/rpi3fail.jpg
        [FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
        ...
        [FAILED] Failed to start Modem Manager

Expected results:
Booted system.

Additional info:
The fix is to mount the image and set SELINUX=disabled also in the image.
It then boots for me with "3" into a text login prompt.
The default graphical boot still does not work but that is some different problem.

Comment 1 Peter Robinson 2019-03-26 16:37:07 UTC
Why are you disabling SELinux? At worst you should be putting it in permissive mode. Also no sure what this has to do with arm-image-installer

Comment 2 Jan Kratochvil 2019-03-26 16:48:12 UTC
(In reply to Peter Robinson from comment #1)
> Why are you disabling SELinux?

That is offtopic for this Bug.  Fedora does have such option.

> At worst you should be putting it in permissive mode.

That is offtopic for this Bug.  Fedora does have such option.

> Also no sure what this has to do with arm-image-installer

Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug instead of arm-image-installer for example just printing a fatal error:
  Building images on host with disabled SELinux is not supported.

I see now there are --selinux=off and --relabel options but I had no idea the failing Raspberry boots are due to SELinux.

(Only after realizing the failing boot records its messages to the USB drive itself which can be investigated afterwards, it looks simple but I did not realize it before.)

Comment 3 Peter Robinson 2019-03-26 16:52:21 UTC
(In reply to Jan Kratochvil from comment #2)
> (In reply to Peter Robinson from comment #1)
> > Why are you disabling SELinux?
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > At worst you should be putting it in permissive mode.
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > Also no sure what this has to do with arm-image-installer

Arguably you disabling SELinux and reporting the problem is "offtopic for this package" so it is completely relevant for this bug to ascertain whether the bug is actually in this package. Please do not be rude.

> Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug
> instead of arm-image-installer for example just printing a fatal error:
>   Building images on host with disabled SELinux is not supported.
> 
> I see now there are --selinux=off and --relabel options but I had no idea
> the failing Raspberry boots are due to SELinux.

I believe SELinux is completely unrelated to the problem and that this has nothing to do what so ever with arm-image-installer

> (Only after realizing the failing boot records its messages to the USB drive
> itself which can be investigated afterwards, it looks simple but I did not
> realize it before.)

Comment 4 Jan Kratochvil 2019-03-26 17:06:05 UTC
(In reply to Peter Robinson from comment #3)
> I believe SELinux is completely unrelated to the problem and that this has
> nothing to do what so ever with arm-image-installer

This Bug is fixable on my host system configuration by:
  echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

If this is not the proper fix you as the package owner should suggest a better one. But this fix does work for me.

Comment 5 Peter Robinson 2019-03-26 17:13:38 UTC
> This Bug is fixable on my host system configuration by:
>   echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

Disabling SELinux is not a fix, it's a work around.

> If this is not the proper fix you as the package owner should suggest a
> better one. But this fix does work for me.

You need to describe the problem you are seeing that you believe this issue fixes when booting the image. You need state exactly which image you are using, the full file name would provide the details.

Comment 6 Jan Kratochvil 2019-03-26 17:35:52 UTC
The problem I was seeing before my proposed fix is described in Comment 0.
It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+ from my Fedora 29 x86_64 host.

(In reply to Peter Robinson from comment #5)
> Disabling SELinux is not a fix, it's a work around.

As long as normal Fedora supports SELINUX=disabled (which AFAIK it does) fedora-arm-image-installer should also support creating ARM images with SELINUX=disabled.

Currently fedora-arm-image-installer creating SELINUX=enabled image on SELINUX=disabled host will quietly create an unbootable image.  That is this Bug.

fedora-arm-image-installer should either exit with error in such case or fix up the image somehow - maybe automatically enable --relabel? I haven't tried that.

Comment 7 Paul Whalen 2019-03-26 18:03:25 UTC
(In reply to Jan Kratochvil from comment #6)
> The problem I was seeing before my proposed fix is described in Comment 0.
> It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and
> from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+
> from my Fedora 29 x86_64 host.
> 
> (In reply to Peter Robinson from comment #5)
> > Disabling SELinux is not a fix, it's a work around.
> 
> As long as normal Fedora supports SELINUX=disabled (which AFAIK it does)
> fedora-arm-image-installer should also support creating ARM images with
> SELINUX=disabled.

The arm-image-installer writes out the arm images and makes some small tweaks
to the media. It is not a true 'installer'. 

> 
> Currently fedora-arm-image-installer creating SELINUX=enabled image on
> SELINUX=disabled host will quietly create an unbootable image.  That is this
> Bug.

It will write what ever image you give it, there is no guarantee it will boot
on your hardware. If you do run into bugs, please file it on the appropriate
package. 

> 
> fedora-arm-image-installer should either exit with error in such case or fix
> up the image somehow - maybe automatically enable --relabel? I haven't tried
> that.

On the Fedora 30 aarch64 Workstation image, there is a gnome-shell crash on the
rpi3. It is unrelated to this package.

Comment 8 Jan Kratochvil 2019-03-26 18:32:36 UTC
(In reply to Paul Whalen from comment #7)
> The arm-image-installer writes out the arm images and makes some small tweaks
> to the media. It is not a true 'installer'.

If it is not an installer rename it to arm-image-tweaker.  But that still would not solve its bugs.


> It will write what ever image you give it, there is no guarantee it will boot
> on your hardware. If you do run into bugs, please file it on the appropriate
> package. 

The bug is in fedora-arm-installer because --norootpass modifies image's /etc/passwd corrupting its SELinux context.


I sure disagree with closing this Bug but next people facing this Bug can at least google out this bugreport how to fix it.

Comment 9 Paul Whalen 2019-03-26 18:43:17 UTC
(In reply to Jan Kratochvil from comment #8)
> (In reply to Paul Whalen from comment #7)
> > The arm-image-installer writes out the arm images and makes some small tweaks
> > to the media. It is not a true 'installer'.
> 
> If it is not an installer rename it to arm-image-tweaker.  But that still
> would not solve its bugs.

I am happy to fix the bugs you encounter, but the description thus far has been of 
issues outside the script. 

> 
> 
> > It will write what ever image you give it, there is no guarantee it will boot
> > on your hardware. If you do run into bugs, please file it on the appropriate
> > package. 
> 
> The bug is in fedora-arm-installer because --norootpass modifies image's
> /etc/passwd corrupting its SELinux context.

This is the first you mentioned using that option in this bug. Indeed that would
be an issue with the installer. I can look at that. 

> 
> I sure disagree with closing this Bug but next people facing this Bug can at
> least google out this bugreport how to fix it.

In the future it would be helpful for you to include all relevant information in
the bug- the command and image used at a minimum.

Comment 10 Jan Kratochvil 2019-03-26 20:01:02 UTC
(In reply to Paul Whalen from comment #9)
> In the future it would be helpful for you to include all relevant
> information in the bug- the command and image used at a minimum.

OK, sorry, only later I realized it is due to --norootpass which I have always used.
Originally I expected any usage of fedora-arm-image-installer from SELINUX=disabled host does reproduce this problem.

fedora-arm-image-installer --image=Fedora-Workstation-30-20190315.n.0.aarch64.raw.xz --media=/dev/sda --resizefs --target=rpi3 --norootpass

Comment 11 Jan Kratochvil 2019-06-25 11:13:42 UTC
https://pagure.io/arm-image-installer/pull-request/38

Comment 12 Fedora Update System 2019-06-26 18:54:18 UTC
FEDORA-2019-2dd9f78d69 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2dd9f78d69

Comment 13 Fedora Update System 2019-06-27 01:41:45 UTC
arm-image-installer-2.13-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cd0e1fc4b

Comment 14 Fedora Update System 2019-06-27 02:43:47 UTC
arm-image-installer-2.13-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2dd9f78d69

Comment 15 Fedora Update System 2019-07-06 04:09:14 UTC
arm-image-installer-2.13-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.