1710083 – Selinux policy 0:3.13.1-229.el7_6.12 causes "Login Incorrect" (system unusable)

Bug 1710083 - Selinux policy 0:3.13.1-229.el7_6.12 causes "Login Incorrect" (system unusable)

Summary: Selinux policy 0:3.13.1-229.el7_6.12 causes "Login Incorrect" (system unusable)

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	BLL.HostedEngine
Sub Component:
Version:	4.3.3.7
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Doron Fediuck
QA Contact:	meital avital
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-14 20:28 UTC by Strahil Nikolov
Modified:	2019-07-05 15:47 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-05 15:47:18 UTC
oVirt Team:	Rel-Eng
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
VNC console of HostedEngine after step 5 (258.27 KB, image/png) 2019-05-14 20:28 UTC, Strahil Nikolov	no flags	Details
VNC console of HostedEngine after step 5 (11.16 KB, image/png) 2019-05-15 17:03 UTC, Strahil Nikolov	no flags	Details
Show Obsolete (1) View All

Description Strahil Nikolov 2019-05-14 20:28:17 UTC

Created attachment 1568651 [details]
VNC console of HostedEngine after step 5

Description of problem:
After updating the selinux packages (needed several tries until figuring the guilty) the VNC console receives always "Login Incorrect" and the system never comes up.
No login prompt available.

Version-Release number of selected component (if applicable):

---> Пакет selinux-policy.noarch 0:3.13.1-229.el7_6.9  ---> Old
---> Пакет selinux-policy.noarch 0:3.13.1-229.el7_6.12 ---> BROKEN
---> Пакет selinux-policy-targeted.noarch 0:3.13.1-229.el7_6.9 ---> Old
---> Пакет selinux-policy-targeted.noarch 0:3.13.1-229.el7_6.12 ---> BROKEN

How reproducible:
Rolled back several times until pinpointing SELINUX

Steps to Reproduce:
1.Update from 0:3.13.1-229.el7_6.9 to 0:3.13.1-229.el7_6.12
2.Force relabel on next boot:
touch /.autorelable
3.Power down the HostedEngine VM
4.Power up the system
5.After relabel power up


Actual results:
Receive a constant flow of "Login Incorrect" message on the console

Expected results:
Login prompt and proper booting of the system to happen.

Additional info:
Workaround1: Add "enforcing=0" kernel parameter if grub timeout is larger than the default
Workaround2: Boot the HostedEngine from a rescue DVD and rollback  (from a chroot) the latest update via 'yum history undo last'

Comment 1 Strahil Nikolov 2019-05-14 20:50:40 UTC

Step 2 contains error. 
Should be: touch /.autorelabel

Comment 2 Strahil Nikolov 2019-05-15 11:42:38 UTC

Note: The attached screenshot is wrong , I will provide the correct one later today.

Comment 3 Strahil Nikolov 2019-05-15 17:03:06 UTC

Created attachment 1569113 [details]
VNC console of HostedEngine after step 5

The first attachment was wrong, so now I'm attaching the real one.

Comment 4 Strahil Nikolov 2019-07-05 15:47:18 UTC

Fixed this via reinstall of selinux rpms and full relabel

Note You need to log in before you can comment on or make changes to this bug.