Bug 178125 - rc.sysinit complaining after selinux policy rebuild
Summary: rc.sysinit complaining after selinux policy rebuild
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Keywords: SELinux
Depends On:
Blocks: FC5Target
TreeView+ depends on / blocked
 
Reported: 2006-01-17 21:32 UTC by Nicolas Mailhot
Modified: 2014-03-17 02:57 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-27 06:20:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
system dmesg after relabel boot (34.46 KB, text/plain)
2006-01-17 22:06 UTC, Nicolas Mailhot
no flags Details
audit.log on the same system, starting with last auditd start (5.80 KB, application/x-bzip)
2006-01-17 22:07 UTC, Nicolas Mailhot
no flags Details

Description Nicolas Mailhot 2006-01-17 21:32:31 UTC
Description of problem:

after a policy rebuild rc.sysinit will complain about a write error invalid
argument on line 73

Version-Release number of selected component (if applicable):

initscripts-8.20-1

How reproducible:

always

Steps to Reproduce:
1. touch /.autorelabel
2. reboot
3. read system messages after the relabeling ended

Comment 1 Daniel Walsh 2006-01-17 21:49:01 UTC
What error messages are you seeing?  Are you seeing any AVC messages in
/var/log/audit/audit.log or /var/log/messages?

Comment 2 Nicolas Mailhot 2006-01-17 21:58:01 UTC
Well, I don't know if it's relevant or not - I usually ignore the avcs during
the policy relabel boot. Anyway, my dmesg says has a lot of things in it
(luckily I haven't rebooted yet)

This is using policy 2.1.12-2, I think the problem is older

Comment 3 Daniel Walsh 2006-01-17 22:05:50 UTC
Could you attach those avc messages?

Comment 4 Nicolas Mailhot 2006-01-17 22:06:44 UTC
Created attachment 123336 [details]
system dmesg after relabel boot

Comment 5 Nicolas Mailhot 2006-01-17 22:07:29 UTC
Created attachment 123337 [details]
audit.log on the same system, starting with last auditd start

Comment 6 Nicolas Mailhot 2006-01-17 22:20:47 UTC
The actual sysinit error deos not seem to have been logged anywhere (sorry about
the lag, network is fluctuating wildly there)

Comment 7 Bill Nottingham 2006-01-17 22:34:29 UTC
Hm, line 73 is where it resets the SELinux mode (enforcing, permissive, etc.)

So this would imply that before it started relabeling, it's running in the wrong
domain, and can't change the mode back? I suppose we would need to catch that
and then reboot, but without the error message, not sure what we'd check for. :/

Comment 8 Daniel Walsh 2006-01-17 22:49:14 UTC
It Should be running in initrc_t.  

Many fixes in policy for fetchmail problems.

if id -Z not = initrc_t reboot.

Or if it could tell init to start the rc script again?
Of course init needs to be running as init_t...




Comment 9 Bill Nottingham 2006-01-17 22:59:53 UTC
The test at the moment is:

REBOOTFLAG=`restorecon -v /sbin/init`

(i.e., if init has the wrong context on the file, then reboot.)

Should we just check for initrc_t instead?

Comment 10 Daniel Walsh 2006-01-27 06:20:48 UTC
No that is fine.  


Note You need to log in before you can comment on or make changes to this bug.