Bug 179092 - unbootable becasue selinux denies access to ld.so.cache and libuuid.so.1.2
Summary: unbootable becasue selinux denies access to ld.so.cache and libuuid.so.1.2
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-01-27 12:29 UTC by Andy Burns
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-28 21:55:57 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Andy Burns 2006-01-27 12:29:37 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

Description of problem:
System upgraded to rawhide 2006-01-26

I was previosuly using selinux=0 due to baddly labelled security contexts

Today I realised that selinux=0 remained in my grub.conf, so removed it and rebooted, system not bootable due to ld.so.cache and libuuid.so.1.2 being blocked.



Version-Release number of selected component (if applicable):
rawhide 2006-01-26

How reproducible:
Didn't try

Steps to Reproduce:
1. happens every boot with selinux enabled, not tried fresh install ....
2.
3.
  

Actual Results:  security:  3 users, 6 roles, 1117 types, 132 bools, 1 sens, 256 cats
security:  55 classes, 37531 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
Losing some ticks... checking if CPU frequency changed.
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
INIT: version 2.86 booting
audit(1138364602.246:2): avc:  denied  { read } for  pid=437 comm="hostname" name="ld.so.cache" dev=dm-0 ino=69273384 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1138364602.370:3): avc:  denied  { execute } for  pid=440 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
mount: error while loadaudit(1138364602.390:4): avc:  denied  { execute } for  pid=441 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
ing shared libraaudit(1138364602.410:5): avc:  denied  { execute } for  pid=442 comm="mount" name="libuuid.so.1.2" dev=dm-0 ino=93388904 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
ries: libuuid.so.1: failed to map segment from shared object: Permission denied
mount: error while loading shared libraries: libuuid.so.1: failed to map segment from shared object: Permission denied
                Welcome to Fedora Core
                Press 'I' to enter interactive startup.
audit(1138364603.126:6): avc:  denied  { read } for  pid=455 comm="hwclock" name="ld.so.cache" dev=dm-0 ino=69273384 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Setting clock  (utc): Fri Jan 27 12:23:24 GMT 2006 [  OK  ]
Starting udev:[  OK  ]
mount: error while loading shared libraries: libuuid.so.1: failed to map segment from shared object: Permission denied
Setting hostname htpc.lan:  [  OK  ]
No RAID disks
Setting up Logical Volume Management:   2 logical volume(s) in volume group "vg00" now active
[  OK  ]
Checking filesystems
fsck: error while loading shared libraries: libuuid.so.1: cannot open shared object file: No such file or directory
[FAILED]

*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
*** when you leave the shell.
*** Warning -- SELinux is active
*** Disabling security enforcement for system recovery.
*** Run 'setenforce 1' to reenable.
Give root password for maintenance



Additional info:
Comment 1 Daniel Walsh 2006-01-28 21:20:28 UTC 
You need to relabel your system.

touch /.autorelabel
reboot
You might have to boot in permissive mode.  Any time you run with selinux=0
files will get mislabeled.  You are always better to boot with enforcing=0 so
that file contexts are maintained.
Comment 2 Andy Burns 2006-01-28 21:55:57 UTC 
the relabel fixed it, is the mere presence of the .autorelabel the trigger, or
it's timestamp relative to something else?

Thanks for the enforcing=0 tip too, I still have quite a blindspot about
selinux, so it seems that jumping to selinx=0 can be a short term cure, but
longer term headache, though many people on the devel and test lists recommend
selinux=0 at the first hint of an selinux issue :-(
Comment 3 Daniel Walsh 2006-01-28 22:09:11 UTC 
That is unfortunate.  Next time you see it maybe you can make this comment.
Note You need to log in before you can comment on or make changes to this bug.