Bug 1838762 - error "Failed to load selinux policy, freezing" on boot due to corrupted SELinux policy files
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libsemanage
Version: 8.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Petr Lautrbach
QA Contact: Milos Malik
Depends On: 1835254
Reported: 2020-05-21 18:12 UTC by Lukas Vrabec
Modified: 2020-11-04 02:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1835254
Last Closed: 2020-11-04 02:12:00 UTC
Type: Bug
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:4589 | 0 | None | None | None | 2020-11-04 02:12:03 UTC

Description Lukas Vrabec 2020-05-21 18:12:43 UTC
+++ This bug was initially created as a clone of Bug #1835254 +++

Description of problem:
I have code that runs a bunch of `semanage fcontext -a -t <type> <file>` commands on every initialisation, and on one occasion a power outage happened while the command was still running.
After the power came back, I booted the server and this error message appeared, and the boot hung.

I successfully booted the server by adding `selinux=0` to the kernel parameters, and then I noticed that the SELinux targeted policy files:

were empty (0 size).

It successfully reproduced almost every time.
Reinstalling selinux-policy-targeted, running `touch /.autorelabel` and then rebooting resolved the issue.

Version-Release number of selected component (if applicable):

How reproducible:
Almost every time

Steps to Reproduce:
1. Create a file: `touch /tmp/abc`
2. Run `semanage fcontext -a -t var_t "/tmp/abc"`
3. DO NOT LET THE COMMAND FINISH - it will take about 2-3 seconds; during that time, force a shutdown of the server.

Actual results:
Server is not bootable unless SELinux is disabled using the kernel parameters

Expected results:
Server boots normally

Additional info:
I noticed that if I add the flag `-N` to `semanage fcontext`, it does not reproduce, so the issue is probably related to the policy reload which this flag prevents. It probably does not sync the filesystem after the reload and does not do safe writes.

--- Additional comment from RHEL Program Management on 2020-05-13 15:50:45 CEST ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Zdenek Pytela on 2020-05-13 16:12:47 CEST ---

Also refer to:

--- Additional comment from Stephen Smalley on 2020-05-14 14:38:59 CEST ---

Upstream fix proposed here:

Comment 12 errata-xmlrpc 2020-11-04 02:12:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsemanage bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
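
The description above suspects that the policy files are rewritten without a filesystem sync or safe writes, which is how a power cut can leave them at 0 size. As an added illustration (not libsemanage code and not the upstream fix), this C example shows the usual crash-safe replacement pattern: write a temporary file, fsync it, rename it over the target, then fsync the directory. The names `safe_replace`, `sync_parent_dir` and the `.tmp` suffix are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>

/* Flush the directory entry so the rename itself survives power loss. */
static int sync_parent_dir(const char *path)
{
    char buf[PATH_MAX];
    snprintf(buf, sizeof(buf), "%s", path);   /* dirname() may modify its argument */
    int fd = open(dirname(buf), O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = fsync(fd);
    close(fd);
    return rc;
}

/* Hypothetical helper: replace `path` with `len` bytes of `data` so that a
 * crash at any point leaves the complete old or the complete new content,
 * never an empty or partial file. The new file gets mode 0600. */
int safe_replace(const char *path, const void *data, size_t len)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int)sizeof(tmp))
        return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    const char *p = data;
    ssize_t n = 0;
    while (len > 0 && (n = write(fd, p, len)) > 0) {
        p += n;
        len -= (size_t)n;
    }
    /* 1. New data reaches stable storage while the old file is untouched. */
    int ok = (len == 0) && fsync(fd) == 0;
    close(fd);
    /* 2. Atomic switch; 3. flush the directory so the switch is durable. */
    if (ok && rename(tmp, path) == 0)
        return sync_parent_dir(path);
    unlink(tmp);
    return -1;
}
```

Truncating and rewriting the target in place, by contrast, opens a window in which the only copy on disk is empty, which matches the 0-size files reported here.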