Bug 1838762 - error "Failed to load selinux policy, freezing" on boot due to corrupted SELinux policy files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libsemanage
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1835254
Blocks:
Reported: 2020-05-21 18:12 UTC by Lukas Vrabec
Modified: 2020-11-04 02:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1835254
Environment:
Last Closed: 2020-11-04 02:12:00 UTC
Type: Bug
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:4589 | 0 | None | None | None | 2020-11-04 02:12:03 UTC

Description Lukas Vrabec 2020-05-21 18:12:43 UTC
+++ This bug was initially created as a clone of Bug #1835254 +++

Description of problem:
I have code which runs a bunch of `semanage fcontext -a -t <type> <file>` commands on every initialisation, and on one occurrence, a power outage happened while the command was still running.
After the power came back, I booted the server and this error message appeared, and the boot hung.

I successfully booted the server by setting `selinux=0` to the kernel parameters, and then I noticed that selinux targeted policy files:
/etc/selinux/targeted/policy/policy.31
/etc/selinux/targeted/active/modules/100/*

were empty (0 size).

It successfully reproduced almost every time.
Reinstalling selinux-policy-targeted, running `touch /.autorelabel` and then rebooting resolved the issue.

Version-Release number of selected component (if applicable):
libsemanage-2.5-14.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
selinux-policy-targeted-3.13.1-252.el7_7.6.noarch
policycoreutils-2.5-33.el7.x86_64
policycoreutils-python-2.5-33.el7.x86_64


How reproducible:
Almost every time

Steps to Reproduce:
1. Create a file: `touch /tmp/abc`
2. Run `semanage fcontext -a -t var_t "/tmp/abc"`
3. DO NOT LET THE COMMAND FINISH - it will take about 2-3 seconds; during that time, force shutdown the server.

Actual results:
Server is not bootable unless disabling SELinux using the kernel parameters

Expected results:
Server boots normally

Additional info:
I noticed that if I add to `semanage fcontext` the flag `-N` it does not reproduce, so the issue is probably related to the policy reload which this flag prevents. It probably does not sync the filesystem after the reload and does not do safe writes.

--- Additional comment from RHEL Program Management on 2020-05-13 15:50:45 CEST ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Zdenek Pytela on 2020-05-13 16:12:47 CEST ---

Also refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=1490324
https://bugzilla.redhat.com/show_bug.cgi?id=1688129

--- Additional comment from Stephen Smalley on 2020-05-14 14:38:59 CEST ---

Upstream fix proposed here:
https://lore.kernel.org/selinux/5ebc4bc6.1c69fb81.a8850.464e@mx.google.com/T/#u

Comment 12 errata-xmlrpc 2020-11-04 02:12:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsemanage bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4589

