2093133 – RHEL 8.6 for the reboot and shutdown .autorelabel generates systemd does not stop services correctly

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2093133 - RHEL 8.6 for the reboot and shutdown .autorelabel generates systemd does not stop services correctly

Summary: RHEL 8.6 for the reboot and shutdown .autorelabel generates systemd does not ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	policycoreutils
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Vit Mojzis
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2108183
TreeView+	depends on / blocked

Reported:	2022-06-03 04:08 UTC by Lance Digby
Modified:	2022-11-08 12:55 UTC (History)
CC List:	8 users (show)
Fixed In Version:	policycoreutils-2.9-20.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2108183 (view as bug list)
Environment:
Last Closed:	2022-11-08 10:56:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-124147	0	None	None	None	2022-06-03 04:14:26 UTC
Red Hat Product Errata	RHBA-2022:7805	0	None	None	None	2022-11-08 10:56:45 UTC

Comment 3 Zdenek Pytela 2022-06-14 18:27:12 UTC

There seems to be no information how this issue is related to selinux-policy.
Unfortunately, I was unable to reproduce the issue and gather additional data.
Did you try the same scenario in SELinux permissive mode?
Are there any AVC denials in journal or dmesg? Supposing auditd is not running any longer that time.

Comment 10 Renaud Métrich 2022-06-28 11:39:10 UTC

Hello,

So I went with reproducing the issue. The reproducer is very simple:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# vgcreate data /dev/vdb
# lvcreate -T -L 5G --name test_volume data

# touch /.autorelabel
# reboot
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Having a thin pool makes the dm-event.socket be triggered, hence related dm-event.service (dmeventd daemon).

Upon relabeling, the /usr/libexec/selinux/selinux-autorelabel script reboots the system using forced flag (line 66):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 32 relabel_selinux() {
 :
 65     sync
 66     systemctl --force reboot
 67 }
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This ends up NOT triggering normal unit shutdown, but only send TERM signal, then KILL later.

Due to dmeventd NOT quitting on receiving TERM signal, we get the delay then systemd sends the KILL signal.

I think this needs to be fixed on both sides:
1. dmeventd should probably quit (unless there is a good reason not to do so)
2. the script should not use "--force" because not going through unit shutdown may be bad, who knows ...

Ideally the script should perform a "systemctl reboot" and retry with "--force" flag after some time, e.g.:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 65     sync
 66     systemctl reboot
 67     sleep 30
 68     systemctl --force reboot
 69 }
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 12 Zdenek Kabelac 2022-06-28 16:56:18 UTC

User is supposed to  *UNMONITOR*  LVs  before  quiting dmeventd.

'dmveventd' is protected  against signal - so processed commands which *MAY* freeze your system (i.e.  suspend devices) aren't leaving  system in unusable state.

So I'm not sure what  '--force reboot' is doing - but  it should run   'vgchange --monitor n' first.

Comment 14 Renaud Métrich 2022-06-29 07:33:20 UTC

From discussion BZ #2101793, it appears selinux-autorelabel script needs to stop using "systemctl --force reboot", which is not suitable at all.

I think we just need to remove the "--force" flag, there is nothing to do:
in case something bad happens, the reboot will anyway happen automatically on "reboot.target" timeout, as on a normal system reboot.

Comment 15 Petr Lautrbach 2022-06-29 07:34:59 UTC

selinux-autorelabel script was originally written for SysV initscripts and hasn't much changed since than.

(In reply to Renaud Métrich from comment #10)
> 
> Ideally the script should perform a "systemctl reboot" and retry with
> "--force" flag after some time, e.g.:
> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
>  65     sync
>  66     systemctl reboot
>  67     sleep 30
>  68     systemctl --force reboot
>  69 }
> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------


`systemctl reboot` should do it itself in 30 minutes:

    $ cat /usr/lib/systemd/system/reboot.target
    ...
    [Unit]
    Description=System Reboot
    Documentation=man:systemd.special(7)
    DefaultDependencies=no
    Requires=systemd-reboot.service
    After=systemd-reboot.service
    AllowIsolate=yes
    JobTimeoutSec=30min
    JobTimeoutAction=reboot-force
    
    [Install]
    Alias=ctrl-alt-del.target

I would try to drop `--force` first. And if 30min timeout too long, users could use their own reboot.target with lower timeout

Comment 16 Renaud Métrich 2022-06-29 07:38:20 UTC

OK great!
At this step anyway there is not many services running, so it's unlikely some service will hang.

Comment 26 errata-xmlrpc 2022-11-08 10:56:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (policycoreutils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7805

Note You need to log in before you can comment on or make changes to this bug.