Bug 304281 - fsck'ed up selinux
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-24 20:18 EDT by Alexei Podtelezhnikov
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-09-26 11:09:34 EDT
Description Alexei Podtelezhnikov 2007-09-24 20:18:01 EDT
Description of problem:

What's wrong with rpm -e selinux-policy; rpm -Uvh selinux-policy?
It is a recipe for disaster!!! Somehow with selinux enforcing I can no longer
check filesystems on boot.

It happens with both -88.fc6 and -94.fc6.
At least, -94.fc6 installs cleanly, but I guess -88.fc6 did the damage
already. How do I fix it now?

Version-Release number of selected component (if applicable):


How reproducible:
100%, go ahead try it

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
I guess I will go ahead and start living without selinux now.
Comment 1 Daniel Walsh 2007-09-25 08:49:25 EDT
What AVCs are you seeing?  Have you tried to relabel?

No privs should have disappeared in this release.
Comment 2 Alexei Podtelezhnikov 2007-09-25 19:10:16 EDT
Ok. I managed to recover after selinux went into relabeling under permissive 
config. So how do I force relabeling on demand?


Here are the AVCs from yesterday's log file showing fsck being denied.


audit(1190677392.136:5): avc:  denied  { read } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:6): avc:  denied  { getattr } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:7): avc:  denied  { read } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:8): avc:  denied  { getattr } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:26 somehost kernel: audit(1190677392.939:9): avc:  denied  { read } for  pid=1728 comm="restorecon" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Comment 3 Daniel Walsh 2007-09-26 09:47:22 EDT
Looks like the file "config" was created somehow without labeling (file_t).  Did
you mv this file off of another machine or a device that had no labeling?  Did
you boot with selinux=0?  
Comment 4 Alexei Podtelezhnikov 2007-09-26 10:23:54 EDT
Yes. More precisely I removed (rpm -e) selinux-policy and
selinux-policy-targeted, then I removed (rm -rf) /etc/selinux, then I
re-installed (rpm -Uvh) selinux-policy and selinux-policy-targeted. Upon reboot
I couldn't move past fsck, so I rebooted with selinux=0, then I changed to
"permissive", then next reboot triggered relabeling. Anyhow it works now with
"enforcing".

I understand that I created a crazy scenario, but I suspect that rpm -Uvh should
permit booting past fsck to relabeling.  
Comment 5 Daniel Walsh 2007-09-26 11:09:34 EDT
Well the problem here is you have lvm trying to read /etc/selinux/config which
is unlabeled and the kernel is in enforcing mode.  So lvm is blowing up before
relabeling commences.
Comment 6 Daniel Walsh 2007-09-26 11:24:18 EDT
selinux-policy-2.6.4-45.fc7 has fixes to allow new version of setroubleshoot to run.
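
The diagnosis in comments 3 and 5 (denials whose target context is file_t mean the object has no label) can be checked mechanically. The following is an added example, not part of the original bug thread or of any Fedora tool: it parses AVC denial lines and groups those whose target type is unlabeled. The function names, the control line and the inclusion of unlabeled_t (the type newer policies use) are assumptions of this example.

```python
import re
from collections import defaultdict

# Denials copied from the log excerpt in comment 2 (wrapped lines rejoined).
PAGE_LOG = """\
audit(1190677392.136:5): avc:  denied  { read } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:8): avc:  denied  { getattr } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:26 somehost kernel: audit(1190677392.939:9): avc:  denied  { read } for  pid=1728 comm="restorecon" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""
# Constructed control line: a denial on a properly labeled (etc_t) file.
CONTROL = 'kernel: audit(1190677393.100:10): avc:  denied  { write } for  pid=1800 comm="httpd" name="x" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file\n'

# file_t is the type seen in this report; unlabeled_t is used by newer policies.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_targets(log_text):
    """Group denials whose target object carries an unlabeled type."""
    hits = defaultdict(lambda: {"domains": set(), "perms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or selinux_type(rec.get("tcontext", "")) not in UNLABELED_TYPES:
            continue
        key = (rec.get("dev"), rec.get("ino"), rec.get("name"))
        hits[key]["domains"].add(selinux_type(rec.get("scontext", "")))
        hits[key]["perms"].update(rec["perms"])
    return dict(hits)


if __name__ == "__main__":
    for (dev, ino, name), info in unlabeled_targets(PAGE_LOG + CONTROL).items():
        print(f"{name} (dev={dev} ino={ino}) is unlabeled; denied: {sorted(info['domains'])}")
```

Every hit shares one inode, which matches the diagnosis in comments 3 and 5: a single unlabeled /etc/selinux/config, resolved by relabeling rather than by new policy rules.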
