Bug 304281 - fsck'ed up selinux
Summary: fsck'ed up selinux
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-09-25 00:18 UTC by Alexei Podtelezhnikov
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-26 15:09:34 UTC
Type: ---
Embargoed:



Description Alexei Podtelezhnikov 2007-09-25 00:18:01 UTC
Description of problem:

What's wrong with rpm -e selinux-policy; rpm -Uvh selinux-policy?
It is a recipe for disaster!!! Somehow with selinux enforcing I can no longer
check filesystems on boot.

It happens with both -88.fc6 and -94.fc6
At least, -94.fc6 installs cleanly, but I guess -88.fc6 did the damage 
already. How do I fix it now?

Version-Release number of selected component (if applicable):


How reproducible:
100%, go ahead try it

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
I guess I will go ahead and start living without selinux now.

Comment 1 Daniel Walsh 2007-09-25 12:49:25 UTC
What avc's are you seeing?  Have you tried to relabel?

No privs should have disappeared in this release.

Comment 2 Alexei Podtelezhnikov 2007-09-25 23:10:16 UTC
Ok. I managed to recover after selinux went into relabeling under permissive 
config. So how do I force relabeling on demand?


Here are the AVCs from yesterday's log file showing fsck being denied.


audit(1190677392.136:5): avc:  denied  { read } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:6): avc:  denied  { getattr } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:7): avc:  denied  { read } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:8): avc:  denied  { getattr } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:26 somehost kernel: audit(1190677392.939:9): avc:  denied  { read } for  pid=1728 comm="restorecon" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

Comment 3 Daniel Walsh 2007-09-26 13:47:22 UTC
Looks like the file "config" was created somehow without labeling (file_t).  Did
you mv this file off of another machine or a device that had no labeling?  Did
you boot with selinux=0?  

Comment 4 Alexei Podtelezhnikov 2007-09-26 14:23:54 UTC
Yes. More precisely I removed (rpm -e) selinux-policy and
selinux-policy-targeted, then I removed (rm -rf) /etc/selinux, then I
re-installed (rpm -Uvh) selinux-policy and selinux-policy-targeted. Upon reboot
I couldn't move past fsck, so I rebooted with selinux=0, then I changed to
"permissive", then next reboot triggered relabeling. Anyhow it works now with
"enforcing".

I understand that I created a crazy scenario, but I suspect that rpm -Uvh should
permit booting past fsck to relabeling.  

Comment 5 Daniel Walsh 2007-09-26 15:09:34 UTC
Well the problem here is you have lvm trying to read /etc/selinux/config which
is unlabeled and the kernel is in enforcing mode.  So lvm is blowing up before
relabeling commences.
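The AVC records in comment 2 and the root cause in comment 5 (an unlabeled file_t object read by lvm_t, fsadm_t and restorecon_t while the kernel is enforcing) are the kind of thing a practitioner wants to spot automatically rather than by eye. The following is an added example, not code from the bug reporter or from the selinux-policy package: it parses kernel AVC denial lines, picks out the ones whose target type is file_t or unlabeled_t, summarises which source domains hit them, and suggests the recovery path. The sample log is the five records quoted above, rejoined onto single lines; the suggested commands (boot with enforcing=0 rather than selinux=0, create /.autorelabel, reboot) are the standard Fedora relabel-on-demand mechanism and are the editor's recommendation, not something stated on this page. Note that an AVC record only carries the object's basename (name="config"), so the full path /etc/selinux/config is known here from the maintainer's comment, not from the log.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in comment 2 of this bug,
# with the line-wrapped ino= values rejoined. Not a live log.
SAMPLE_LOG = """\
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:5): avc:  denied  { read } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:6): avc:  denied  { getattr } for  pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:7): avc:  denied  { read } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:8): avc:  denied  { getattr } for  pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:26 somehost kernel: audit(1190677392.939:9): avc:  denied  { read } for  pid=1728 comm="restorecon" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# "avc:  denied  { read getattr } for  key=value key="quoted" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types meaning "no label from the loaded policy": file_t is what an
# unlabeled inode reports on a filesystem that supports xattrs.
UNLABELED_TYPES = {'file_t', 'unlabeled_t'}


def parse_avc(line):
    """Parse one kernel AVC denial line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    return ctx.split(':')[2]


def unlabeled_denials(log_text):
    """AVC records whose target object carries no policy label."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'tcontext' in rec and context_type(rec['tcontext']) in UNLABELED_TYPES:
            found.append(rec)
    return found


def summarize(log_text):
    """Map (comm, source domain) -> sorted permissions denied on unlabeled objects."""
    summary = defaultdict(set)
    for rec in unlabeled_denials(log_text):
        summary[(rec['comm'], context_type(rec['scontext']))].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def affected_domains(log_text):
    """Sorted list of source domains that were denied access to unlabeled objects."""
    return sorted({context_type(r['scontext']) for r in unlabeled_denials(log_text)})


def suggest_fix(log_text):
    """Recovery steps for unlabeled-file denials during boot (editor's advice,
    assumed: Fedora relabels at boot when /.autorelabel exists)."""
    recs = unlabeled_denials(log_text)
    if not recs:
        return []
    steps = []
    if any(context_type(r['scontext']) == 'restorecon_t' for r in recs):
        # restorecon itself is denied while enforcing, so the relabel has to
        # run with the kernel permissive. enforcing=0 keeps labeling active,
        # whereas selinux=0 leaves every newly created file unlabeled.
        steps.append('boot with enforcing=0 on the kernel command line')
    steps += ['touch /.autorelabel', 'reboot']
    return steps


if __name__ == '__main__':
    for (comm, domain), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{comm} ({domain}) denied {" ".join(perms)} on unlabeled target')
    for step in suggest_fix(SAMPLE_LOG):
        print('  ->', step)
```

Run against the sample it reports the three domains (lvm_t, fsadm_t, restorecon_t) that failed on the unlabeled config file, which is exactly why the boot never reached the relabel step while enforcing.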

Comment 6 Daniel Walsh 2007-09-26 15:24:18 UTC
selinux-policy-2.6.4-45.fc7 has fixes to allow new version of setroubleshoot to run.

