Bug 359701 - RHEL5: The system doesn't boot after updating selinux policy to selinux-policy-2.4.6-106.el5
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All Linux
Priority: low, Severity: urgent
Assigned To: Daniel Walsh
Reported: 2007-10-31 03:00 EDT by manoj
Modified: 2008-05-21 22:41 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:59 EDT
Attachments:
attaching dmesg log file (126.23 KB, text/plain), 2007-10-31 09:09 EDT, manoj
Description manoj 2007-10-31 03:00:33 EDT
Steps to Reproduce:

1. On a pristine RHEL5 system with selinux-policy-2.4.6-30.el5, which comes as
default with RHEL5, update the SELinux policy to selinux-policy-2.4.6-80.el5 by
installing selinux-policy-2.4.6-80.el5 and selinux-policy-targeted 2.4.6-80.el5
(which I confirmed with rpm -qa |grep selinux).

2. Enforce SELinux (/etc/sysconfig/selinux, SELINUX=enforcing).

3. Reboot the system so that the filesystem is labelled as per SELinux policies.

Actual results: While booting, the system continuously throws the messages below and
doesn't boot up successfully.

audit(1189690957.438:1085817): avc:  denied  { search } for  pid=1906
comm="klogd" name="/" dev=tmpfs ino=695 scontext=system_u:system_r:klogd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Comment 1 manoj 2007-10-31 05:25:21 EDT
However, on a RHEL5 system with SELinux policy already
enforced (2.4.6-30.el5, policies applied), when I upgraded the SELinux policy to
selinux-policy-2.4.6-80.el5 and then rebooted the system, the system booted
successfully.
Comment 2 Daniel Walsh 2007-10-31 08:02:02 EDT
I am not sure where you got selinux-policy-2.4.6-80.el5.

But please grab the u1 policy on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch

And see if this fixes your problem.  

Not sure what the problem you are seeing here is.  No idea why you have a tmpfs_t
file system that klogd is trying to search.  This could be a labeling problem.
Comment 3 manoj 2007-10-31 08:25:54 EDT
I got selinux-policy-2.4.6-80.el5 from the RHN site. Also note that
selinux-policy-2.4.6-80.el5 is installed by default on RHEL5 u1 (Beta stage).
Comment 4 manoj 2007-10-31 09:09:10 EDT
Created attachment 244511
attaching dmesg log file

I could reproduce this bug again when I upgraded to
selinux-policy-2.4.6-106.el5, available on
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch.
I'm attaching the /var/log/dmesg output (tested system) for debugging, which clearly
shows the error messages.
Comment 5 Daniel Walsh 2007-10-31 09:22:32 EDT
This log shows you have a badly labeled system.

touch /.autorelabel
reboot.

Your /dev is not labeled correctly and you have file_t contexts.
Comment 6 manoj 2007-11-01 03:06:54 EDT
Thanks, the solution given in the above comment worked (though
I wonder why my system was badly labelled, since I had tested this on a pristine
system without playing with SELinux policies).
Comment 7 Daniel Walsh 2007-11-01 13:39:43 EDT
Not sure. Was there anything special you did during the install?  Did you add
disks after the install?

Comment 8 manoj 2007-11-01 23:11:17 EDT
No, I had not added any hardware. Moreover, I could reproduce this on 2 pristine
systems after a fresh install of RHEL5. I definitely sense there is some issue and
would request you to get it verified at your end by following the original
method given in this ticket.

Thanks
Manoj
Comment 9 Daniel Walsh 2007-11-05 15:43:25 EST
We test pristine machines all the time with SELinux installed and do not see
this behaviour.  That is why this is curious.  We have testsuites that do
nothing but install systems, and look for avc messages.

Comment 10 manoj 2007-11-06 00:30:19 EST
Okies you can close this bug :-).

However, today when I tried again on a third machine, I got the same error when I
followed the method below.

1. On a pristine RHEL5 system with selinux-policy-2.4.6-30.el5, which comes as
default with RHEL5, update the SELinux policy to selinux-policy-2.4.6-80.el5 by
installing selinux-policy-2.4.6-106.el5 and selinux-policy-targeted
2.4.6-106.el5 (which I confirmed with rpm -qa |grep selinux).
Note: SELinux is disabled (i.e. the file system is not yet labelled with any SELinux
policy, neither 30 nor the new 106).

2. Enforce SELinux (/etc/sysconfig/selinux, SELINUX=enforcing).

3. Reboot the system so that the filesystem is labelled as per SELinux policies.

Actual results: While booting, the system continuously throws the messages below and
doesn't boot up successfully.

audit(1189690957.438:1085817): avc:  denied  { search } for  pid=1906
comm="klogd" name="/" dev=tmpfs ino=695 scontext=system_u:system_r:klogd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Comment 11 Daniel Walsh 2007-11-06 11:40:17 EST
What does your mount partition look like?  
Comment 12 Daniel Walsh 2007-11-15 14:10:13 EST
Please try this with selinux-policy-2.4.6-106.el5_1.3

Reopen if the problem continues.
Comment 13 manoj 2007-11-15 22:51:53 EST
I had already tested that, as stated in comment 4.
Comment 14 manoj 2007-11-15 22:53:19 EST
I have only two physical partitions / and swap.
Comment 15 Daniel Walsh 2007-11-16 09:32:38 EST
Well, to get rid of the avc, execute:

# grep klog /var/log/audit/audit.log | audit2allow -M myklog
# semodule -i myklog.pp

I will put a fix for this in U2.
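Added example, not part of the original thread or of Red Hat's tooling: a Python triage of AVC denials that separates targets with no usable label (the file_t case comment 5 resolves by relabeling) from denials on labeled objects (the klogd/tmpfs_t case comment 15 handles with a local module). The first sample is the denial quoted in this report, the second is constructed, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Denial quoted in this report (line wrapping removed).
PAGE_AVC = ('audit(1189690957.438:1085817): avc:  denied  { search } for  pid=1906 '
            'comm="klogd" name="/" dev=tmpfs ino=695 scontext=system_u:system_r:klogd_t:s0 '
            'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir')
# Constructed sample: a target that was never labeled (file_t).
CONSTRUCTED_AVC = ('audit(0.0:1): avc:  denied  { read } for  pid=100 comm="example" '
                   'name="example" dev=sda1 ino=1 scontext=system_u:system_r:example_t:s0 '
                   'tcontext=system_u:object_r:file_t:s0 tclass=file')

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLABELED_TYPES = {"file_t", "unlabeled_t"}  # no label on disk / invalid label

def _type(context):
    """Third field of user:role:type[:level], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(record):
    """Return a dict for one AVC denial, or None if the text is not one."""
    m = AVC_RE.search(" ".join(record.split()))  # tolerate wrapped lines
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {"perms": m.group("perms").split(), "comm": kv.get("comm"),
            "stype": _type(kv["scontext"]), "ttype": _type(kv["tcontext"]),
            "tclass": kv["tclass"]}

def triage(records):
    """Split denials into relabel candidates and per-type policy gaps."""
    relabel, gaps = [], defaultdict(set)
    for d in filter(None, map(parse_avc, records)):
        if d["ttype"] in UNLABELED_TYPES:
            relabel.append(d)
        else:
            gaps[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return relabel, dict(gaps)

if __name__ == "__main__":
    relabel, gaps = triage([PAGE_AVC, CONSTRUCTED_AVC, "not an avc line"])
    for d in relabel:
        print(f"relabel: {d['comm']} hit unlabeled {d['tclass']} ({d['ttype']})")
    for (s, t, c), perms in gaps.items():
        print(f"policy gap: {s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}")
```

Entries in the relabel list point at the touch /.autorelabel fix; the remaining gaps are what audit2allow would turn into allow rules, so review them before loading a module.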
Comment 16 Daniel Walsh 2008-03-05 16:59:12 EST
Fixed in u2 policy. selinux-policy-2.4.6-125
Comment 17 RHEL Product and Program Management 2008-03-05 17:07:31 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 22 errata-xmlrpc 2008-05-21 12:05:59 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
