Bug 434793 - Filesystem relabel fails after mls policy install
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls
Version: rawhide
Hardware: noarch
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-02-25 10:21 EST by Joe Nall
Modified: 2008-02-28 14:14 EST

Doc Type: Bug Fix
Last Closed: 2008-02-28 12:26:56 EST
Attachments
boot single user errors (13.67 KB, image/png), 2008-02-25 10:22 EST, Joe Nall
fixfiles restore output (16.05 KB, image/png), 2008-02-25 10:22 EST, Joe Nall
kickstart that demonstrates the issue (838 bytes, text/plain), 2008-02-27 23:07 EST, Joe Nall

Description Joe Nall 2008-02-25 10:21:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.12) Gecko/20080208 Fedora/2.0.0.12-1.fc8 Firefox/2.0.0.12

Description of problem:
I'm unable to get the current rawhide mls policy to install. There are many matchpathcon errors on reboot and fixfiles fails after 10 errors. Screenshots of a vm booted into single user with mls for the first time and after fixfiles attached.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.0-1

How reproducible:
Always


Steps to Reproduce:
Set policy to mls/permissive
reboot single user
fixfiles restore

Actual Results:
File system not relabeled due to errors

Expected Results:
Initial targeted->mls relabel

Additional info:
Comment 1 Joe Nall 2008-02-25 10:22:15 EST
Created attachment 295804
boot single user errors
Comment 2 Joe Nall 2008-02-25 10:22:51 EST
Created attachment 295805
fixfiles restore output
Comment 3 Daniel Walsh 2008-02-26 10:14:09 EST
Notting,

Could this be caused by the new upstart?  Are we putting something into mkinitrd
to define which kind of policy is installed?

This looks like a mismatch between the loaded policy in the kernel and what the
USERspace thinks it is.
Comment 4 Bill Nottingham 2008-02-26 10:35:03 EST
Shouldn't be - the initrd just uses the same call into libselinux to load the
policy that init did.
Comment 5 Daniel Walsh 2008-02-26 10:45:59 EST
Joe if you execute a load_policy before running fixfiles, does it work?
Comment 6 Joe Nall 2008-02-27 13:19:23 EST
Even with the policy set to mls/permissive the kernel is loading targeted. I removed selinux-policy-targeted, removed the /etc/selinux/targeted directory and rebooted the box. During boot, there is an error loading targeted/policy.22 and selinux is disabled. After booting, a load_policy works fine, /selinux/mls is 1 and getenforce returns Permissive and /sbin/fixfiles restore works as expected.

Kernel rpm is kernel-2.6.25-0.65.rc2.git7.fc9.i686

Comment 7 Bill Nottingham 2008-02-27 13:31:38 EST
What's your /etc/selinux/config?
Comment 8 Joe Nall 2008-02-27 14:00:32 EST
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=mls

Created by
lokkit -q -n --selinuxtype=mls
lokkit -q -n --selinux=permissive
touch /.autorelabel

in the %post section of a network kickstart

Comment 9 Joe Nall 2008-02-27 14:06:40 EST
[root@rawhide ~]# dmesg | egrep -i "security|selinux"
Security Framework initialized
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:8192 avtab hash slots allocated. Num of rules:156249
SELinux:8192 avtab hash slots allocated. Num of rules:156249
security:  8 users, 12 roles, 2370 types, 109 bools, 1 sens, 1024 cats
security:  72 classes, 156249 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: policy loaded with handle_unknown=allow
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts

note the 1 sens

but
[root@rawhide ~]# cat /selinux/mls 
1

versions
[root@rawhide ~]# rpm -qa | grep selinux
libselinux-2.0.57-1.fc9.i386
libselinux-python-2.0.57-1.fc9.i386
selinux-policy-3.3.1-1.fc9.noarch
selinux-policy-mls-3.3.1-1.fc9.noarch
selinux-policy-targeted-3.3.1-1.fc9.noarch
selinux-policy-devel-3.3.1-1.fc9.noarch


Comment 10 Joe Nall 2008-02-27 23:07:21 EST
Created attachment 296154
kickstart that demonstrates the issue
Comment 11 Joe Nall 2008-02-27 23:10:19 EST
The attached kickstart, which does a minimal mls network install off of download.fedora.redhat.com, is the smallest test case I could generate for the problem.
Comment 12 Daniel Walsh 2008-02-28 12:26:56 EST
Ok the problem was in libselinux.

libselinux initialized the location of the policy and the type of the policy in the constructor of the policy. If no /etc/selinux/config file exists it defaults to targeted.

So when init starts up nash there is no /etc/selinux/config so libselinux loads the default settings for targeted policy. Later when nash executes loadpolicy, it now has an /etc/selinux/config but ignores it. So I have changed libselinux to reload the config when it

Fixed in libselinux-2.0.57-2.fc9

You can grab the libraries from 

http://people.fedoraproject.org/~dwalsh/SELinux/F9/

Or from koji
You will need to mkinitrd to get the new libselinux.
Comment 13 Joe Nall 2008-02-28 14:14:05 EST
Added your repo

repo --name=dwalsh --baseurl=http://people.fedoraproject.org/~dwalsh/SELinux/F9/

and rebuilt initrd in the kickstart

%post
kernel=`rpm -q kernel | sed -e "s/\.[^.]*$//"`
mkinitrd -v -f initrd-$kernel.img $kernel

and I now have 16 sens. A good sign.
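An added diagnostic for the mismatch this thread pins down (example code, not from the bug report or from libselinux): comment 9 shows the kernel reporting "1 sens" while /etc/selinux/config names mls, and comment 13 shows "16 sens" once the fixed libselinux is in the initrd. The script compares SELINUXTYPE in a config file with the sensitivity count in saved kernel log text; it assumes that an mls policy loads with more than one sensitivity level and any other policy type with exactly one, and the file paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from this bug or from libselinux: compare the policy
# type named in /etc/selinux/config with what the kernel actually loaded, using
# the "N sens" field the kernel logs at policy load (comment 9: targeted showed
# "1 sens"; comment 13: mls showed "16 sens").

# Policy type from a config file. libselinux falls back to "targeted" when the
# file is absent (the initrd situation comment 12 describes), so mirror that.
config_type() {
    [ -r "$1" ] || { echo targeted; return; }
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1
}

# Sensitivity count from saved kernel log text, e.g.
# "security:  8 users, 12 roles, 2370 types, 109 bools, 1 sens, 1024 cats".
sens_count() {
    sed -n 's/.*security:.*[^0-9]\([0-9][0-9]*\) sens.*/\1/p' "$1" | tail -n 1
}

# Exit 0 when config and loaded policy agree, 1 on the mismatch from this bug,
# 2 when the log holds no policy-load line. Assumption: an mls policy loads with
# more than one sensitivity level, any other policy type with exactly one.
policy_consistent() {
    cfg_t=$(config_type "$1")
    loaded_s=$(sens_count "$2")
    [ -n "$loaded_s" ] || return 2
    case "$cfg_t" in
        mls) [ "$loaded_s" -gt 1 ] ;;
        *)   [ "$loaded_s" -eq 1 ] ;;
    esac
}

# Constructed sample inputs reproducing the state from comments 8 and 9:
# config says mls, kernel loaded a one-sensitivity (targeted) policy.
demo() {
    demo_d=$(mktemp -d)
    printf 'SELINUX=permissive\nSELINUXTYPE=mls\n' > "$demo_d/config"
    echo 'security:  8 users, 12 roles, 2370 types, 109 bools, 1 sens, 1024 cats' \
        > "$demo_d/dmesg"
    if policy_consistent "$demo_d/config" "$demo_d/dmesg"; then
        echo "consistent"
    else
        echo "MISMATCH: config says $(config_type "$demo_d/config")" \
             "but kernel loaded $(sens_count "$demo_d/dmesg") sens"
    fi
    rm -rf "$demo_d"
}

# On a live box: dmesg > /tmp/dmesg.txt && policy_consistent /etc/selinux/config /tmp/dmesg.txt
```

The /selinux/mls flag shown in comment 9 is not a usable discriminator here, since it reads 1 for the targeted policy as well; the sensitivity count is.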
