Bug 486170 - avc problem on first reboot after install
avc problem on first reboot after install
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-02-18 13:23 EST by ralph hinton
Modified: 2009-05-01 14:07 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-01 14:07:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
audit.log tarfile as requested (60.00 KB, application/x-tar)
2009-02-21 15:00 EST, ralph hinton
no flags Details

  None (edit)
Description ralph hinton 2009-02-18 13:23:01 EST
Description of problem:
I installed Fedora 11 alpha (64bit) on my laptop
 (acer with AMD turion 64 & ATI radeon graphics, dual boot with Vista)
 this afternoon, this worked OK.
I get the following message on the first reboot:
"type=1400 audit(1234972567.989:80): avc: denied {search } for pid 2578 comm=readahead name=dbus dev=sda3 ino=5277582  ... "

Version-Release number of selected component (if applicable):

How reproducible:
same message (different numbers) on two reboots so far.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
search shows bug 47333 (?) is similar which may help.
Comment 1 ralph hinton 2009-02-18 13:24:33 EST
two lines above is the message "__ratelimit 18 callbacks suppressed"
if this is relevant?.
Comment 2 ralph hinton 2009-02-18 13:29:25 EST
Sorry the similar bug no. in additional info above is 473443 .
Comment 3 ralph hinton 2009-02-20 11:23:41 EST
Have got in via Knoppix as cannot boot.

Below /usr there are dbus-1.0 dirs and below /etc there is dbus-1
what other info do you require?.
Comment 4 Colin Walters 2009-02-20 13:00:38 EST
This looks like a SELinux policy issue related to the readahead program.  

Please attach the full audit message, the parts you've replaced with "..." are important too.
Comment 5 Daniel Walsh 2009-02-20 13:59:05 EST
Attach compressed /var/log/audit/audit.log
Comment 6 ralph hinton 2009-02-21 15:00:18 EST
Created attachment 332828 [details]
audit.log tarfile as requested

Requested by Daniel in comment 5
Comment 7 ralph hinton 2009-02-21 15:22:39 EST
Rest of message at boot attempt (refer comment 4):
" scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir" EOM

There is an identical one above it and several similar ones before that which are ".. denied {read} for ... name=X" X=ntpd/nscd/cups if that is of interest?.
Comment 8 Daniel Walsh 2009-02-23 09:49:07 EST
There are no errors in the audit.log

Have you tried to relabel the system

As root run

fixfiles restore

Also what file system are you using ?
Comment 9 ralph hinton 2009-02-23 11:57:02 EST
It is an ext3 filesystem (it had Fedora 6.93 in previously).

fixfiles is not recognised.  Note the first reboot after install has not completed so I have no access to fedora, just to the files via knoppix, so I ran it as root in a knoppix terminal.
Comment 10 Daniel Walsh 2009-02-23 13:29:52 EST
You can boot with the following command at the console.

Add enforcing=0 autorelabel

to kernel boot params and it should Fedora Grub boot and fix the labeling on the machine
Comment 11 ralph hinton 2009-02-24 08:16:02 EST
Yes that worked and got me into the system OK.

However the next startup it has lost my login and has no keyboard input. Obviously a separate problem I think.  Is this going to require a reload from DVD?.
Comment 12 Daniel Walsh 2009-02-24 09:04:26 EST
I have no idea.  Seems like something went very wrong when you installed this system.
Comment 13 ralph hinton 2009-02-24 11:49:31 EST
Possibly.  As there was no published checksum I can't start to find out where it goes wrong as it looked OK at the time.
Is there any news on when the SHASUM etc will be available?.
I can then re-install and post further developments.

Could it be that it got mixed up with very old Fedora6 stuff on that partition and that if I put F10 on it now we will not know the re-install shows?.  I can leave it as it is for a week or so as it is a spare installation (or I wouldn't have risked an alpha release).
Comment 14 Daniel Walsh 2009-02-25 10:42:49 EST
Did you do an upgrade or an install.   Install should have been fine, upgrade from F6 to f10 might be shaky.
Comment 15 ralph hinton 2009-02-25 12:45:24 EST
I did an upgrade.
I did the same thing to another machine and when I tried to do an install Fedora wanted to redo all the partitions already set up and I didn't want to be bothered re-arranging four partitions (this is an annoyance I probably ought to raise separately).  So i did the upgrade to the full version 10 OK - I am using it now.  I know it isn't recommended but it was a lot less hassle.
When I came to do the next machine I also did an upgrade to v11alpha with the consequences above.
Bit of a long explanation but it may help if i tell you why I was doing what I did. It still could be the download?.
Comment 16 Daniel Walsh 2009-02-26 09:32:10 EST
Ok run 

# fixfiles restore

Which should fix your file labeling.
Comment 17 ralph hinton 2009-02-26 12:37:39 EST
I tried that from the command shell under 'rescue installed system' with and got the error "mnt/sysimage/sbin/fixfiles: line 140: /sbin/setfiles: No such file or directory
find: `/var/tmp': No such file or directory"

Is it time to try the whole install again?.
Comment 18 ralph hinton 2009-02-27 13:51:27 EST
I am being slow and forgot singleuser/command line mode.
However it gave a whole load of find: '/tmp/...': Permission denied messages which is worrying.  It hasn't fixed the graphical logon problem .

I can't add a new user to passwd file ( is readonly) and the my usename is in there. Cannot change pass with passwd command (not authorised) even logged in as root.
Going to try yum * in hope.
Comment 19 ralph hinton 2009-03-03 16:56:03 EST
I tried the whole install again and it reloaded three packages and that didn't sort it, the next time it loaded none
yum update doesn't seem work from command line so I am left with a stuffed partition/system.  Any advice on how to start again please.
Comment 20 Daniel Walsh 2009-03-03 17:07:08 EST
I have no idea what you are doing.

Do you have an installed machine?  Can you login in permissive mode?
Comment 21 ralph hinton 2009-03-03 17:31:01 EST
I am not sure what I am doing, just getting a bit desperate.
I can log in in single user mode 3 and things seem to work.
The first problem I find is the graphical login screen that cannot authenticate users that I logged in with in single user mode.
I don't know much about SElinux to know if it is permissive mode.
Comment 22 Daniel Walsh 2009-03-04 08:35:36 EST
vi /etc/selinux/config

Change the SELINUX field to say permissive
touch /.autorelabel

When the machine comes up it will be in permissive mode and relabeled. Then see if you can login.  If you still can not, then this is not an SELinux problem.
Comment 23 ralph hinton 2009-03-04 09:50:44 EST
That has worked!!!. Excellent great, thanks.
It could have been read/write permissions earlier with the fixfiles command as I had to mount r/w under knoppix
Do I need to do a cleanup or update to make sure it is stable?.
I forgot about SELinux because it was off in the previous installation.

Note You need to log in before you can comment on or make changes to this bug.