Booting a rawhide KVM guest with dracut built initrd fails when trying to activate and fsck the rootfs. The problem seems to be something with /dev entries. After the fsck fails, I enter the root pw and it drops to a shell. Only the "control" entry exists under /dev/mapper even though earlier boot messages seem to indicate that activating the LVM VG where it lives was successful. Rebuilding the initramfs with mkinitrd and booting works fine. I'm using: dracut-002-13.4.git8f397a9b.fc12.noarch Complete console log is attached. Let me know if you need other info...
Created attachment 364455 [details] console log from failed boot
why is this a problem with dracut?
type=1400 audit(1255354212.706:9): avc: denied { open } for pid=289 comm="mount" name="null" dev=devtmpfs ino=3590 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file can you try to boot with "selinux=0" ?
> why is this a problem with dracut? Because an initramfs built with mkinitrd works fine? > can you try to boot with "selinux=0" ? I already had selinux in permissive mode, but went ahead and disabled it completely for giggles. It failed in the exact same way.
The interesting bit is that the switchroot actually works, so filesystems are actually being mounted. Here's /proc/mounts after entering the maintenance shell: (Repair filesystem) 1 # cat /proc/mounts rootfs / rootfs rw 0 0 /proc /proc proc rw,relatime 0 0 /sys /sys sysfs rw,seclabel,relatime 0 0 udev /dev devtmpfs rw,relatime,size=225116k,nr_inodes=56279 0 0 /dev/pts /dev/pts devpts rw,seclabel,relatime,mode=600,ptmxmode=000 0 0 /dev/shm /dev/shm tmpfs rw,seclabel,relatime 0 0 /dev/mapper/rawhidevg-root / ext4 ro,seclabel,relatime,barrier=1,data=ordered 0 0 none /selinux selinuxfs rw,relatime 0 0 /proc/bus/usb /proc/bus/usb usbfs rw,relatime 0 0 none /dev tmpfs rw,rootcontext=system_u:object_r:device_t:s0,seclabel,relatime,mode=755 0 0 devpts /dev/pts devpts rw,seclabel,relatime,mode=600,ptmxmode=000 0 0 I think that the question is we need to answer is: Why are there no block device entries under /dev/mapper after switchroot?
udev /dev devtmpfs none /dev tmpfs ok, /dev is mounted as devtmpfs first and then start_udev might mount a tmpfs there.. can you comment out the shell block in /sbin/start_udev which starts like this? # mount the tmpfs on ${udev_root%/}, if not already done LANG=C awk "\$2 == \"${udev_root%/}\" && \$3 == \"tmpfs\" { exit 1 }" /proc/mounts && { .... ret=$[$ret + $?] }
That seemed to work -- it boots with that block commented out. There seems to be a problem setting security labels on the nodes under /dev though. I get a ton of these sorts of messages on the console while booting: udevd-work[620]: setfilecon /dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part1 failed: Operation not supported udevd-work[620]: setfilecon /dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part1 failed: Operation not supported udevd-work[620]: setfilecon /dev/disk/by-path/pci-0000:00:01.1-scsi-0:0:0:0-part1 failed: Operation not supported FWIW this is using: udev-145-10.fc12.x86_64
ok, next step.. edit /usr/share/dracut/modules.d/99base/init make if [ ! -c /dev/ptmx ]; then # try to mount devtmpfs if ! mount -t devtmpfs -omode=0755 udev /dev >/dev/null 2>&1; then # if it failed fall back to normal tmpfs mount -t tmpfs -omode=0755 udev /dev >/dev/null 2>&1 # Make some basic devices first, let udev handle the rest mknod /dev/null c 1 3 mknod /dev/ptmx c 5 2 mknod /dev/console c 5 1 mknod /dev/kmsg c 1 11 fi fi to if [ ! -c /dev/ptmx ]; then # if it failed fall back to normal tmpfs mount -t tmpfs -omode=0755 udev /dev >/dev/null 2>&1 # Make some basic devices first, let udev handle the rest mknod /dev/null c 1 3 mknod /dev/ptmx c 5 2 mknod /dev/console c 5 1 mknod /dev/kmsg c 1 11 fi and rebuild the initramfs image with: # dracut -f /boot/initramfs-$(uname -r).img $(uname -r)
this will mount a tmpfs instead of the devtmpfs on /dev let me know, if the udevd-work[620]: setfilecon /dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part1 failed: Operation not supported messages disappear.
Yes, that seemed to eliminate the messages (note that that was tested with the "patch" from comment #6 still in place).
dwalsh: why does it give those setfilecon errors on a devtmpfs filesystem (which is practically a tmpfs)
Because we have not told selinux what a devtmpfs is. Is this a new file system? Or just call it a tmpfs_t?
Fixed in selinux-policy-3.6.32-26.fc12.noarch
cool, thx
Harald can you pull the policy out of Rawhide and make sure it works ok. If it does I will ask for this policy to be updated for Beta.
didn't find a build for selinux-policy-3.6.32-26 on rebuilding from cvs I get: /usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp policy/modules/system/xen.te":354:ERROR 'permission getshed is not defined for class process' at token ';' on line 16604: allow xm_t self:process { getshed signal }; allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/xen.mod] Error 1 error: Bad exit status from /var/tmp/rpm-tmp.4R2wi1 (%install) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.4R2wi1 (%install)
-fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); +fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0); Hmm, why do you remove the normal tmpfs? It still exists for older kernels < 2.6.32 without devtmpfs
(In reply to comment #17) > Hmm, why do you remove the normal tmpfs? It still exists for older kernels < > 2.6.32 without devtmpfs s/still exists/still is mounted on /dev /
ok, managed to build the rpm with: s/getshed/getsched/ and not removing fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); but adding fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0); WORKSFORME.. no more setfilecon ... failed: Operation not supported
I guess it is a good thing it did not build. I will build a new version ASAP with your fixes. Then can we close this bug.
I had another rawhide guest with this problem and patched it with udev-145-11 (and associated libs) and selinux-policy-3.6.32-27 (and the associated -targeted package). Rebuilt the initramfs with dracut and it works fine. I think we can declare this one closed. Thanks for the quick resolution!