User-Agent: Opera/9.80 (X11; Linux i686; U; en) Presto/2.6.30 Version/10.60 Afer performing a 'yum update' (wich finished ok, aparently) , i noticed constant disk access, so i rebooted. During shutdown, every service status was failed. I was not able to boot the system normally. Aug 11 19:36:38 Updated: cronie-1.4.5-1.fc13.x86_64 Aug 11 19:36:39 Updated: cronie-anacron-1.4.5-1.fc13.x86_64 Aug 11 19:36:41 Updated: imsettings-libs-0.108.1-1.fc13.x86_64 Aug 11 19:37:01 Updated: selinux-policy-3.7.19-44.fc13.noarch Aug 11 19:37:02 Updated: imsettings-0.108.1-1.fc13.x86_64 Aug 11 19:37:03 Updated: iputils-20071127-12.fc13.x86_64 Aug 11 19:37:37 Updated: selinux-policy-targeted-3.7.19-44.fc13.noarch Aug 11 19:37:39 Updated: linux-firmware-20100806-2.fc13.noarch ------------------------------ Normal boot (obtained over the serial port with 'console=tty0 console ttyS0') ÿGG/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied init: readahead-collector main process (517) terminated with status 127 Welcome to Fedora Press 'I' to enter interactive startup. Starting udev: /sbin/restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory Gk10temp 0000:00:18.3: unreliable CPU thermal sensor; monitoring disabled nForce2_smbus 0000:00:01.1: Error probing SMB2. [ OK ] Setting hostname ulquiorra.espada: [FAILED] Setting up Logical Volume Management: No volume groups found [ OK ] Checking filesystems Checking all file systems. [/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/sda3 Fedora-13-x86_64: clean, 114894/1564672 files, 1015336/6249285 blocks [/sbin/fsck.ext3 (1) -- /home] fsck.ext3 -a /dev/md127 ulquiorra-home: clean, 44888/2191536 files, 5614781/8749056 blocks (check in 5 mounts) [/sbin/fsck.reiserfs (1) -- /data0] fsck.reiserfs -a /dev/sda6 [/sbin/fsck.reiserfs (2) -- /data1] fsck.reiserfs -a /dev/sdb6 Reiserfs super block in block 16 on 0x816 of format 3.6 with standard journal Blocks (total/free): 200246192/71507555 by 4096 bytes Filesystem is NOT clean Reiserfs super block in block 16 on 0x806 of format 3.6 with standard journal Blocks (total/free): 204909056/36552114 by 4096 bytes Filesystem is NOT clean Replaying journal: Replaying journal: Replaying journal: Done. Reiserfs journal '/dev/sda6' in blocks [18..8211]: 0 transactions replayed Replaying journal: Done. Reiserfs journal '/dev/sdb6' in blocks [18..8211]: 0 transactions replayed [/sbin/fsck.reiserfs (1) -- /data3] fsck.reiserfs -a /dev/sdb5 Reiserfs super block in block 16 on 0x815 of format 3.6 with standard journal Blocks (total/free): 29091696/11961221 by 4096 bytes Filesystem is NOT clean Replaying journal: Replaying journal: Done. Reiserfs journal '/dev/sdb5' in blocks [18..8211]: 0 transactions replayed [ OK ] Remounting root filesystem in read-write mode: mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied [FAILED] mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied Mounting local filesystems: mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied [FAILED] Enabling local filesystem quotas: [FAILED] chmod: changing permissions of `/var/lib/random-seed': Read-only file system rm: cannot remove `/var/run/wpa_supplicant.pid': Read-only file system rm: cannot remove `/var/run/ConsoleKit/database': Read-only file system rm: cannot remove `/var/run/nm-dhclient-eth0.conf': Read-only file system rm: cannot remove `/var/run/cupsd.pid': Read-only file system rm: cannot remove `/var/run/cron.reboot': Read-only file system rm: cannot remove `/var/run/console-kit-daemon.pid': Read-only file system rm: cannot remove `/var/run/portreserve/socket': Read-only file system rm: cannot remove `/var/run/setroubleshoot/setroubleshoot_server': Read-only file system rm: cannot remove `/var/run/kdm/.XauthrVX8Gb': Read-only file system rm: cannot remove `/var/run/kdm/kdm.pid': Read-only file system rm: cannot remove `/var/run/irqbalance.pid': Read-only file system rm: cannot remove `/var/run/libvirt/network/default.pid': Read-only file system rm: cannot remove `/var/run/acpid.socket': Read-only file system rm: cannot remove `/var/run/dhclient-eth0.pid': Read-only file system rm: cannot remove `/var/run/dbus/system_bus_socket': Read-only file system rm: cannot remove `/var/run/utmp': Read-only file system /etc/rc.d/rc.sysinit: line 761: /var/run/utmp: Read-only file system touch: cannot touch `/var/log/wtmp': Read-only file system chgrp: changing group of `/var/run/utmp': Read-only file system chgrp: changing group of `/var/log/wtmp': Read-only file system chmod: changing permissions of `/var/run/utmp': Read-only file system chmod: changing permissions of `/var/log/wtmp': Read-only file system restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory rm: cannot remove `/tmp/.X11-unix': Read-only file system rm: cannot remove `/tmp/.ICE-unix': Read-only file system rm: cannot remove `/tmp/kde-guille': Read-only file system rm: cannot remove `/tmp/kde-root': Read-only file system rm: cannot remove `/tmp/ksocket-guille/klauncherMT2141.slave-socket': Read-only file system rm: cannot remove `/tmp/mc-guille': Read-only file system rm: cannot remove `/tmp/mc-root': Read-only file system chown: changing ownership of `/tmp/.ICE-unix': Read-only file system Enabling /etc/fstab swaps: [ OK ] mv: cannot move `/var/log/dmesg' to `/var/log/dmesg.old': Read-only file system /etc/rc.d/rc.sysinit: line 818: /var/log/dmesg: Read-only file system touch: cannot touch `/var/run/getkey_done': Read-only file system Entering non-interactive startup init: system-setup-keyboard main process (1089) terminated with status 1 init: ck-log-system-start main process (1090) terminated with status 1 mktemp: failed to create file via template `/tmp/sysstat-XXXXXX': Read-only file system touch: cannot touch `/var/lock/subsys/lvm2_monitor': Read-only file system ip6tables: Applying firewall rules: [FAILED] iptables: Applying firewall rules: [FAILED] Starting auditd: [FAILED] Starting portreserve: [FAILED] Starting system logger: [FAILED] Enabling ondemand cpu frequency scaling: [ OK ] touch: cannot touch `/var/lock/subsys/cpuspeed': Read-only file system Starting irqbalance: [FAILED] Starting rpcbind: [FAILED] Starting mdmonitor: cannot create pid file: Read-only file system [ OK ]touch: cannot touch `/var/lock/subsys/mdmonitor': Read-only file system Starting system message bus: [FAILED] init: Unable to connect to the system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused Setting network parameters... [ OK ] Starting NetworkManager daemon: [FAILED] Starting Avahi daemon... [FAILED] Starting NFS statd: [FAILED] Initializing OpenCT smart card terminals: [FAILED] Starting RPC idmapd: Error: RPC MTAB does not exist. Starting cups: [FAILED] Starting acpi daemon: acpid: can't open socket /var/run/acpid.socket: Address already in use [FAILED] Starting HAL daemon: [FAILED] Starting PC/SC smart card daemon (pcscd): mktemp: failed to create file via template `/tmp/reader.conf.XXXXXX': Read-only file system Enabling Bluetooth devices: Starting sendmail: [ OK ] touch: cannot touch `/var/lock/subsys/sendmail': Read-only file system Starting sm-client: touch: cannot touch `/var/run/sm-client.pid': Read-only file system chown: cannot access `/var/run/sm-client.pid': No such file or directory /sbin/restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory [ OK ] touch: cannot touch `/var/lock/subsys/sm-client': Read-only file system Starting abrt daemon: [FAILED] Starting ksm: [ OK ] Starting ksmtuned: [FAILED] Starting crond: crond: can't open or create /var/run/crond.pid: Read-only file system [FAILED] Starting atd: [ OK ][ OK ] touch: cannot touch `/var/lock/subsys/atd': Read-only file system Starting libvirtd daemon: libvirtd: error: Unable to obtain pidfile. Check /var/log/messages or run without --daemon for more info. [FAILED] rm: cannot remove `/var/lib/libvirt/libvirt-guests': Read-only file system touch: cannot touch `/var/lock/subsys/libvirt-guests': Read-only file system Registering binary handler for Windows applications: /etc/rc5.d/S98wine: line 28: /proc/sys/fs/binfmt_misc/register: No such file or directory /etc/rc5.d/S98wine: line 29: /proc/sys/fs/binfmt_misc/register: No such file or directory [ OK ] touch: cannot touch `/var/lock/subsys/local': Read-only file system securetty: Couldn't open /etc/securetty: Read-only file system init: serial (ttyS0) pre-start process (1462) terminated with status 1 init: prefdm main process (1460) terminated with status 127 init: prefdm main process ended, respawning ^@init: prefdm main process (1525) terminated with status 127 init: prefdm main process ended, respawning init: prefdm main process (1527) terminated with status 127 init: prefdm main process ended, respawning ^@init: prefdm main process (1529) terminated with status 127 init: prefdm main process ended, respawning init: prefdm main process (1531) terminated with status 127 init: prefdm main process ended, respawning ^@init: prefdm main process (1533) terminated with status 127 init: prefdm main process ended, respawning init: prefdm main process (1535) terminated with status 127 init: prefdm main process ended, respawning ^@init: prefdm main process (1537) terminated with status 127 init: prefdm main process ended, respawning init: prefdm main process (1539) terminated with status 127 init: prefdm main process ended, respawning ^@init: prefdm main process (1541) terminated with status 127 init: prefdm main process ended, respawning init: prefdm main process (1543) terminated with status 127 init: prefdm respawning too fast, stopped ^@init: ck-log-system-restart main process (1551) terminated with status 1 Entering non-interactive startup Sending all processes the TERM signal... [ OK ] init: ck-log-system-restart main process (1565) terminated with status 1 Sending all processes the KILL signal... [ OK ] touch: cannot touch `/var/lib/random-seed': Read-only file system chmod: changing permissions of `/var/lib/random-seed': Read-only file system Saving random seed: [FAILED] Syncing hardware clock to system time [FAILED] Turning off swap: [ OK ] Turning off quotas: [FAILED] umount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied umount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied Please stand by while rebooting the system... init: Re-executing /sbin/init Restarting system. --------------------------- After some tests, i was able too boot the system disabling selinux. 'selinux=0'. Reproducible: Always Steps to Reproduce: 1. yum update 2. reboot Actual Results: the system does not boot normally anymore, unless specifying 'selinux=0' kernel parameter Expected Results: to be able to boot the system with selinux enabled For my hardware / software information se bug 611350 (bugzilla.redhat.com)
Reartes, could you try to edit /etc/selinux/config and change the field SELINUX=enforcing to SELINUX=permissive After that execute: # touch /.autorelabel; reboot
It works! Great Advice! edited /etc/selinux/config and change the field SELINUX=enforcing to SELINUX=permissive After that executed: # touch /.autorelabel; reboot I am able to boot with selinux enabled (but permissive) -------------------------------------------------------------- # setenforce enforcing After that, the process dbus-daemon gets constant 23% cpu usage and disk access (that was the process with strange behaviour i noticed after yum uptate). # setenforce permissive The process dbus-daemon returns to normal? but the issue returns. So i repeated the fix and left it in permissive for now.
After the relabel, did you see any AVC messages in /var/log/audit/audit.log?
Yes, there are quite a lot actually... I will create an attachment.
Created attachment 438569 [details] audit.log after relabeling with AVC /var/log/audit/audit.log Right after executing the autorelabel stuff.
What says matchpathcon /lib64/libc-2.12.so
This looks like an old bug where restorecond would go wild relabeling everything as admin_home_t. Could you make sure the restorecond service is not running. Also did you login an X Session as root?
# matchpathcon /lib64/libc-2.12.so /lib64/libc-2.12.so system_u:object:lib_t:s0 restorecond is off in all runlevels and it is not running. I logged as a normal user (but used su - to execute privileged commands) I tried again # setenforce enforcing (under normal user via su -) These processes where the ones with more cpu utilization. dbus-daemon ksmtuned After issuing the command, i lost 'the keyboard' (this is the second time it happened in a month, after issuing a command wich resulted in high load). Unpluggin and repluggin the keyboard does not work (maybe another separate issue to troubleshout), no caps lock... ssh is closed, forgot to enable after last reinstall... :-(
Hummm... The relabeling process complained over some conflict, it seems it choose admin_t for some files... [root@ulquiorra /]# ls -lZ /lib64/libc-2.12.so -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /lib64/libc-2.12.so [root@ulquiorra /]# restorecon /lib64/libc-2.12.so [root@ulquiorra /]# ls -lZ /lib64/libc-2.12.so -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /lib64/libc-2.12.so [root@ulquiorra /]# cd /lib64 [root@ulquiorra lib64]# ls -lZ|grep home_ -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 ld-2.12.so -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libasound.so.2.0.0 -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libglib-2.0.so.0.2400.1 -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libgthread-2.0.so.0.2400.1 -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libm-2.12.so -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libpthread-2.12.so -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 librt-2.12.so -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libudev.so.0.6.1 [root@ulquiorra lib64]# restorecon /lib64/ld-2.12.so [root@ulquiorra lib64]# restorecon /lib64/libasound.so.2 [root@ulquiorra lib64]# restorecon /lib64/libgthread-2.0.so.0 [root@ulquiorra lib64]# restorecon /lib64/libm-2.12.so [root@ulquiorra lib64]# restorecon /lib64/libpthread-2.12.so [root@ulquiorra lib64]# restorecon /lib64/librt-2.12.so [root@ulquiorra lib64]# restorecon /lib64/libudev.so.0 [root@ulquiorra lib64]# ls -lZ|grep home_ -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libglib-2.0.so.0.2400.1 [root@ulquiorra lib64]# restorecon /lib64/libglib-2.0.so.0.2400.1 [root@ulquiorra lib64]# ls -lZ|grep home_ [root@ulquiorra lib64]# ls /lib -lZ|grep home_ [root@ulquiorra lib64]# ls /bin -lZ|grep home_ -rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 bash [root@ulquiorra lib64]# restorecon /bin/bash [root@ulquiorra lib64]# ls /bin -lZ|grep home_ [root@ulquiorra lib64]# ls /sbin -lZ|grep home_ [root@ulquiorra lib64]# ls /usr/sbin -lZ|grep home_ [root@ulquiorra lib64]# ls /usr/bin -lZ|grep home_ [root@ulquiorra lib64]# ls /usr/lib -lZ|grep home_ [root@ulquiorra lib64]# ls /usr/lib64/ -lZ|grep home_ [root@ulquiorra lib64]# ls /usr/libexec/ -lZ|grep home_ [root@ulquiorra lib64]# ls /etc -lZ|grep home_
Are you able to boot without errors now? Also what says grep -r admin_home_t /etc/selinux/targeted/contexts/
I found this AVC, currently the only one reported by the selinux-gui-utility. ----------------------- Summary: SELinux is preventing /bin/bash access to a leaked /root file descriptor. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by the prelink command. It looks like this is either a leaked descriptor or prelink output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /root. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Additional Information: Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c 1023 Target Context system_u:object_r:admin_home_t:s0 Target Objects /root [ dir ] Source prelink Source Path /bin/bash Port <Unknown> Host ulquiorra.espada Source RPM Packages bash-4.1.7-1.fc13 Target RPM Packages filesystem-2.4.31-1.fc13 Policy RPM selinux-policy-3.7.19-44.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name leaks Host Name ulquiorra.espada Platform Linux ulquiorra.espada 2.6.34.3-37.fc13.x86_64 #1 SMP Tue Aug 10 21:09:58 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Mon 16 Aug 2010 03:20:57 AM ART Last Seen Mon 16 Aug 2010 03:20:57 AM ART Local ID 3717d61a-b04e-4281-b83e-5f3393016ed7 Line Numbers Raw Audit Messages node=ulquiorra.espada type=AVC msg=audit(1281939657.156:24190): avc: denied { read } for pid=5101 comm="prelink" path="/root" dev=sda3 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir node=ulquiorra.espada type=SYSCALL msg=audit(1281939657.156:24190): arch=c000003e syscall=59 success=yes exit=0 a0=1e69860 a1=1e69ff0 a2=1e69530 a3=10 items=0 ppid=4926 pid=5101 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null) ------------------------------- Since it said something about prelink (don't really know much about it). # prelink -af And now i will try to set selinux in enforcing # setenforce=enforcing The dbus-daemon issue didn't ocurr, now... so i set it to enforcing in /etc/selinux/config # init 6 WOW! It WORKS. Currently im able to boot with selinux enabled & enforcing :-) Thanks for the help and advices. Guillermo. ------------------------------------------ Update: [root@ulquiorra ~]# grep -r admin_home_t /etc/selinux/targeted/contexts/ /etc/selinux/targeted/contexts/files/file_contexts:/root(/.*)? system_u:object_r:admin_home_t:s0
(In reply to comment #11) > I found this AVC, currently the only one reported by the selinux-gui-utility. > This is a different issue which is caused by cronie. We added a fix to selinux-policy-3.7.19-47.fc13.noarch. This update should be available from update repo now. > Update: > > [root@ulquiorra ~]# grep -r admin_home_t /etc/selinux/targeted/contexts/ > /etc/selinux/targeted/contexts/files/file_contexts:/root(/.*)? > system_u:object_r:admin_home_t:s0 Looks good. Please reopen if it happens again.