Bug 623514 - After yum update, system cannot boot without selinux=0 kernel parameter
Summary: After yum update, system cannot boot without selinux=0 kernel parameter
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-08-12 01:47 UTC by Reartes Guillermo
Modified: 2010-08-16 14:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-16 14:03:23 UTC
Type: ---
Embargoed:


Attachments
audit.log after relabeling with AVC (92.45 KB, text/plain)
2010-08-13 01:39 UTC, Reartes Guillermo

Description Reartes Guillermo 2010-08-12 01:47:56 UTC
User-Agent:       Opera/9.80 (X11; Linux i686; U; en) Presto/2.6.30 Version/10.60


After performing a 'yum update' (which finished OK, apparently), I noticed constant disk access,
so I rebooted. During shutdown, every service status was failed.
I was not able to boot the system normally.

Aug 11 19:36:38 Updated: cronie-1.4.5-1.fc13.x86_64
Aug 11 19:36:39 Updated: cronie-anacron-1.4.5-1.fc13.x86_64
Aug 11 19:36:41 Updated: imsettings-libs-0.108.1-1.fc13.x86_64
Aug 11 19:37:01 Updated: selinux-policy-3.7.19-44.fc13.noarch
Aug 11 19:37:02 Updated: imsettings-0.108.1-1.fc13.x86_64
Aug 11 19:37:03 Updated: iputils-20071127-12.fc13.x86_64
Aug 11 19:37:37 Updated: selinux-policy-targeted-3.7.19-44.fc13.noarch
Aug 11 19:37:39 Updated: linux-firmware-20100806-2.fc13.noarch

------------------------------
Normal boot (obtained over the serial port with 'console=tty0 console ttyS0')

/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
init: readahead-collector main process (517) terminated with status 127
		Welcome to Fedora 
		Press 'I' to enter interactive startup.
Starting udev: /sbin/restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
k10temp 0000:00:18.3: unreliable CPU thermal sensor; monitoring disabled
nForce2_smbus 0000:00:01.1: Error probing SMB2.
[  OK  ]
Setting hostname ulquiorra.espada:  [FAILED]
Setting up Logical Volume Management:   No volume groups found
[  OK  ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/sda3 
Fedora-13-x86_64: clean, 114894/1564672 files, 1015336/6249285 blocks
[/sbin/fsck.ext3 (1) -- /home] fsck.ext3 -a /dev/md127 
ulquiorra-home: clean, 44888/2191536 files, 5614781/8749056 blocks (check in 5 mounts)
[/sbin/fsck.reiserfs (1) -- /data0] fsck.reiserfs -a /dev/sda6 
[/sbin/fsck.reiserfs (2) -- /data1] fsck.reiserfs -a /dev/sdb6 
Reiserfs super block in block 16 on 0x816 of format 3.6 with standard journal
Blocks (total/free): 200246192/71507555 by 4096 bytes
Filesystem is NOT clean
Reiserfs super block in block 16 on 0x806 of format 3.6 with standard journal
Blocks (total/free): 204909056/36552114 by 4096 bytes
Filesystem is NOT clean
Replaying journal: Replaying journal: Replaying journal: Done.
Reiserfs journal '/dev/sda6' in blocks [18..8211]: 0 transactions replayed
Replaying journal: Done.
Reiserfs journal '/dev/sdb6' in blocks [18..8211]: 0 transactions replayed
[/sbin/fsck.reiserfs (1) -- /data3] fsck.reiserfs -a /dev/sdb5 
Reiserfs super block in block 16 on 0x815 of format 3.6 with standard journal
Blocks (total/free): 29091696/11961221 by 4096 bytes
Filesystem is NOT clean
Replaying journal: Replaying journal: Done.
Reiserfs journal '/dev/sdb5' in blocks [18..8211]: 0 transactions replayed
[  OK  ]
Remounting root filesystem in read-write mode:  mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
[FAILED]
mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
Mounting local filesystems:  mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
[FAILED]
Enabling local filesystem quotas:  [FAILED]
chmod: changing permissions of `/var/lib/random-seed': Read-only file system
rm: cannot remove `/var/run/wpa_supplicant.pid': Read-only file system
rm: cannot remove `/var/run/ConsoleKit/database': Read-only file system
rm: cannot remove `/var/run/nm-dhclient-eth0.conf': Read-only file system
rm: cannot remove `/var/run/cupsd.pid': Read-only file system
rm: cannot remove `/var/run/cron.reboot': Read-only file system
rm: cannot remove `/var/run/console-kit-daemon.pid': Read-only file system
rm: cannot remove `/var/run/portreserve/socket': Read-only file system
rm: cannot remove `/var/run/setroubleshoot/setroubleshoot_server': Read-only file system
rm: cannot remove `/var/run/kdm/.XauthrVX8Gb': Read-only file system
rm: cannot remove `/var/run/kdm/kdm.pid': Read-only file system
rm: cannot remove `/var/run/irqbalance.pid': Read-only file system
rm: cannot remove `/var/run/libvirt/network/default.pid': Read-only file system
rm: cannot remove `/var/run/acpid.socket': Read-only file system
rm: cannot remove `/var/run/dhclient-eth0.pid': Read-only file system
rm: cannot remove `/var/run/dbus/system_bus_socket': Read-only file system
rm: cannot remove `/var/run/utmp': Read-only file system
/etc/rc.d/rc.sysinit: line 761: /var/run/utmp: Read-only file system
touch: cannot touch `/var/log/wtmp': Read-only file system
chgrp: changing group of `/var/run/utmp': Read-only file system
chgrp: changing group of `/var/log/wtmp': Read-only file system
chmod: changing permissions of `/var/run/utmp': Read-only file system
chmod: changing permissions of `/var/log/wtmp': Read-only file system
restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
rm: cannot remove `/tmp/.X11-unix': Read-only file system
rm: cannot remove `/tmp/.ICE-unix': Read-only file system
rm: cannot remove `/tmp/kde-guille': Read-only file system
rm: cannot remove `/tmp/kde-root': Read-only file system
rm: cannot remove `/tmp/ksocket-guille/klauncherMT2141.slave-socket': Read-only file system
rm: cannot remove `/tmp/mc-guille': Read-only file system
rm: cannot remove `/tmp/mc-root': Read-only file system
chown: changing ownership of `/tmp/.ICE-unix': Read-only file system
Enabling /etc/fstab swaps:  [  OK  ]
mv: cannot move `/var/log/dmesg' to `/var/log/dmesg.old': Read-only file system
/etc/rc.d/rc.sysinit: line 818: /var/log/dmesg: Read-only file system
touch: cannot touch `/var/run/getkey_done': Read-only file system
Entering non-interactive startup
init: system-setup-keyboard main process (1089) terminated with status 1
init: ck-log-system-start main process (1090) terminated with status 1
mktemp: failed to create file via template `/tmp/sysstat-XXXXXX': Read-only file system
touch: cannot touch `/var/lock/subsys/lvm2_monitor': Read-only file system
ip6tables: Applying firewall rules: [FAILED]
iptables: Applying firewall rules: [FAILED]
Starting auditd: [FAILED]
Starting portreserve: [FAILED]
Starting system logger: [FAILED]
Enabling ondemand cpu frequency scaling: [  OK  ]
touch: cannot touch `/var/lock/subsys/cpuspeed': Read-only file system
Starting irqbalance: [FAILED]
Starting rpcbind: [FAILED]
Starting mdmonitor: cannot create pid file: Read-only file system
[  OK  ]touch: cannot touch `/var/lock/subsys/mdmonitor': Read-only file system

Starting system message bus: [FAILED]
init: Unable to connect to the system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused
Setting network parameters... [  OK  ]
Starting NetworkManager daemon: [FAILED]
Starting Avahi daemon... [FAILED]
Starting NFS statd: [FAILED]
Initializing OpenCT smart card terminals:  [FAILED]
Starting RPC idmapd: Error: RPC MTAB does not exist.
Starting cups: [FAILED]
Starting acpi daemon: acpid: can't open socket /var/run/acpid.socket: Address already in use
[FAILED]
Starting HAL daemon: [FAILED]
Starting PC/SC smart card daemon (pcscd): mktemp: failed to create file via template `/tmp/reader.conf.XXXXXX': Read-only file system

Enabling Bluetooth devices:
Starting sendmail: [  OK  ]
touch: cannot touch `/var/lock/subsys/sendmail': Read-only file system
Starting sm-client: touch: cannot touch `/var/run/sm-client.pid': Read-only file system
chown: cannot access `/var/run/sm-client.pid': No such file or directory
/sbin/restorecon: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
[  OK  ]
touch: cannot touch `/var/lock/subsys/sm-client': Read-only file system
Starting abrt daemon: [FAILED]
Starting ksm: [  OK  ]
Starting ksmtuned: [FAILED]
Starting crond: crond: can't open or create /var/run/crond.pid: Read-only file system
[FAILED]
Starting atd: [  OK  ][  OK  ]
touch: cannot touch `/var/lock/subsys/atd': Read-only file system
Starting libvirtd daemon: libvirtd: error: Unable to obtain pidfile. Check /var/log/messages or run without --daemon for more info.
[FAILED]
rm: cannot remove `/var/lib/libvirt/libvirt-guests': Read-only file system
touch: cannot touch `/var/lock/subsys/libvirt-guests': Read-only file system
Registering binary handler for Windows applications: /etc/rc5.d/S98wine: line 28: /proc/sys/fs/binfmt_misc/register: No such file or directory
/etc/rc5.d/S98wine: line 29: /proc/sys/fs/binfmt_misc/register: No such file or directory
[  OK  ]
touch: cannot touch `/var/lock/subsys/local': Read-only file system
securetty: Couldn't open /etc/securetty: Read-only file system
init: serial (ttyS0) pre-start process (1462) terminated with status 1
init: prefdm main process (1460) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1525) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1527) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1529) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1531) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1533) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1535) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1537) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1539) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1541) terminated with status 127
init: prefdm main process ended, respawning
init: prefdm main process (1543) terminated with status 127
init: prefdm respawning too fast, stopped
init: ck-log-system-restart main process (1551) terminated with status 1
Entering non-interactive startup
Sending all processes the TERM signal... [  OK  ]
init: ck-log-system-restart main process (1565) terminated with status 1
Sending all processes the KILL signal... [  OK  ]
touch: cannot touch `/var/lib/random-seed': Read-only file system
chmod: changing permissions of `/var/lib/random-seed': Read-only file system
Saving random seed:  [FAILED]
Syncing hardware clock to system time [FAILED]
Turning off swap:  [  OK  ]
Turning off quotas:  [FAILED]
umount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
umount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
mount: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
Please stand by while rebooting the system...
init: Re-executing /sbin/init
Restarting system.

---------------------------

After some tests, I was able to boot the system by disabling SELinux with 'selinux=0'.

Reproducible: Always

Steps to Reproduce:
1. yum update
2. reboot

Actual Results:  
The system does not boot normally any more unless the 'selinux=0' kernel parameter is specified.

Expected Results:  
To be able to boot the system with SELinux enabled.

For my hardware/software information see bug 611350 (bugzilla.redhat.com).

Comment 1 Miroslav Grepl 2010-08-12 12:10:40 UTC
Reartes,
could you try to edit /etc/selinux/config and change the field

SELINUX=enforcing

to

SELINUX=permissive

After that execute:

# touch /.autorelabel; reboot

Comment 2 Reartes Guillermo 2010-08-12 20:33:21 UTC
It works! Great advice!

Edited /etc/selinux/config and changed the field

SELINUX=enforcing

to

SELINUX=permissive

After that I executed:

# touch /.autorelabel; reboot


I am able to boot with SELinux enabled (but permissive).

--------------------------------------------------------------

# setenforce enforcing

After that, the dbus-daemon process gets constant 23% CPU usage and disk access (that was the process with the strange behaviour I noticed after yum update).
 

# setenforce permissive 

The dbus-daemon process returns to normal (?), but the issue returns.

So I repeated the fix and left it in permissive for now.

Comment 3 Daniel Walsh 2010-08-12 20:51:11 UTC
After the relabel, did you see any AVC messages in /var/log/audit/audit.log?

Comment 4 Reartes Guillermo 2010-08-13 01:37:23 UTC
Yes, there are quite a lot actually...

I will create an attachment.

Comment 5 Reartes Guillermo 2010-08-13 01:39:13 UTC
Created attachment 438569 [details]
audit.log after relabeling with AVC

/var/log/audit/audit.log

Right after executing the autorelabel stuff.
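
Comment 3 asks whether the audit log shows AVC denials after the relabel. The following is an added example, not part of this bug report or of the selinux-policy package: a POSIX shell function that groups raw audit.log AVC records by verdict, source type, target type, object class and permissions and counts them, so that a relabel that has turned half of /lib64 into admin_home_t shows up as a pile of denials sharing one target type. The records in sample_audit_log are constructed for this example (the prelink record is the one quoted later in this bug; the mount_t and setfiles_t records are invented to mimic the failing boot), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): summarize AVC records from an
# audit.log as "COUNT VERDICT SOURCE_TYPE TARGET_TYPE CLASS PERMS" lines.

# Third colon-separated field of a security context, e.g.
# system_u:object_r:admin_home_t:s0 -> admin_home_t
ctx_type() {
    t=${1#*:}
    t=${t#*:}
    printf '%s' "${t%%:*}"
}

# Reads raw audit records on stdin.  Only kernel AVC records are used;
# SYSCALL, PATH and USER_AVC (dbus/X userspace) records have other layouts.
avc_summary() {
    set -f                      # no globbing while records are word-split
    while IFS= read -r line; do
        case "$line" in
            *type=AVC*) ;;
            *) continue ;;
        esac
        set -- $line
        verdict= stype= ttype= tclass= perms= inperm=0
        for tok in "$@"; do
            case "$tok" in
                denied|granted) verdict=$tok ;;
                '{')            inperm=1 ;;          # start of "{ perm perm }"
                '}')            inperm=0 ;;
                scontext=*)     stype=$(ctx_type "${tok#scontext=}") ;;
                tcontext=*)     ttype=$(ctx_type "${tok#tcontext=}") ;;
                tclass=*)       tclass=${tok#tclass=} ;;
                *) if [ "$inperm" = 1 ]; then perms="$perms${perms:+,}$tok"; fi ;;
            esac
        done
        printf '%s %s %s %s %s\n' "$verdict" "$stype" "$ttype" "$tclass" "$perms"
    done | sort | uniq -c | sed 's/^ *//'
    set +f
}

# Constructed sample log for this example.  The first record is the one
# from this bug; the mount_t/setfiles_t records are invented to resemble
# the "failed to map segment: Permission denied" boot failure.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1281900000.001:100): avc:  denied  { read execute } for  pid=517 comm="mount" path="/lib64/libc-2.12.so" dev=sda3 ino=1001 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1281900000.001:100): arch=c000003e syscall=59 success=no exit=-13 comm="mount" exe="/bin/mount"
type=AVC msg=audit(1281900000.002:101): avc:  denied  { read execute } for  pid=519 comm="restorecon" path="/lib64/libc-2.12.so" dev=sda3 ino=1001 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=ulquiorra.espada type=AVC msg=audit(1281939657.156:24190): avc:  denied  { read } for  pid=5101 comm="prelink" path="/root" dev=sda3 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1281900000.003:102): avc:  denied  { read execute } for  pid=523 comm="mount" path="/lib64/libc-2.12.so" dev=sda3 ino=1001 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
EOF
}

# Real use: avc_summary < /var/log/audit/audit.log
sample_audit_log | avc_summary
```

On a healthy system the target-type column is spread across many types; when almost every line ends in admin_home_t for files under /lib64 or /bin, the labels are the problem rather than the policy, and a restorecon of those paths is the fix.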

Comment 6 Miroslav Grepl 2010-08-13 06:34:22 UTC
What does this say:

matchpathcon /lib64/libc-2.12.so

Comment 7 Daniel Walsh 2010-08-13 13:49:01 UTC
This looks like an old bug where restorecond would go wild relabeling everything as admin_home_t.

Could you make sure the restorecond service is not running. Also, did you log in to an X session as root?

Comment 8 Reartes Guillermo 2010-08-13 21:57:06 UTC
# matchpathcon /lib64/libc-2.12.so

/lib64/libc-2.12.so  system_u:object_r:lib_t:s0

restorecond is off in all runlevels and it is not running.

I logged in as a normal user (but used su - to execute privileged commands).

I tried again

# setenforce enforcing (under normal user via su -)

These processes were the ones with the most CPU utilization.

dbus-daemon
ksmtuned

After issuing the command, I lost 'the keyboard' (this is the second time it happened in a month, after issuing a command which resulted in high load). Unplugging and replugging the keyboard does not work (maybe another separate issue to troubleshoot), no caps lock... ssh is closed, I forgot to enable it after the last reinstall... :-(

Comment 9 Reartes Guillermo 2010-08-13 23:09:09 UTC
Hummm...

The relabeling process complained about some conflict; it seems it chose admin_t for some files...

[root@ulquiorra /]# ls -lZ /lib64/libc-2.12.so 
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /lib64/libc-2.12.so
[root@ulquiorra /]# restorecon /lib64/libc-2.12.so
[root@ulquiorra /]# ls -lZ /lib64/libc-2.12.so 
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /lib64/libc-2.12.so

[root@ulquiorra /]# cd /lib64
[root@ulquiorra lib64]# ls -lZ|grep home_
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 ld-2.12.so
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libasound.so.2.0.0
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libglib-2.0.so.0.2400.1
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libgthread-2.0.so.0.2400.1
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libm-2.12.so
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libpthread-2.12.so
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 librt-2.12.so
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libudev.so.0.6.1

[root@ulquiorra lib64]# restorecon /lib64/ld-2.12.so 
[root@ulquiorra lib64]# restorecon /lib64/libasound.so.2
[root@ulquiorra lib64]# restorecon /lib64/libgthread-2.0.so.0
[root@ulquiorra lib64]# restorecon /lib64/libm-2.12.so 
[root@ulquiorra lib64]# restorecon /lib64/libpthread-2.12.so 
[root@ulquiorra lib64]# restorecon /lib64/librt-2.12.so 
[root@ulquiorra lib64]# restorecon /lib64/libudev.so.0

[root@ulquiorra lib64]# ls -lZ|grep home_
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libglib-2.0.so.0.2400.1

[root@ulquiorra lib64]# restorecon /lib64/libglib-2.0.so.0.2400.1 
[root@ulquiorra lib64]# ls -lZ|grep home_

[root@ulquiorra lib64]# ls /lib -lZ|grep home_
[root@ulquiorra lib64]# ls /bin  -lZ|grep home_
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 bash
    
[root@ulquiorra lib64]# restorecon /bin/bash 
[root@ulquiorra lib64]# ls /bin  -lZ|grep home_

[root@ulquiorra lib64]# ls /sbin  -lZ|grep home_
[root@ulquiorra lib64]# ls /usr/sbin  -lZ|grep home_
[root@ulquiorra lib64]# ls /usr/bin  -lZ|grep home_
[root@ulquiorra lib64]# ls /usr/lib  -lZ|grep home_
[root@ulquiorra lib64]# ls /usr/lib64/  -lZ|grep home_
[root@ulquiorra lib64]# ls /usr/libexec/  -lZ|grep home_
[root@ulquiorra lib64]# ls /etc -lZ|grep home_
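
The comment above hunts for mislabeled files one directory at a time with `ls -lZ | grep home_`. The following added example (not code from the bug report or from Fedora) generalizes that check: a POSIX shell function that reads `ls -lZ` output for one directory, flags every entry carrying a *_home_t or *_home_dir_t type outside /root and /home, and prints the restorecon commands that would fix them. It locates the context field by its :object_r: role rather than by column position, so it handles both the five-column `ls -lZ` layout shown in this bug and the newer layout that also prints link count, size and date. The listing in sample_lib64_listing is constructed for this example from the entries shown above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): report files whose SELinux type
# is a home-directory type although they live outside /root and /home.
#
# Usage: ls -lZ /lib64 | stray_home_labels /lib64
#        for d in /bin /sbin /lib64 /usr/lib64; do ls -lZ "$d" | stray_home_labels "$d"; done

stray_home_labels() {
    dir=${1%/}
    case "$dir" in
        /root|/root/*|/home|/home/*) return 0 ;;   # home types are correct here
    esac
    set -f                            # no globbing while lines are word-split
    while IFS= read -r line; do
        entry=${line%% -> *}          # drop a symlink target, if any
        name=${entry##* }             # file name is the last field (no spaces in names)
        ctx=
        for tok in $entry; do         # the context is the field carrying a role
            case "$tok" in *:object_r:*) ctx=$tok; break ;; esac
        done
        [ -n "$ctx" ] || continue     # "total N" and other non-entry lines
        type=${ctx#*:object_r:}       # strip user:role:
        type=${type%%:*}              # strip the MLS/MCS level
        case "$type" in
            *_home_t|*_home_dir_t) printf 'restorecon -v %s/%s\n' "$dir" "$name" ;;
        esac
    done
    set +f
}

# Constructed listing for this example, mixing the old five-column layout
# from this bug with one entry in the newer layout (link count, size, date).
sample_lib64_listing() {
    cat <<'EOF'
total 1234
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 ld-2.12.so
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       libc.so.6 -> libc-2.12.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       libc-2.12.so
-rwxr-xr-x. root root system_u:object_r:admin_home_t:s0 libm-2.12.so
-rwxr-xr-x. 1 root root system_u:object_r:admin_home_t:s0 2.1M Aug 10 12:00 libnewformat.so.1
EOF
}

sample_lib64_listing | stray_home_labels /lib64
```

The same check is built into the tools: `restorecon -Rnv /lib64` (dry run, verbose) lists every file whose label differs from what file_contexts specifies, without being limited to home types. The function above is for the situation in this bug, where restorecon itself could not start because libc was mislabeled and the listing had to be inspected from a rescue shell or with SELinux disabled.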

Comment 10 Miroslav Grepl 2010-08-16 13:30:46 UTC
Are you able to boot without errors now?

Also, what does this say:

grep -r admin_home_t /etc/selinux/targeted/contexts/

Comment 11 Reartes Guillermo 2010-08-16 13:53:28 UTC
I found this AVC, currently the only one reported by the selinux-gui-utility.

-----------------------

Summary:

SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the prelink command. It looks like this is
either a leaked descriptor or prelink output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        prelink
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ulquiorra.espada
Source RPM Packages           bash-4.1.7-1.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-44.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     ulquiorra.espada
Platform                      Linux ulquiorra.espada 2.6.34.3-37.fc13.x86_64 #1 SMP Tue Aug 10 21:09:58 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 16 Aug 2010 03:20:57 AM ART
Last Seen                     Mon 16 Aug 2010 03:20:57 AM ART
Local ID                      3717d61a-b04e-4281-b83e-5f3393016ed7
Line Numbers                  

Raw Audit Messages            

node=ulquiorra.espada type=AVC msg=audit(1281939657.156:24190): avc:  denied  { read } for  pid=5101 comm="prelink" path="/root" dev=sda3 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=ulquiorra.espada type=SYSCALL msg=audit(1281939657.156:24190): arch=c000003e syscall=59 success=yes exit=0 a0=1e69860 a1=1e69ff0 a2=1e69530 a3=10 items=0 ppid=4926 pid=5101 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

-------------------------------

Since it said something about prelink (I don't really know much about it), I ran:

# prelink -af

And now I will try to set SELinux to enforcing:

# setenforce enforcing

The dbus-daemon issue didn't occur now... so I set it to enforcing in /etc/selinux/config

# init 6

WOW! It WORKS.

Currently I'm able to boot with SELinux enabled & enforcing :-)


Thanks for the help and advices.

Guillermo.

------------------------------------------

Update:

[root@ulquiorra ~]# grep -r admin_home_t /etc/selinux/targeted/contexts/
/etc/selinux/targeted/contexts/files/file_contexts:/root(/.*)?  system_u:object_r:admin_home_t:s0

Comment 12 Miroslav Grepl 2010-08-16 14:03:23 UTC
(In reply to comment #11)
> I found this AVC, currently the only one reported by the selinux-gui-utility.
> 

This is a different issue which is caused by cronie. We added a fix to selinux-policy-3.7.19-47.fc13.noarch. This update should be available from update repo now.

> Update:
> 
> [root@ulquiorra ~]# grep -r admin_home_t /etc/selinux/targeted/contexts/
> /etc/selinux/targeted/contexts/files/file_contexts:/root(/.*)? 
> system_u:object_r:admin_home_t:s0

Looks good. Please reopen if it happens again.

