Bug 842758 - sockets activated from initramfs need relabeling on switch-root
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-07-24 10:20 EDT by Jeff Layton
Modified: 2014-06-18 03:42 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-07-31 12:00:26 EDT
Type: Bug

Attachments
console log from boot (13.08 KB, text/plain), attached 2012-07-24 10:20 EDT by Jeff Layton

Description Jeff Layton 2012-07-24 10:20:28 EDT
Created attachment 600040
console log from boot

Opening as a systemd bug, but may be some other component that's broken...

Recently, when I reboot my rawhide machine, it drops to an emergency mode prompt due to what looks like dependency issues. It also looks like systemd is constantly starting and stopping the journald service. Not sure if that's expected or not...
Comment 1 Jeff Layton 2012-07-24 10:23:17 EDT
Oh, if I subsequently hit ^d at the prompt, then it seems to boot just fine. Also, this may be of interest:

[root@rawhide ~]# systemctl status systemd-journald.service
systemd-journald.service - Journal Service
	  Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
	  Active: inactive (dead) (Result: exit-code) since Tue, 24 Jul 2012 10:21:57 -0400; 11s ago
	    Docs: man:systemd-journald.service(8)
	          man:journald.conf(5)
	 Process: 363 ExecStart=/usr/lib/systemd/systemd-journald (code=exited, status=1/FAILURE)
	  Status: "Shutting down..."
	  CGroup: name=systemd:/system/systemd-journald.service
Comment 2 Michal Schmidt 2012-07-24 11:41:10 EDT
A failing journal service is definitely interesting.

> systemd-journald[294]: Unknown socket passed.

Would you paste also the output of "systemctl status systemd-journald.socket"?
Comment 3 Jeff Layton 2012-07-24 12:05:29 EDT
From emergency mode:

[root@rawhide ~]# systemctl status systemd-journald.socket
systemd-journald.socket - Journal Socket
	  Loaded: loaded (/usr/lib/systemd/system/systemd-journald.socket; static)
	  Active: failed (Result: service-failed-permanent) since Tue, 24 Jul 2012 12:02:46 -0400; 22s ago
	    Docs: man:systemd-journald.service(8)
	          man:journald.conf(5)
	  CGroup: name=systemd:/system/systemd-journald.socket


The interesting bit is if I exit emergency mode and let it boot up the rest of the way, it seems to be fine:

[root@rawhide ~]# systemctl status systemd-journald.socket
systemd-journald.socket - Journal Socket
	  Loaded: loaded (/usr/lib/systemd/system/systemd-journald.socket; static)
	  Active: active (running) since Tue, 24 Jul 2012 12:03:33 -0400; 12s ago
	    Docs: man:systemd-journald.service(8)
	          man:journald.conf(5)
	  CGroup: name=systemd:/system/systemd-journald.socket

...sort of smells like a race of some sort, but I don't know enough about the design of the journald stuff to say for sure.
Comment 4 Michal Schmidt 2012-07-24 18:55:18 EDT
Are there SELinux denials? Try booting with enforcing=0.
Comment 5 Jeff Layton 2012-07-24 20:56:45 EDT
Good call. Machine boots fine with enforcing=0.

I tried doing a full relabel (by touching /.autorelabel and rebooting) but it didn't help. Should we move this to an selinux-policy bug?
Comment 6 Michal Schmidt 2012-07-25 05:01:20 EDT
It depends. Please paste the AVC denial messages you're getting (in dmesg or audit.log).
Comment 7 Jeff Layton 2012-07-25 06:37:41 EDT
Booting with SELinux set to enforcing, I don't see any AVC messages (which seems odd), but if I boot with it in permissive mode I see these:

[    2.140434] type=1400 audit(1343212438.114:3): avc:  denied  { getattr } for  pid=269 comm="systemd-journal" path="socket:[5497]" dev="sockfs" ino=5497 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[    2.140446] type=1400 audit(1343212438.114:4): avc:  denied  { getattr } for  pid=269 comm="systemd-journal" path="socket:[5500]" dev="sockfs" ino=5500 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
[    3.485759] type=1400 audit(1343212439.459:5): avc:  denied  { write } for  pid=269 comm="systemd-journal" name="journal" dev="tmpfs" ino=5498 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
[    3.485765] type=1400 audit(1343212439.459:6): avc:  denied  { add_name } for  pid=269 comm="systemd-journal" name="flushed" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
[    3.485805] type=1400 audit(1343212439.459:7): avc:  denied  { create } for  pid=269 comm="systemd-journal" name="flushed" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
[    3.485836] type=1400 audit(1343212439.459:8): avc:  denied  { write open } for  pid=269 comm="systemd-journal" path="/run/systemd/journal/flushed" dev="tmpfs" ino=10660 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
Comment 8 Michal Schmidt 2012-07-27 05:18:14 EDT
The journal socket is labeled kernel_t because it is created in the initramfs while the SELinux policy is not yet loaded. The open socket is then intentionally "leaked" to the main systemd when switching to the real root filesystem. We need a way to relabel active sockets after loading the policy. And we don't even know yet if the kernel allows it. (As discussed on IRC yesterday.)
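The diagnosis in comment 8 can be checked mechanically against the AVC records pasted in comment 7. The following Python is an added example written for this page; it is not code from the bug report, from systemd or from selinux-policy. It parses type=1400 AVC lines, extracts the type field of the source and target contexts, and sorts each denial into the two failure modes discussed here: a socket object still labeled kernel_t (created in the initramfs before the policy was loaded and handed across switch-root), versus a file or directory whose current label the subject domain may not use (here init_var_run_t on /run/systemd/journal, which syslogd_t may not write). The sample records are the six lines quoted in comment 7, embedded as constructed input so the script runs offline. The socket_label() helper reads the security.selinux xattr of an open descriptor, which is what libselinux's fgetfilecon(3) does; it returns None on a host without SELinux, and it is an assumption of this example, not something the page confirms, that a socket descriptor answers that xattr on the kernel in question.

```python
"""Triage SELinux AVC denials of the kind quoted in this bug.

Added example for this page, not code from the bug report, systemd or
selinux-policy.  The sample records below are the six lines from
comment 7, embedded here as constructed input so the script runs offline.
"""
import os
import re
from collections import defaultdict

# Constructed sample: the AVC denials pasted in comment 7 of this bug.
SAMPLE_AVC_LINES = [
    '[    2.140434] type=1400 audit(1343212438.114:3): avc:  denied  { getattr } for  pid=269 comm="systemd-journal" path="socket:[5497]" dev="sockfs" ino=5497 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket',
    '[    2.140446] type=1400 audit(1343212438.114:4): avc:  denied  { getattr } for  pid=269 comm="systemd-journal" path="socket:[5500]" dev="sockfs" ino=5500 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket',
    '[    3.485759] type=1400 audit(1343212439.459:5): avc:  denied  { write } for  pid=269 comm="systemd-journal" name="journal" dev="tmpfs" ino=5498 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir',
    '[    3.485765] type=1400 audit(1343212439.459:6): avc:  denied  { add_name } for  pid=269 comm="systemd-journal" name="flushed" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir',
    '[    3.485805] type=1400 audit(1343212439.459:7): avc:  denied  { create } for  pid=269 comm="systemd-journal" name="flushed" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file',
    '[    3.485836] type=1400 audit(1343212439.459:8): avc:  denied  { write open } for  pid=269 comm="systemd-journal" path="/run/systemd/journal/flushed" dev="tmpfs" ino=10660 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file',
]

# Shape of a denial: 'avc:  denied  { perm perm } for  key=value key="quoted" ...'
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def context_type(ctx):
    """Type component of an SELinux context, e.g. 'kernel_t' from
    'system_u:system_r:kernel_t:s0'.  The MLS range may itself contain
    colons, so split from the front with a limit instead of fully."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in _FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = context_type(rec[ctx])
    return rec


def classify(rec):
    """Map a denial onto the failure modes discussed in this bug.

    prepolicy_socket: a socket still labeled kernel_t, i.e. one created
        before the policy was loaded (in the initramfs) and handed across
        switch-root, as comment 8 explains.  The domain cannot even
        getattr it, so the service cannot recognise the passed descriptor.
    file_object: a file or directory whose current label the subject
        domain may not use in the requested way (here init_var_run_t on
        /run/systemd/journal, which syslogd_t may not write).
    other: anything else; look at it by hand.
    """
    tclass = rec.get("tclass", "")
    if tclass.endswith("_socket") and rec.get("tcontext_type") == "kernel_t":
        return "prepolicy_socket"
    if tclass in FILE_CLASSES:
        return "file_object"
    return "other"


def triage(lines):
    """Group every AVC denial in `lines` by classify(); other lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups[classify(rec)].append(rec)
    return dict(groups)


def socket_label(fd):
    """Label of an open descriptor, read the way fgetfilecon(3) reads it.

    Returns None when the kernel has no SELinux label to give (SELinux not
    enabled, or the object does not expose security.selinux).  Assumption
    of this example: sockfs objects answer this xattr on the target kernel.
    """
    try:
        raw = os.fgetxattr(fd, "security.selinux")
    except OSError:
        return None
    return raw.rstrip(b"\0").decode()


if __name__ == "__main__":
    for kind, recs in sorted(triage(SAMPLE_AVC_LINES).items()):
        print(f"{kind}:")
        for r in recs:
            target = r.get("path") or r.get("name", "?")
            print(f"  {r['scontext_type']} -> {r['tcontext_type']} "
                  f"{r['tclass']} {{{' '.join(r['perms'])}}} on {target}")
```

On a live machine, feed the output of `ausearch -m AVC` or the kernel log into triage(). The two getattr denials on the sockets are the ones to look at first: with getattr denied, the journal service cannot fstat the descriptors it was handed, which is the likely origin of the "Unknown socket passed" message quoted in comment 2, whereas the four denials under /run/systemd/journal are ordinary file-label problems that a relabel or policy change addresses.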
Comment 9 Daniel Walsh 2012-07-31 12:00:26 EDT
Fixed in selinux-policy-3.11.0-15.fc18.noarch
