Description of problem: When a filesystem configured in /etc/fstab cannot be mounted, rescue mode fails. The root password is requested, but when given the login fails. Version-Release number of selected component (if applicable): systemd-194-1.fc18.x86_64 How reproducible: 100% Steps to Reproduce: 1.Configure a filesystem in /etc/fstab that cannot be mounted. 2.Boot. Alternatively: configure an encrypted filesystem, but do not provide the password at boot.
Merely the password authentication fails, or something else?
Welcome to emergency mode. Use "systemctl default" or ^D to enter default mode. Give root password for maintenance (or type Control-D to continue) sulogin: /root: change directory failed: Permission denied Logging in with home = "/" sulogin: /bin/bash: exec failed: Permission denied sulogin: /bin/sh: exec failed: Permission denied Login incorrect Give root password for maintenance (or type Control-D to continue)
Does booting with "enforcing=0" help?
It does. dmesg reveals: [ 110.316332] type=1400 audit(1349975360.395:3): avc: denied { transition } for pid=499 comm="sulogin" path="/usr/bin/bash" dev="sda8" ino=674983 scontext=system_u:system_r:sulogin_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process selinux-policy-targeted-3.11.1-32.fc18.noarch
Also, I'm not sure if it's intentional that failing to provide a password within about 80 seconds drops you into maintenance mode..?
(Sorry, not clear: failing to provide an *encryption* password drops you into maintenance mode, which asks for the root password)
(In reply to comment #4) > It does. > > dmesg reveals: > > [ 110.316332] type=1400 audit(1349975360.395:3): avc: denied { transition > } for pid=499 comm="sulogin" path="/usr/bin/bash" dev="sda8" ino=674983 > scontext=system_u:system_r:sulogin_t:s0 > tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process > > selinux-policy-targeted-3.11.1-32.fc18.noarch OK, reassigning to selinux-policy. (In reply to comment #6) > (Sorry, not clear: failing to provide an *encryption* password drops you > into maintenance mode, which asks for the root password) See https://bugzilla.redhat.com/show_bug.cgi?id=861123 regarding this.
We allow this but this is #============= sulogin_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Constraint rule: # Possible cause source context and target context 'user' differ # Possible cause source context and target context 'level' differ allow sulogin_t unconfined_t:process transition;
It would work with mcs_process_set_categories(sulogin_t) which is a "hack". Dan, I believe we should get ranged sulogin_t.
i agree it should be ranged. Fixed in selinux-policy-3.11.1-40.fc18.noarch
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Package selinux-policy-3.11.1-46.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18 then log in and leave karma (feedback).
Fixes it here. Thanks.
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.