Bug 971097 - selinux blocks booting into single user mode (systemd.unit=emergency.target)
Summary: selinux blocks booting into single user mode (systemd.unit=emergency.target)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-05 16:36 UTC by Jeff Bastian
Modified: 2013-06-15 03:06 UTC (History)

Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-15 03:06:48 UTC
Type: Bug
Embargoed:



Description Jeff Bastian 2013-06-05 16:36:04 UTC
Description of problem:
I tried to boot Fedora 19 Beta into single user mode and got a number of AVCs on the console and root did not have access to the /root home directory.

Welcome to Fedora 19 (Schrödinger’s Cat)!

[    8.559768] LVM: Logical Volume autoactivation enabled.
[    8.564998] LVM: Activation generator successfully completed.
[  OK  ] Stopped Journal Service.
[  OK  ] Stopped Switch Root.
[  OK  ] Stopped target Switch Root.
[ Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" to try again
to boot into default mode.
[    8.800180] type=1400 audit(1370464115.409:4): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.823533] type=1400 audit(1370464115.439:5): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-0" dev="devtmpfs" ino=9443 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.846604] type=1400 audit(1370464115.459:6): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.869642] type=1400 audit(1370464115.479:7): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda1" dev="devtmpfs" ino=9390 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.892677] type=1400 audit(1370464115.509:8): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=9389 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.915677] type=1400 audit(1370464115.529:9): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
[    8.938953] type=1400 audit(1370464115.549:10): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
[    8.962568] type=1400 audit(1370464115.579:11): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/network_throughput" dev="devtmpfs" ino=1129 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
[    8.986918] type=1400 audit(1370464115.599:12): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/network_latency" dev="devtmpfs" ino=1128 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
Give root password for maintenance
(or type Control-D to continue): 
sulogin: /root: change directory failed: Permission denied
Logging in with home = "/".
bash-4.2# 


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-47.fc19.noarch

How reproducible:
every time

Steps to Reproduce:
1. boot into single user mode, i.e., add systemd.unit=emergency.target to the kernel command line options
2. enter root password

Actual results:
lots of AVCs and root is denied access to /root home dir

Expected results:
no AVCs, root can access /root

Additional info:
I was testing on an ARM system, but the AVCs appear to be generic to all architectures.

Comment 1 Jeff Bastian 2013-06-05 17:45:22 UTC
I booted into emergency.target with enforcing=0 and ran audit2allow against the dmesg logs:

# audit2allow -d -M single
# cat single.te

module single 1.0;

require {
	type clock_device_t;
	type loop_control_device_t;
	type netcontrol_device_t;
	type kmsg_device_t;
	type fixed_disk_device_t;
	type autofs_device_t;
	type ptmx_t;
	type sulogin_t;
	type scsi_generic_device_t;
	type usbmon_device_t;
	class blk_file getattr;
	class chr_file getattr;
}

#============= sulogin_t ==============
allow sulogin_t autofs_device_t:chr_file getattr;
allow sulogin_t clock_device_t:chr_file getattr;
allow sulogin_t fixed_disk_device_t:blk_file getattr;
allow sulogin_t kmsg_device_t:chr_file getattr;
allow sulogin_t loop_control_device_t:chr_file getattr;
allow sulogin_t netcontrol_device_t:chr_file getattr;
allow sulogin_t ptmx_t:chr_file getattr;
allow sulogin_t scsi_generic_device_t:chr_file getattr;
allow sulogin_t usbmon_device_t:chr_file getattr;

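Added example (not part of this bug report or of the selinux-policy project): a small Python script that parses AVC lines of the kind shown in the description, aggregates them the way audit2allow does (one rule per source type, target type and object class, with the union of denied permissions), renders a .te module in the same shape as single.te above, and flags any rule that asks for more than getattr so a reviewer can see which rules deserve a second look before a locally generated module is loaded. The regex is a deliberately simplified parser for type=1400 AVC records only; the sample lines are constructed after the ones in this report, and the last line (asking for read and write on a fixed disk device) is invented purely to exercise the review check.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the dmesg output in this bug. The final line is
# invented: it requests more than getattr so the review step has something to flag.
SAMPLE_DMESG = """\
[    8.800180] type=1400 audit(1370464115.409:4): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.846604] type=1400 audit(1370464115.459:6): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.915677] type=1400 audit(1370464115.529:9): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
[    8.938953] type=1400 audit(1370464115.549:10): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
[    9.100000] type=1400 audit(1370464116.000:11): avc:  denied  { read write } for  pid=285 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=9389 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# Simplified matcher for a kernel AVC denial record: permission set, then the
# source context, target context and object class. Real audit2allow handles more
# record types and fields than this.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that merely expose metadata; anything beyond these gets flagged.
BENIGN_PERMS = {"getattr"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Extract (source type, target type, class, permissions) from AVC lines."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def summarize(denials):
    """Merge denials into allow rules keyed by (source, target, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(rules, module_name="single", version="1.0"):
    """Render the rules as a policy module in the same layout as single.te."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(rules[key])};")
    return "\n".join(out) + "\n"


def review_needed(rules):
    """Rules whose permissions go beyond getattr: review these before loading."""
    return sorted(key for key, perms in rules.items() if perms - BENIGN_PERMS)


if __name__ == "__main__":
    rules = summarize(parse_avcs(SAMPLE_DMESG))
    print(to_te(rules))
    for key in review_needed(rules):
        print(f"REVIEW: allow {key[0]} {key[1]}:{key[2]} {fmt_perms(rules[key])};")
```

Running the script prints a module equivalent to the one in Comment 1 for the getattr-only lines, plus one REVIEW line for the constructed read/write denial. The point of the review step is the one this bug illustrates: a denial generated while booting with enforcing=0 is evidence of what the program tried, not proof that the access is needed, and a wide rule (write on fixed_disk_device_t) loaded into the policy is much harder to take back than a narrow one.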
Comment 2 Jeff Bastian 2013-06-05 17:49:53 UTC
This looks similar to bug 865399 from Fedora 18

Comment 3 Miroslav Grepl 2013-06-07 09:33:10 UTC
So you needed to switch to permissive mode to boot into emergency.target, right?

Comment 4 Jeff Bastian 2013-06-07 14:50:15 UTC
Yes, I booted with enforcing=0 in order to get the logs to generate the policy module.

Comment 5 Daniel Walsh 2013-06-07 20:18:42 UTC
9eae5d54b4c6688a8bfb0251069ab245ac1437ab fixes this in git, although not sure why it was not able to step into /root.

sulogin: /root: change directory failed: Permission denied
Logging in with home = "/".

6768d2163b9bf6f68d42692def4f0ae05bf614c6 allows sulogin to search /root

Comment 6 Fedora Update System 2013-06-14 07:23:46 UTC
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

Comment 7 Fedora Update System 2013-06-15 03:06:48 UTC
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
