Bug 971097 - selinux blocks booting into single user mode (systemd.unit=emergency.target)
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2013-06-05 12:36 EDT by Jeff Bastian
Modified: 2013-06-14 23:06 EDT (History)
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-14 23:06:48 EDT
Type: Bug

Description Jeff Bastian 2013-06-05 12:36:04 EDT
Description of problem:
I tried to boot Fedora 19 Beta into single user mode and got a number of AVCs on the console and root did not have access to the /root home directory.

Welcome to Fedora 19 (Schrödinger’s Cat)!

[    8.559768] LVM: Logical Volume autoactivation enabled.
[    8.564998] LVM: Activation generator successfully completed.
[  OK  ] Stopped Journal Service.
[  OK  ] Stopped Switch Root.
[  OK  ] Stopped target Switch Root.
[ Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" to try again
to boot into default mode.
[    8.800180] type=1400 audit(1370464115.409:4): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.823533] type=1400 audit(1370464115.439:5): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-0" dev="devtmpfs" ino=9443 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.846604] type=1400 audit(1370464115.459:6): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.869642] type=1400 audit(1370464115.479:7): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda1" dev="devtmpfs" ino=9390 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.892677] type=1400 audit(1370464115.509:8): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=9389 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[    8.915677] type=1400 audit(1370464115.529:9): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
[    8.938953] type=1400 audit(1370464115.549:10): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
[    8.962568] type=1400 audit(1370464115.579:11): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/network_throughput" dev="devtmpfs" ino=1129 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
[    8.986918] type=1400 audit(1370464115.599:12): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/network_latency" dev="devtmpfs" ino=1128 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
Give root password for maintenance
(or type Control-D to continue): 
sulogin: /root: change directory failed: Permission denied
Logging in with home = "/".

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. boot into single user mode, i.e., add systemd.unit=emergency.target to the kernel command line options
2. enter root password

Actual results:
lots of AVCs and root is denied access to /root home dir

Expected results:
no AVCs, root can access /root

Additional info:
I was testing on an ARM system, but the AVCs appear to be generic to all architectures.
Comment 1 Jeff Bastian 2013-06-05 13:45:22 EDT
I booted into emergency.target with enforcing=0 and ran audit2allow against the dmesg logs:

# audit2allow -d -M single
# cat single.te

module single 1.0;

require {
	type clock_device_t;
	type loop_control_device_t;
	type netcontrol_device_t;
	type kmsg_device_t;
	type fixed_disk_device_t;
	type autofs_device_t;
	type ptmx_t;
	type sulogin_t;
	type scsi_generic_device_t;
	type usbmon_device_t;
	class blk_file getattr;
	class chr_file getattr;
}

#============= sulogin_t ==============
allow sulogin_t autofs_device_t:chr_file getattr;
allow sulogin_t clock_device_t:chr_file getattr;
allow sulogin_t fixed_disk_device_t:blk_file getattr;
allow sulogin_t kmsg_device_t:chr_file getattr;
allow sulogin_t loop_control_device_t:chr_file getattr;
allow sulogin_t netcontrol_device_t:chr_file getattr;
allow sulogin_t ptmx_t:chr_file getattr;
allow sulogin_t scsi_generic_device_t:chr_file getattr;
allow sulogin_t usbmon_device_t:chr_file getattr;
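The module above is what audit2allow -d derives from the kernel log. As an added example (not part of this bug report or of the selinux-policy project), the script below shows the same aggregation step in Python: it parses AVC denial lines, merges them by (source type, target type, object class), and renders a .te module. The sample log lines are constructed from the denials quoted in the description, trimmed to the fields the parser needs; a non-AVC boot line is included to show it is skipped.

```python
"""Aggregate SELinux AVC denials from dmesg into the allow rules a policy
module would need, in the spirit of `audit2allow -d`.

Added example, not part of the bug report. SAMPLE_LOG is constructed from
the denials shown in the report (kernel timestamps and inode numbers kept
only for realism; they are ignored by the parser).
"""
import re
from collections import defaultdict

# Fields audit2allow needs: permission set, source context, target context,
# object class. pid/comm/path/dev/ino are deliberately not captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log (three denials from the report plus one ordinary boot line).
SAMPLE_LOG = [
    '[  OK  ] Stopped Journal Service.',
    '[    8.800180] type=1400 audit(1370464115.409:4): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    '[    8.846604] type=1400 audit(1370464115.459:6): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    '[    8.915677] type=1400 audit(1370464115.529:9): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file',
    '[    8.938953] type=1400 audit(1370464115.549:10): avc:  denied  { getattr } for  pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file',
]


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line.

    Returns (source_type, target_type, tclass, frozenset(perms)), or None
    when the line is not an AVC denial.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def aggregate(lines):
    """Merge all denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    return dict(rules)


def _perm_text(perms):
    """Render a permission set as SELinux policy syntax: `p` or `{ p q }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(rules, module_name="single", version="1.0"):
    """Render a .te module: header, require block, then one allow per key."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)          # tclass -> union of perms used on it
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_perm_text(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    for key in sorted(rules):
        src, tgt, cls = key
        out.append(f"allow {src} {tgt}:{cls} {_perm_text(rules[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_te(aggregate(SAMPLE_LOG)), end="")
```

The two fixed_disk_device_t denials (/dev/dm-1 and /dev/sda2) collapse into one allow rule, which is why the generated module has fewer rules than the log has denials. Like audit2allow, the output records what was denied, not what the policy should permit; deciding whether each rule belongs in the shipped policy (as the maintainers did for this bug) is a separate review step.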
Comment 2 Jeff Bastian 2013-06-05 13:49:53 EDT
This looks similar to bug 865399 from Fedora 18
Comment 3 Miroslav Grepl 2013-06-07 05:33:10 EDT
So you needed to switch to permissive mode to boot into emergency.target, right?
Comment 4 Jeff Bastian 2013-06-07 10:50:15 EDT
Yes, I booted with enforcing=0 in order to get the logs to generate the policy module.
Comment 5 Daniel Walsh 2013-06-07 16:18:42 EDT
9eae5d54b4c6688a8bfb0251069ab245ac1437ab fixes this in git, although not sure why it was not able to step into /root.

sulogin: /root: change directory failed: Permission denied
Logging in with home = "/".

6768d2163b9bf6f68d42692def4f0ae05bf614c6 allows sulogin to search /root
Comment 6 Fedora Update System 2013-06-14 03:23:46 EDT
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
Comment 7 Fedora Update System 2013-06-14 23:06:48 EDT
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
