Description of problem: I tried to boot Fedora 19 Beta into single user mode and got a number of AVCs on the console and root did not have access to the /root home directory. Welcome to Fedora 19 (Schrödinger’s Cat)! [ 8.559768] LVM: Logical Volume autoactivation enabled. [ 8.564998] LVM: Activation generator successfully completed. [ OK ] Stopped Journal Service. [ OK ] Stopped Switch Root. [ OK ] Stopped target Switch Root. [ Welcome to emergency mode! After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" to try again to boot into default mode. [ 8.800180] type=1400 audit(1370464115.409:4): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/dm-1" dev="devtmpfs" ino=9444 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.823533] type=1400 audit(1370464115.439:5): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/dm-0" dev="devtmpfs" ino=9443 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.846604] type=1400 audit(1370464115.459:6): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda2" dev="devtmpfs" ino=9391 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.869642] type=1400 audit(1370464115.479:7): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda1" dev="devtmpfs" ino=9390 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.892677] type=1400 audit(1370464115.509:8): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sda" dev="devtmpfs" ino=9389 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file [ 8.915677] type=1400 audit(1370464115.529:9): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/sg0" dev="devtmpfs" ino=8584 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file [ 8.938953] type=1400 audit(1370464115.549:10): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/rtc0" dev="devtmpfs" ino=1124 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file [ 8.962568] type=1400 audit(1370464115.579:11): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/network_throughput" dev="devtmpfs" ino=1129 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file [ 8.986918] type=1400 audit(1370464115.599:12): avc: denied { getattr } for pid=285 comm="sulogin" path="/dev/network_latency" dev="devtmpfs" ino=1128 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file Give root password for maintenance (or type Control-D to continue): sulogin: /root: change directory failed: Permission denied Logging in with home = "/". bash-4.2# Version-Release number of selected component (if applicable): selinux-policy-3.12.1-47.fc19.noarch How reproducible: every time Steps to Reproduce: 1. boot into single user mode, i.e., add systemd.unit=emergency.target to the kernel command line options 2. enter root password Actual results: lots of AVCs and root is denied access to /root home dir Expected results: no AVCs, root can access /root Additional info: I was testing on an ARM system, but the AVCs appear to generic to all architectures.
I booted into emergency.target with enforcing=0 and ran audit2allow against the dmesg logs: # audit2allow -d -M single # cat single.te module single 1.0; require { type clock_device_t; type loop_control_device_t; type netcontrol_device_t; type kmsg_device_t; type fixed_disk_device_t; type autofs_device_t; type ptmx_t; type sulogin_t; type scsi_generic_device_t; type usbmon_device_t; class blk_file getattr; class chr_file getattr; } #============= sulogin_t ============== allow sulogin_t autofs_device_t:chr_file getattr; allow sulogin_t clock_device_t:chr_file getattr; allow sulogin_t fixed_disk_device_t:blk_file getattr; allow sulogin_t kmsg_device_t:chr_file getattr; allow sulogin_t loop_control_device_t:chr_file getattr; allow sulogin_t netcontrol_device_t:chr_file getattr; allow sulogin_t ptmx_t:chr_file getattr; allow sulogin_t scsi_generic_device_t:chr_file getattr; allow sulogin_t usbmon_device_t:chr_file getattr;
This looks similar to bug 865399 from Fedora 18
So you needed to switch to permissive mode to boot into emergency.target, right?
Yes, I booted with enforcing=0 in order to get the logs to generate the policy module.
9eae5d54b4c6688a8bfb0251069ab245ac1437ab fixes this in git, although not sure why it was not able to step into /root. sulogin: /root: change directory failed: Permission denied Logging in with home = "/". 6768d2163b9bf6f68d42692def4f0ae05bf614c6 allows sulogin to search /root
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.