[Bug 811368] New: Incorrect SELinux labels in /dev cause systemd to loop
https://bugzilla.novell.com/show_bug.cgi?id=811368#c0

Summary: Incorrect SELinux labels in /dev cause systemd to loop
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Milestone 0
Platform: Other
OS/Version: Other
Status: ASSIGNED
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: vcizek@suse.com
ReportedBy: vcizek@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Systemd won't start on a Factory machine with SELinux mls policy in enforcing mode. Corresponding AVC messages show:

    2013-03-22T12:54:24.500000+01:00 dhcp88 kernel: [ 7.036863] type=1400 audit(1363953261.042:3): avc: denied { read } for pid=191 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1787 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
    2013-03-22T12:54:24.500057+01:00 dhcp88 kernel: [ 7.243186] type=1400 audit(1363953261.250:8): avc: denied { write } for pid=196 comm="systemd-sysctl" name="kmsg" dev="devtmpfs" ino=1793 scontext=system_u:system_r:systemd_sysctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
The above messages indicate that /dev/null and /dev/kmsg are both labeled as device_t, which is the default for files in /dev. However, looking at the files' labels (when booting in SELinux permissive mode):

    # ls -1Z /dev/null /dev/kmsg
    system_u:object_r:kmsg_device_t:s15:c0.c1023 /dev/kmsg
    system_u:object_r:null_device_t:s0 /dev/null

The devices are labeled with incorrect (default) types when running in mls policy in enforcing mode. It looks like systemd-journal accesses these devices before udev relabels them.

Note: this occurs for other devices too, e.g. ttys.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c1

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed   |Added
  Status           |ASSIGNED  |NEEDINFO
  CC               |          |vcizek@suse.com
  InfoProvider     |          |fcrozat@suse.com

--- Comment #1 from Vitezslav Cizek <vcizek@suse.com> 2013-03-25 13:54:05 CET ---

I've found a mail thread with a similar problem:
http://kerneltrap.org/mailarchive/linux-kernel/2010/8/27/4612449

Frederic, what is your opinion about this?
https://bugzilla.novell.com/show_bug.cgi?id=811368#c2

Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed           |Added
  Status           |NEEDINFO          |ASSIGNED
  CC               |                  |fcrozat@suse.com, rmilasan@suse.com
  InfoProvider     |fcrozat@suse.com  |

--- Comment #2 from Frederic Crozat <fcrozat@suse.com> 2013-03-25 14:17:23 UTC ---

I'm not the udev maintainer, Robert is (cc him).

To me, it looks like udevd in initrd should take care of setting labels for /dev/null and /dev/kmsg, before systemd and "main" udevd are started.

It might be worth getting udev debug output to see what is going on (I think you need to boot with udev.log-priority=debug but I'm not 100% sure).
https://bugzilla.novell.com/show_bug.cgi?id=811368#c3

--- Comment #3 from Robert Milasan <rmilasan@suse.com> 2013-03-25 15:39:20 UTC ---

Seems to be already fixed in upstream systemd, commit: 9a8ae49d91ae303c4f7c87f9c56fba3e8d646af7
https://bugs.freedesktop.org/show_bug.cgi?id=62615

Will try to backport the patch if needed and will give you the possibility to test, but in Factory anyway we will upgrade to the latest version of systemd which has this already fixed.

But maybe for 12.3 it would be needed.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c

Robert Milasan <rmilasan@suse.com> changed:

           What    |Removed          |Added
  Priority         |P5 - None        |P4 - Low
  Platform         |Other            |All
  AssignedTo       |vcizek@suse.com  |rmilasan@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=811368#c4

--- Comment #4 from Frederic Crozat <fcrozat@suse.com> 2013-03-25 15:58:16 UTC ---

(In reply to comment #3)
> Seems to be already fixed in upstream systemd, commit: 9a8ae49d91ae303c4f7c87f9c56fba3e8d646af7
> https://bugs.freedesktop.org/show_bug.cgi?id=62615
>
> Will try to backport the patch if needed and will give you the possibility to test, but in Factory anyway we will upgrade to the latest version of systemd which has this already fixed.
>
> But maybe for 12.3 it would be needed.

I don't think it is this bug, because the breakage was introduced after the systemd release in 12.3 (v195) and we didn't backport the change which caused the bug to appear.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c5

--- Comment #5 from Vitezslav Cizek <vcizek@suse.com> 2013-03-25 17:06:42 CET ---

I can confirm that I haven't met this bug on 12.3.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c6

--- Comment #6 from Frederic Crozat <fcrozat@suse.com> 2013-03-25 16:20:06 UTC ---

(In reply to comment #5)
> I can confirm that I haven't met this bug on 12.3.

Then we have an issue, because no relevant changes were made in systemd / udev since 12.3...
https://bugzilla.novell.com/show_bug.cgi?id=811368#c7

--- Comment #7 from Robert Milasan <rmilasan@suse.com> 2013-03-26 07:24:20 UTC ---

I haven't spent too much time, but the commit looks very similar to this bug. Anyway, as Frederic said, systemd/udev hasn't changed since 12.3, which pretty much means a kernel issue.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c8

Robert Milasan <rmilasan@suse.com> changed:

           What    |Removed            |Added
  AssignedTo       |rmilasan@suse.com  |jeffm@suse.com

--- Comment #8 from Robert Milasan <rmilasan@suse.com> 2013-03-26 07:31:59 UTC ---

Jeff, would you please take a look. Also not sure if you would be the right person for selinux. Please correct it if I'm wrong.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed   |Added
  Status           |ASSIGNED  |NEEDINFO
  InfoProvider     |          |jeffm@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=811368#c9

Robert Milasan <rmilasan@suse.com> changed:

           What    |Removed         |Added
  InfoProvider     |jeffm@suse.com  |jslaby@suse.com
  AssignedTo       |jeffm@suse.com  |jslaby@suse.com

--- Comment #9 from Robert Milasan <rmilasan@suse.com> 2013-06-05 09:23:46 UTC ---

I think maybe Jiri would be suited for this issue. Jiri, would you mind taking a look at this issue?
https://bugzilla.novell.com/show_bug.cgi?id=811368#c

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed          |Added
  Status           |NEEDINFO         |ASSIGNED
  InfoProvider     |jslaby@suse.com  |
https://bugzilla.novell.com/show_bug.cgi?id=811368#c10

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed   |Added
  Status           |ASSIGNED  |NEEDINFO
  InfoProvider     |          |vcizek@suse.com

--- Comment #10 from Jiri Slaby <jslaby@suse.com> 2013-06-17 09:03:19 UTC ---

(In reply to comment #9)
> Jiri, would you mind taking a look at this issue?

selinux seems to be completely broken for factory... Where do you get the policy from?
https://bugzilla.novell.com/show_bug.cgi?id=811368#c11

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed          |Added
  Status           |NEEDINFO         |ASSIGNED
  InfoProvider     |vcizek@suse.com  |

--- Comment #11 from Vitezslav Cizek <vcizek@suse.com> 2013-06-17 11:09:37 CEST ---

security:SELinux/selinux-policy
https://bugzilla.novell.com/show_bug.cgi?id=811368#c12

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed   |Added
  Status           |ASSIGNED  |NEEDINFO
  InfoProvider     |          |vcizek@suse.com

--- Comment #12 from Jiri Slaby <jslaby@suse.com> 2013-06-17 12:34:47 UTC ---

I do not see what you report, I can boot the system normally. There are two other failures here though:

    [ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate } for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531 scontext=system_u:object_r:xconsole_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
    [ 13.577555] type=1400 audit(1371493952.566:4): avc: denied { transition } for pid=1821 comm="login" path="/bin/bash" dev="sda1" ino=535765 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Are you running an up-to-date system? What kernel version do you have? They should be sorted out in the policy files (they disallow login).
https://bugzilla.novell.com/show_bug.cgi?id=811368#c13

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed          |Added
  Status           |NEEDINFO         |ASSIGNED
  InfoProvider     |vcizek@suse.com  |

--- Comment #13 from Vitezslav Cizek <vcizek@suse.com> 2013-06-26 11:23:59 CEST ---

(In reply to comment #12)
> I do not see what you report, I can boot the system normally.

I see login running as kernel_t; this looks like you didn't relabel the system. Our kernel defaults to AppArmor, so selinux isn't enabled. Thus the policy can't relabel the filesystem upon install. You should restart the system, run restorecon -R / and then reboot again to get a correctly labeled system. You can check the guide at: https://en.opensuse.org/SDB:SELinux

> There are two other failures here though:
>
>     [ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate } for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531 scontext=system_u:object_r:xconsole_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
>     [ 13.577555] type=1400 audit(1371493952.566:4): avc: denied { transition } for pid=1821 comm="login" path="/bin/bash" dev="sda1" ino=535765 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>
> Are you running an up-to-date system? What kernel version do you have?

Factory updated last week, kernel-desktop-3.10.rc4-1.1.x86_64

Currently, the system isn't stuck in a loop, I can get to the login prompt, but I keep getting:

    2013-06-26T16:58:47.260230+02:00 dhcp88 kernel: [ 5.796749] type=1400 audit(1372258724.120:3): avc: denied { read } for pid=192 comm="systemd-tmpfile" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.260264+02:00 dhcp88 kernel: [ 5.951865] type=1400 audit(1372258724.275:4): avc: denied { read } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951893] type=1400 audit(1372258724.275:5): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951897] type=1400 audit(1372258724.275:6): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269962+02:00 dhcp88 kernel: [ 6.077661] type=1400 audit(1372258724.401:7): avc: denied { write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.107837] type=1400 audit(1372258724.431:8): avc: denied { read write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.111853] type=1400 audit(1372258724.435:9): avc: denied { read } for pid=194 comm="systemd-journal" name="urandom" dev="devtmpfs" ino=1678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.137986] type=1400 audit(1372258724.461:10): avc: denied { read } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.139799] type=1400 audit(1372258724.461:11): avc: denied { write } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
    2013-06-26T16:58:47.269968+02:00 dhcp88 kernel: [ 6.139818] type=1400 audit(1372258724.463:12): avc: denied { write } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

So at least /dev/null and /dev/kmsg are getting the default label for /dev files. This prevents journal from starting:

    systemd[1]: Starting Journal Service...
    systemd[1]: systemd-journald.service start request repeated too quickly, refusing to start.
    systemd[1]: systemd-journald.socket got notified about service death (failed permanently: yes)
    systemd[1]: systemd-journald.socket changed running -> failed
    systemd[1]: Unit systemd-journald.socket entered failed state.
    systemd[1]: Job systemd-journald.service/start finished, result=failed
    systemd[1]: Failed to start Journal Service.
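As an added example (not part of this bug report), the check below parses AVC denial lines like the ones quoted above and groups the denials on devtmpfs nodes that still carry the filesystem default type device_t, which is exactly the "accessed before relabel" symptom this bug describes. The sample log is constructed from lines quoted in the report with timestamps trimmed; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the AVC denials quoted in this bug report
# (timestamps and hostnames dropped; the last line is not an AVC message at all).
SAMPLE_LOG = """\
kernel: [ 5.796749] type=1400 audit(1372258724.120:3): avc: denied { read } for pid=192 comm="systemd-tmpfile" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: [ 5.951893] type=1400 audit(1372258724.275:5): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: [ 6.107837] type=1400 audit(1372258724.431:8): avc: denied { read write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: [ 6.111853] type=1400 audit(1372258724.435:9): avc: denied { read } for pid=194 comm="systemd-journal" name="urandom" dev="devtmpfs" ino=1678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: [ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate } for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531 scontext=system_u:object_r:xconsole_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
systemd[1]: Failed to start Journal Service.
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+(?:path|name)="(?P<obj>[^"]*)")?'   # path= for open fds, name= otherwise
    r'(?:\s+dev="(?P<dev>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Type field (user:role:TYPE:range) of an SELinux security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(line):
    """Parse one kernel/audit line into a dict; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # "{ read write }" -> ["read", "write"]
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec

def default_labeled_devices(log_text, default_type="device_t", fs="devtmpfs"):
    """Group denials on device nodes that still carry the filesystem default type.

    Returns {object: {(source_type, permission), ...}}: each entry is a device that
    some domain touched before it received its proper label (the bug's symptom).
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["dev"] != fs or rec["ttype"] != default_type:
            continue
        if rec["tclass"] not in ("chr_file", "blk_file"):
            continue  # e.g. the tclass=filesystem 'associate' denial is a different problem
        for perm in rec["perms"]:
            hits[rec["obj"]].add((rec["stype"], perm))
    return dict(hits)

if __name__ == "__main__":
    for obj, who in sorted(default_labeled_devices(SAMPLE_LOG).items()):
        print(obj, sorted(who))
```

Feed it `journalctl -k` or /var/log/audit/audit.log from a boot in permissive mode and an empty result means every device node was labelled before anything opened it.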
https://bugzilla.novell.com/show_bug.cgi?id=811368#c14

--- Comment #14 from Vitezslav Cizek <vcizek@suse.com> 2013-10-02 11:17:13 CEST ---

This issue is still present in 13.1 Beta 1.
https://bugzilla.novell.com/show_bug.cgi?id=811368#c15

Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed          |Added
  AssignedTo       |jslaby@suse.com  |mmarek@suse.com

--- Comment #15 from Frederic Crozat <fcrozat@suse.com> 2013-10-03 17:04:38 UTC ---

I've reproduced the issue but I'm still a newbie on SELinux.

Looking at the policy for udev, it seems to be missing some stuff:
- /usr/lib/udev/rules.d/* isn't labelled at all as udev rules (well, same issue on Fedora 19). Only stuff in /etc/udev/rules.d is. I don't know if it is wanted or not.

The following devices are not created by udev nor systemd but by one of the mkinitrd scripts, and since udev only relabels devices when they are created, it might explain why they have an incorrect label on startup:

    mknod -m 0666 /dev/tty c 5 0
    mknod -m 0600 /dev/console c 5 1
    mknod -m 0666 /dev/ptmx c 5 2
    mknod -m 0666 /dev/null c 1 3
    mknod -m 0600 /dev/kmsg c 1 11
    mknod -m 0660 /dev/snapshot c 10 231
    mknod -m 0666 /dev/random c 1 8
    mknod -m 0644 /dev/urandom c 1 9

After comparing boot with dracut, I found the issue: loading the selinux policy shouldn't be done in mkinitrd itself (when booting with systemd) but left to systemd, which will take care of loading the selinux policy at startup (before udev and journald are started) and will relabel /dev and /run.

I'd suggest disabling the selinux_load_policy "/root" line in /lib/mkinitrd/scripts/boot-boot.sh when systemd has been detected as the init system (if you want to keep compatibility with the old sysvinit; otherwise, just remove the entire selinux stuff from mkinitrd).

Once it is done, labelling of /dev and /run will work fine (tested on a VM).

Reassigning to mkinitrd maintainer.
http://bugzilla.novell.com/show_bug.cgi?id=811368

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed   |Added
  CC               |          |coolo@suse.com

--- Comment #16 from Stephan Kulow <coolo@suse.com> ---

Is this bug fixed or not? It's been a year...
http://bugzilla.novell.com/show_bug.cgi?id=811368

Michal Marek <mmarek@suse.com> changed:

           What    |Removed    |Added
  Status           |CONFIRMED  |RESOLVED
  Resolution       |---        |WONTFIX

--- Comment #17 from Michal Marek <mmarek@suse.com> ---

We dropped mkinitrd in favor of dracut.