[Bug 811368] New: Incorrect SELinux labels in /dev causes systemd to loop
https://bugzilla.novell.com/show_bug.cgi?id=811368
https://bugzilla.novell.com/show_bug.cgi?id=811368#c0

Summary: Incorrect SELinux labels in /dev causes systemd to loop
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Milestone 0
Platform: Other
OS/Version: Other
Status: ASSIGNED
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: vcizek@suse.com
ReportedBy: vcizek@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Systemd won't start on a Factory machine with SELinux mls policy in enforcing mode. Corresponding AVC messages show:

2013-03-22T12:54:24.500000+01:00 dhcp88 kernel: [ 7.036863] type=1400 audit(1363953261.042:3): avc: denied { read } for pid=191 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1787 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
2013-03-22T12:54:24.500057+01:00 dhcp88 kernel: [ 7.243186] type=1400 audit(1363953261.250:8): avc: denied { write } for pid=196 comm="systemd-sysctl" name="kmsg" dev="devtmpfs" ino=1793 scontext=system_u:system_r:systemd_sysctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
The above messages indicate that /dev/null and /dev/kmsg are both labeled as device_t, which is the default for files in /dev. However, looking at the files' labels (when booting in SELinux permissive mode):
# ls -1Z /dev/null /dev/kmsg
system_u:object_r:kmsg_device_t:s15:c0.c1023 /dev/kmsg
system_u:object_r:null_device_t:s0 /dev/null

The devices are labeled with incorrect (default) types when running in mls policy in enforcing mode. It looks like systemd-journal accesses these devices before udev relabels them. Note: this occurs for other devices too, e.g. ttys.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
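As an added example (not part of the bug report), a small parser for the AVC denial format quoted above that flags device nodes on devtmpfs which were denied while still carrying the generic device_t type, i.e. the symptom this report describes. The sample log lines are constructed after the report's own, with one unrelated denial added as a control.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report's AVC lines (kernel prefix abridged);
# the third line is an unrelated denial that must not be flagged.
SAMPLE_LOG = """\
kernel: [ 7.036863] type=1400 audit(1363953261.042:3): avc: denied { read } for pid=191 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1787 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
kernel: [ 7.243186] type=1400 audit(1363953261.250:8): avc: denied { write } for pid=196 comm="systemd-sysctl" name="kmsg" dev="devtmpfs" ino=1793 scontext=system_u:system_r:systemd_sysctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file
kernel: [ 9.000000] type=1400 audit(1363953263.000:9): avc: denied { read } for pid=300 comm="someproc" path="/etc/shadow" dev="sda1" ino=42 scontext=system_u:system_r:someproc_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# "avc: denied { perms } for key=value key="value" ..." as printed by the kernel.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC fields of one log line as a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def mislabeled_devices(log_text, generic_type="device_t"):
    """Map device nodes still labeled with the generic /dev type to the (comm, domain) pairs denied on them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        # Only device nodes on devtmpfs whose target type is the default for /dev.
        if not rec or rec.get("dev") != "devtmpfs":
            continue
        if rec.get("tclass") not in ("chr_file", "blk_file"):
            continue
        if context_type(rec["tcontext"]) != generic_type:
            continue
        node = rec.get("path") or rec.get("name")
        hits[node].add((rec.get("comm", "?"), context_type(rec["scontext"])))
    return dict(hits)


if __name__ == "__main__":
    for node, accessors in sorted(mislabeled_devices(SAMPLE_LOG).items()):
        print(node, "still labeled device_t; denied for", sorted(accessors))
```

Nodes reported this way are the ones restorecon would have to relabel; a real run would feed the function the kernel log instead of SAMPLE_LOG.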
Vitezslav Cizek
Frederic Crozat
--- Comment #3 from Robert Milasan
Robert Milasan
--- Comment #4 from Frederic Crozat
Seems to be already fixed in upstream systemd, commit: 9a8ae49d91ae303c4f7c87f9c56fba3e8d646af7
https://bugs.freedesktop.org/show_bug.cgi?id=62615
Will try to backport the patch if needed and will give you the possibility to test, but in Factory anyway we will upgrade to the latest version of systemd, which has this already fixed.
But maybe for 12.3 it would be needed.
I don't think it is this bug, because the breakage was introduced after the systemd release in 12.3 (v195) and we didn't backport the change which caused the bug to appear.
--- Comment #5 from Vitezslav Cizek
--- Comment #6 from Frederic Crozat
I can confirm that I haven't met this bug on 12.3.
Then we have an issue, because no relevant changes were made in systemd / udev since 12.3.
--- Comment #7 from Robert Milasan
Robert Milasan
Vitezslav Cizek
Robert Milasan
Jiri Slaby
Jiri Slaby
Jiri, would you mind taking a look at the issue?
SELinux seems to be completely broken for Factory... Where do you get the policy from?
Vitezslav Cizek
Jiri Slaby
Vitezslav Cizek
I do not see what you report, I can boot the system normally.
I see login running as kernel_t, this looks like you didn't relabel the system. Our kernel defaults to AppArmor, so SELinux isn't enabled. Thus the policy can't relabel the filesystem upon install. You should restart the system, run restorecon -R / and then reboot again to get a correctly labeled system. You can check the guide at: https://en.opensuse.org/SDB:SELinux
There are two other failures here though:

[ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate } for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531 scontext=system_u:object_r:xconsole_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 13.577555] type=1400 audit(1371493952.566:4): avc: denied { transition } for pid=1821 comm="login" path="/bin/bash" dev="sda1" ino=535765 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Are you running an up-to-date system? What kernel version do you have?
Factory updated last week, kernel-desktop-3.10.rc4-1.1.x86_64. Currently the system isn't stuck in a loop, I can get to the login prompt, but I keep getting:

2013-06-26T16:58:47.260230+02:00 dhcp88 kernel: [ 5.796749] type=1400 audit(1372258724.120:3): avc: denied { read } for pid=192 comm="systemd-tmpfile" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.260264+02:00 dhcp88 kernel: [ 5.951865] type=1400 audit(1372258724.275:4): avc: denied { read } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951893] type=1400 audit(1372258724.275:5): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951897] type=1400 audit(1372258724.275:6): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269962+02:00 dhcp88 kernel: [ 6.077661] type=1400 audit(1372258724.401:7): avc: denied { write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.107837] type=1400 audit(1372258724.431:8): avc: denied { read write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.111853] type=1400 audit(1372258724.435:9): avc: denied { read } for pid=194 comm="systemd-journal" name="urandom" dev="devtmpfs" ino=1678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.137986] type=1400 audit(1372258724.461:10): avc: denied { read } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.139799] type=1400 audit(1372258724.461:11): avc: denied { write } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.269968+02:00 dhcp88 kernel: [ 6.139818] type=1400 audit(1372258724.463:12): avc: denied { write } for pid=203 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

So at least /dev/null and /dev/kmsg are getting the default label for /dev files. This prevents journal from starting:

systemd[1]: Starting Journal Service...
systemd[1]: systemd-journald.service start request repeated too quickly, refusing to start.
systemd[1]: systemd-journald.socket got notified about service death (failed permanently: yes)
systemd[1]: systemd-journald.socket changed running -> failed
systemd[1]: Unit systemd-journald.socket entered failed state.
systemd[1]: Job systemd-journald.service/start finished, result=failed
systemd[1]: Failed to start Journal Service.
--- Comment #14 from Vitezslav Cizek
Frederic Crozat
Stephan Kulow
Michal Marek