Mailinglist Archive: opensuse-bugs (2746 mails)

[Bug 811368] Incorrect SELinux labels in /dev causes systemd to loop

https://bugzilla.novell.com/show_bug.cgi?id=811368

https://bugzilla.novell.com/show_bug.cgi?id=811368#c13


Vitezslav Cizek <vcizek@xxxxxxxx> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
InfoProvider|vcizek@xxxxxxxx |

--- Comment #13 from Vitezslav Cizek <vcizek@xxxxxxxx> 2013-06-26 11:23:59 CEST
---
(In reply to comment #12)
> I do not see what you report, I can boot the system normally.
>
> I see login running as kernel_t, this looks like you didn't relabel the system.
> Our kernel defaults to AppArmor, so SELinux isn't enabled.
> Thus the policy can't relabel the filesystem upon install.
> You should restart the system, run restorecon -R / and then reboot again to
> a correctly labeled system.
>
> You can check the guide at: https://en.opensuse.org/SDB:SELinux
>
> There are two other failures here though:
> [ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate }
> for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531
> scontext=system_u:object_r:xconsole_device_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem
> [ 13.577555] type=1400 audit(1371493952.566:4): avc: denied { transition }
> for pid=1821 comm="login" path="/bin/bash" dev="sda1" ino=535765
> scontext=system_u:system_r:kernel_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>
> Are you running an up-to-date system? What kernel version do you have?

Factory updated last week, kernel-desktop-3.10.rc4-1.1.x86_64

Currently, the system isn't stuck in a loop, I can get to the login prompt,
but I keep getting:

2013-06-26T16:58:47.260230+02:00 dhcp88 kernel: [ 5.796749] type=1400
audit(1372258724.120:3): avc: denied { read } for pid=192
comm="systemd-tmpfile" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
2013-06-26T16:58:47.260264+02:00 dhcp88 kernel: [ 5.951865] type=1400
audit(1372258724.275:4): avc: denied { read } for pid=194
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951893] type=1400
audit(1372258724.275:5): avc: denied { write } for pid=194
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.260265+02:00 dhcp88 kernel: [ 5.951897] type=1400
audit(1372258724.275:6): avc: denied { write } for pid=194
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269962+02:00 dhcp88 kernel: [ 6.077661] type=1400
audit(1372258724.401:7): avc: denied { write } for pid=194
comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.107837] type=1400
audit(1372258724.431:8): avc: denied { read write } for pid=194
comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269963+02:00 dhcp88 kernel: [ 6.111853] type=1400
audit(1372258724.435:9): avc: denied { read } for pid=194
comm="systemd-journal" name="urandom" dev="devtmpfs" ino=1678
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.137986] type=1400
audit(1372258724.461:10): avc: denied { read } for pid=203
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269965+02:00 dhcp88 kernel: [ 6.139799] type=1400
audit(1372258724.461:11): avc: denied { write } for pid=203
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
2013-06-26T16:58:47.269968+02:00 dhcp88 kernel: [ 6.139818] type=1400
audit(1372258724.463:12): avc: denied { write } for pid=203
comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file

So at least /dev/null and /dev/kmsg are getting the default label for /dev
files.

This prevents journal from starting:

systemd[1]: Starting Journal Service...
systemd[1]: systemd-journald.service start request repeated too quickly,
refusing to start.
systemd[1]: systemd-journald.socket got notified about service death (failed
permanently: yes)
systemd[1]: systemd-journald.socket changed running -> failed
systemd[1]: Unit systemd-journald.socket entered failed state.
systemd[1]: Job systemd-journald.service/start finished, result=failed
systemd[1]: Failed to start Journal Service.

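The diagnosis in the comment above (device nodes on devtmpfs still carrying the generic device_t type) can be pulled out of the AVC records mechanically. The following is an added example, not part of the original mail or of any openSUSE tooling: the function name `unlabeled_dev_nodes` is hypothetical, the sample records are the thread's own log lines unwrapped to one per line, and it assumes a bare `name=` entry on devtmpfs sits directly under /dev.

```python
import re
from collections import defaultdict

# AVC records taken from the log excerpts in this thread, unwrapped to one record per line.
SAMPLE_LOG = """\
[ 3.605820] type=1400 audit(1371493942.594:3): avc: denied { associate } for pid=369 comm="restorecon" name="xconsole" dev="devtmpfs" ino=6531 scontext=system_u:object_r:xconsole_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 13.577555] type=1400 audit(1371493952.566:4): avc: denied { transition } for pid=1821 comm="login" path="/bin/bash" dev="sda1" ino=535765 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 5.796749] type=1400 audit(1372258724.120:3): avc: denied { read } for pid=192 comm="systemd-tmpfile" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 5.951893] type=1400 audit(1372258724.275:5): avc: denied { write } for pid=194 comm="systemd-journal" path="/dev/null" dev="devtmpfs" ino=1673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 6.107837] type=1400 audit(1372258724.431:8): avc: denied { read write } for pid=194 comm="systemd-journal" name="kmsg" dev="devtmpfs" ino=1679 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 6.111853] type=1400 audit(1372258724.435:9): avc: denied { read } for pid=194 comm="systemd-journal" name="urandom" dev="devtmpfs" ino=1678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"\s+'
    r'(?:path|name)="(?P<obj>[^"]+)"\s+dev="(?P<dev>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def unlabeled_dev_nodes(log_text):
    """Map each devtmpfs device node still typed device_t to the domains and
    permissions that were denied on it."""
    hits = defaultdict(lambda: {"domains": set(), "perms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        target = m["tcon"].split(":")   # user:role:type:level
        source = m["scon"].split(":")
        if len(target) < 3 or len(source) < 3:
            continue
        # Only device nodes count; the tclass=filesystem "associate" denial
        # names the filesystem's own label, not a mislabeled node.
        if (m["dev"] != "devtmpfs" or target[2] != "device_t"
                or m["tclass"] not in ("chr_file", "blk_file")):
            continue
        # Assumption: a bare name= on devtmpfs is a node directly under /dev.
        node = m["obj"] if m["obj"].startswith("/") else "/dev/" + m["obj"]
        hits[node]["domains"].add(source[2])
        hits[node]["perms"].update(m["perms"].split())
    return dict(hits)

if __name__ == "__main__":
    for node, info in sorted(unlabeled_dev_nodes(SAMPLE_LOG).items()):
        print(node, sorted(info["domains"]), sorted(info["perms"]))
```
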
