Bug 1263570 - Selinux prevents system from rebooting after update to new policy
Keywords:
Status: CLOSED DUPLICATE of bug 1224211
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F23FinalBlocker
Reported: 2015-09-16 08:27 UTC by Petr Schindler
Modified: 2015-09-28 07:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-28 07:51:36 UTC
Type: Bug
Embargoed:



Description Petr Schindler 2015-09-16 08:27:35 UTC
Description of problem:
Output of journalctl after I tried to reboot (with `reboot`):
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Registered Authentication Agent for unix-process:27011:578421 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service
                                                      exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Unregistered Authentication Agent for unix-process:27011:578421 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What I get:
# reboot
Failed to start reboot.target: Access denied

The same thing happens with poweroff.

I was able to reboot after I turned selinux off. After the reboot I haven't run into any problems. Everything seems to work after the reboot.

Version-Release number of selected component (if applicable):
selinux-policy{,-targeted}-3.13.1-147.fc23.noarch

How reproducible:
I tested with a virtual machine and a bare metal machine

Steps to Reproduce:
1. Do installation from RC1 Server DVD
2. Boot to system and update it (dnf update)

Actual results:
User will be unable to reboot without setting selinux to permissive

Expected results:


Additional info:
I propose this as final blocker (as it is in updates-testing and probably won't get to beta) as it violates the alpha criterion: It must be possible to trigger a clean system shutdown using standard console commands.

Comment 1 Miroslav Grepl 2015-09-17 09:14:20 UTC
Petr,
can you really confirm that you get this AVC with

selinux-policy{,-targeted}-3.13.1-147.fc23.noarch

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t power_unit_file_t:service start;

Comment 2 Kamil Páral 2015-09-17 12:03:03 UTC
The same problem occurs on F22 with selinux-policy-3.13.1-128.13.fc22. Until reboot, systemctl can't be used (*any* command). After reboot, everything is fine. Offline updates are not affected, just live dnf updates.

Comment 3 Thomas Schneider 2015-09-17 20:38:43 UTC
I believe that I suffered from the same bug yesterday, and so did several users in #fedora. It seems that the fix is as simple as `systemctl daemon-reexec`; however, I do not know enough about SELinux to tell whether this is really sufficient, why it is even necessary, etc. A reboot, of course including a restart of systemd, also works.
#1261747 appears to be the very same problem.

Comment 4 Miroslav Grepl 2015-09-21 07:26:08 UTC
You are correct,

`systemctl daemon-reexec`

is needed. The problem is with a policy update which is not paired with a systemd update. There are backported policy changes which also require a systemd reload to make SELinux+systemd work correctly.
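
Added example (not part of the bug report and not Fedora or SELinux project code): a small Python parser for the USER_AVC record quoted in the description. It renders the denial as the allow rule shown in Comment 1 and flags denials that systemd itself (PID 1) issued for class `service`, the case this thread resolves with `systemctl daemon-reexec`. The sample record is reconstructed from the journal output above, and the function names are hypothetical.

```python
import re

# Constructed sample: the USER_AVC record from the bug description, including
# the journal's wrapped continuation line.
SAMPLE = (
    "Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='avc:  denied  { start } for auid=0 uid=0 gid=0 "
    'path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service\n"
    "                                                      "
    'exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\''
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_user_avc(record):
    """Return a dict for one USER_AVC denial, or None if the text is not one."""
    if "USER_AVC" not in record:
        return None
    header, _, msg = record.partition("msg='")
    m = AVC_RE.search(" ".join(msg.split()))  # collapse the journal line wrap
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # pid in the record header identifies the userspace object manager
    fields["emitter_pid"] = dict(KV_RE.findall(header)).get("pid")
    return fields

def as_allow_rule(avc):
    """Render the denial as a TE rule; the type is the third field of a context."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm_txt};"

def denied_by_systemd(avc):
    """True when systemd (PID 1) itself refused a unit operation (tclass=service)."""
    return (avc["emitter_pid"] == "1" and avc["tclass"] == "service"
            and avc.get("exe", "").endswith("/systemd"))

if __name__ == "__main__":
    avc = parse_user_avc(SAMPLE)
    print(as_allow_rule(avc), "| issued by systemd:", denied_by_systemd(avc))
```

When the rendered rule is one the installed policy already allows, as Comment 1 reports for this record, and the denial was issued by PID 1, the situation matches the one described in this thread.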

Comment 5 Adam Williamson 2015-09-23 15:13:35 UTC
Discussed at 2015-09-22 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-22/f23-blocker-review.2015-09-22-16.00.html . We agreed that there is not sufficient data to determine whether this is a release blocking issue.

The release blocker process mainly relates to the packages on the frozen release media - the live images, Server DVD and so on. Is there any circumstance in which this bug would cause a problem if some version of selinux-policy were on the frozen media, or is it an issue that can only happen when doing a package update, and that could thus always be fixed with an update? Thanks!

Comment 6 François Kooman 2015-09-28 07:51:36 UTC

*** This bug has been marked as a duplicate of bug 1224211 ***

