Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 583659 - SELinux context wrong after using preugprade
Summary: SELinux context wrong after using preugprade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F13Blocker, F13FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2010-04-19 10:51 UTC by Kamil Páral
Modified: 2010-04-28 03:07 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-6.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-28 03:07:39 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
system logs (deleted)
2010-04-19 10:51 UTC, Kamil Páral
no flags Details

Description Kamil Páral 2010-04-19 10:51:26 UTC
Created attachment 407546 [details]
system logs

Description of problem:
Used preugprade from F12 to F13 Branched. After re-booting NFS statd and HAL fail to start. Xorg fails to start. Fully updated from updates-testing, rebooted. statd and HAL still fail to start, but at least Xorg works now. NetworkManager doesn't want to connect to network.

After inspecting logs it seems like SELinux issue. When booted with enforcing=0 kernel option, all services start up fine, everything works.

While updating packages with preupgrade there must have been some problem with SELinux and it is now blocking many services and programs.

All logs attached.

Version-Release number of selected component (if applicable):
libselinux-2.0.90-5.fc13.x86_64
libselinux-python-2.0.90-5.fc13.x86_64
libselinux-utils-2.0.90-5.fc13.x86_64
selinux-policy-3.7.15-4.fc13.noarch
selinux-policy-targeted-3.7.15-4.fc13.noarch

How reproducible:
did preugprade from F12 to F13 twice, happened everytime

Additional info:
This could be the same issue as reported in bug 505772.

Also please note that for verifying this issue the fix must be committed to stable F13 repository, not F13 updates-testing. Because preupgrade does not download packages from updates-testing.

I have no experience with using SELinux, but I can provide more information if you tell me how.

Comment 1 Daniel Walsh 2010-04-19 15:08:46 UTC
selinux-policy-3.7.19-2.fc13.noarch is already a candidate and fixes most of the avc's reported.

The troublesome ones are the fontconfig.

Comment 2 Kamil Páral 2010-04-19 16:17:03 UTC
Will updating to the newer version of selinux automatically fix the problems, or are there some manual steps required afterwards (re-labeling files with correct context and whatnot?).

Comment 3 Daniel Walsh 2010-04-20 13:25:09 UTC
It should fix most if not all the problems.  Relabeling should happen automatically.  If you still have problems after update, please open bugs.

I would likt to get 19-2 into the iso so we could test the upgrade path though.

Comment 4 Kamil Páral 2010-04-20 14:04:23 UTC
selinux-policy-3.7.19-2.fc13.noarch seems to solve all my problems. We would really prefer if this could get into stable f13 repo before preupgrade test day:
https://fedoraproject.org/wiki/Test_Day:2010-04-29_Preupgrade

Comment 5 Daniel Walsh 2010-04-20 14:26:40 UTC
Increase its kama.

Comment 6 Adam Williamson 2010-04-23 19:40:27 UTC
Discussed at the blocker review meeting today, we agree this is a blocker and will try to put feedback in Bodhi soon.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 7 Fedora Update System 2010-04-26 19:52:12 UTC
selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

Comment 8 Fedora Update System 2010-04-27 05:49:25 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

Comment 9 Kamil Páral 2010-04-27 09:12:32 UTC
I have updated to selinux-policy-3.7.19-6.fc13 and I see this avc denial in /var/log/messages after bootup:

Apr 27 05:08:17 localhost kernel: type=1400 audit(1272359290.665:4): avc:  denied  { mmap_zero } for  pid=420 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

There is not denial in /var/log/audit/audit.log though.

Comment 10 Daniel Walsh 2010-04-27 13:01:02 UTC
It happens before auditd is started, This bug has been reported against vbetool in the past.

Comment 11 Kamil Páral 2010-04-27 13:42:45 UTC
Daniel, I can't find you on any IRC channel. Does this mean that selinux-policy-3.7.19-6.fc13 should get -1 karma from me? Do you have bug number for that vbetool bug?

Comment 12 Fedora Update System 2010-04-28 03:06:50 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.