Bug 398839 - system fails to boot with selinux-base-policy-2.20110726-r11 in enforcing mode
Summary: system fails to boot with selinux-base-policy-2.20110726-r11 in enforcing mode
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Duplicates: 400987
Depends on:
Blocks:
Reported: 2012-01-14 03:33 UTC by Stan Sander
Modified: 2012-03-31 12:58 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Stan Sander 2012-01-14 03:33:38 UTC
Did world updates today and also moved to selinux-base-policy-2.20110726-r11 from hardened-dev overlay.  The subsequent boot of the system hung because of a failure to start sysfs and udev.  I did do an rlpkg -ar before attempting to reboot.  After trying a couple of things including rolling back to an older kernel without success, I put selinux in permissive mode and the system proceeded to boot normally.  Here is what I have been able to extract from logs thus far:

mkdir: cannot create directory `/sys/fs/cgroup/cpuset': Permission denied
mount: mount point /sys/fs/cgroup/cpuset does not exist
mkdir: cannot create directory `/sys/fs/cgroup/cpu': Permission denied
mount: mount point /sys/fs/cgroup/cpu does not exist
mkdir: cannot create directory `/sys/fs/cgroup/devices': Permission denied
mount: mount point /sys/fs/cgroup/devices does not exist
 * ERROR: sysfs failed to start
 * ERROR: cannot start udev as sysfs would not start

The next thing the system attempts is to start d-bus which hangs.

Jan 13 19:01:12 siren kernel: type=1400 audit(1326506450.366:3): avc:  denied  { read write } for  pid=617 comm="restorecon" name="console" dev=devtmpfs ino=1038 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:device_t tclass=chr_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.486:4): avc:  denied  { write } for  pid=871 comm="mount" name="/" dev=configfs ino=98 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:configfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:5): avc:  denied  { write } for  pid=878 comm="mkdir" name="/" dev=tmpfs ino=106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:6): avc:  denied  { add_name } for  pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:7): avc:  denied  { create } for  pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.586:8): avc:  denied  { search } for  pid=879 comm="mount" name="/" dev=cgroup ino=1275 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506457.126:9): avc:  denied  { associate } for  pid=897 comm="restorecon" name="shm" dev=devtmpfs ino=120 scontext=system_u:object_r:tmpfs_t tcontext=system_u:object_r:device_t tclass=filesystem
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506457.130:10): avc:  denied  { associate } for  pid=897 comm="restorecon" name="pts" dev=devtmpfs ino=119 scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t tclass=filesystem
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.286:11): avc:  denied  { module_request } for  pid=928 comm="rc" kmod="net-pf-10" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.713:12): avc:  denied  { relabelto } for  pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506458.746:13): avc:  denied  { write } for  pid=928 comm="udevd" name=".udev" dev=devtmpfs ino=125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506464.883:23): avc:  denied  { read } for  pid=931 comm="udevd" name="10" dev=devtmpfs ino=622 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506464.883:24): avc:  denied  { unlink } for  pid=1193 comm="udevd" name="10" dev=devtmpfs ino=622 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506465.566:25): avc:  denied  { setsched } for  pid=1283 comm="mount" scontext=system_u:system_r:mount_t tcontext=system_u:system_r:kernel_t tclass=process
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:26): avc:  denied  { write } for  pid=1313 comm="rm" name="console" dev=sda1 ino=1936394 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:27): avc:  denied  { remove_name } for  pid=1313 comm="rm" name="default8x16.psfu.gz" dev=sda1 ino=1936395 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.063:28): avc:  denied  { unlink } for  pid=1313 comm="rm" name="default8x16.psfu.gz" dev=sda1 ino=1936395 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.086:29): avc:  denied  { create } for  pid=1314 comm="mkdir" name=".test.1307" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.486:30): avc:  denied  { getattr } for  pid=1451 comm="fuser" path="socket:[1515]" dev=sockfs ino=1515 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.490:31): avc:  denied  { getattr } for  pid=1452 comm="fuser" path="socket:[1516]" dev=sockfs ino=1516 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506466.533:32): avc:  denied  { getattr } for  pid=1534 comm="fuser" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:debugfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.000:39): avc:  denied  { search } for  pid=1843 comm="klogd" name="src" dev=sda1 ino=464406 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.023:40): avc:  denied  { read } for  pid=1843 comm="klogd" name="linux" dev=sda1 ino=464552 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=lnk_file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:41): avc:  denied  { read } for  pid=1843 comm="klogd" name="System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:42): avc:  denied  { open } for  pid=1843 comm="klogd" name="System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:43): avc:  denied  { getattr } for  pid=1843 comm="klogd" path="/usr/src/linux-3.1.7-hardened/System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506472.236:44): avc:  denied  { read } for  pid=1855 comm="modprobe" path="/var/lib/ip6tables/rules-save" dev=sda1 ino=445955 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Jan 13 19:01:23 siren kernel: type=1400 audit(1326506483.700:45): avc:  denied  { accept } for  pid=2277 comm="slapd" path="/var/run/openldap/slapd.sock" scontext=system_u:system_r:slapd_t tcontext=system_u:system_r:slapd_t tclass=unix_stream_socket
Jan 13 19:01:24 siren kernel: type=1400 audit(1326506484.283:46): avc:  denied  { accept } for  pid=2277 comm="slapd" path="/var/run/openldap/slapd.sock" scontext=system_u:system_r:slapd_t tcontext=system_u:system_r:slapd_t tclass=unix_stream_socket
Jan 13 19:01:24 siren dbus[2291]: avc:  netlink poll: error 4 
Jan 13 19:01:24 siren kernel: type=1400 audit(1326506484.290:47): avc:  denied  { setrlimit } for  pid=2291 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process
Jan 13 19:01:24 siren dbus[2291]: avc:  netlink poll: error 4 
Jan 13 19:01:24 siren dbus[2291]: avc:  netlink poll: error 4
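As an added example (not part of the bug report or of Gentoo's policy tooling), a small triage script that parses AVC records in the dmesg format shown above, merges the denied permissions per source type, target type and object class the way audit2allow does, and renders candidate rules for a policy reviewer. The sample lines are constructed copies of four of the report's records plus the non-AVC dbus message, which the parser must skip.

```python
import re
from collections import defaultdict

# Constructed sample records in the format of the report's dmesg lines; the last line
# is the non-AVC dbus message that the parser must ignore.
SAMPLE_LOG = """\
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:5): avc:  denied  { write } for  pid=878 comm="mkdir" name="/" dev=tmpfs ino=106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:6): avc:  denied  { add_name } for  pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506456.570:7): avc:  denied  { create } for  pid=878 comm="mkdir" name="cpuset" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 13 19:01:12 siren kernel: type=1400 audit(1326506471.053:41): avc:  denied  { read } for  pid=1843 comm="klogd" name="System.map" dev=sda1 ino=558149 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:src_t tclass=file
Jan 13 19:01:24 siren dbus[2291]: avc:  netlink poll: error 4
"""

# "avc:  denied  { perm perm } for  key=value ..." -> the permission set and the key/value tail.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; only the type matters for a rule.
    return {
        'perms': set(m.group('perms').split()),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
    }

def summarize(log_text):
    """Merge denials per (source type, target type, object class), as audit2allow does
    before printing rules. Returns {key: (sorted perms, sorted commands seen)}."""
    perms, comms = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['source'], d['target'], d['tclass'])
        perms[key] |= d['perms']
        comms[key].add(d['comm'])
    return {k: (sorted(v), sorted(comms[k])) for k, v in perms.items()}

def allow_rules(summary):
    """Render each merged group as a candidate rule for a policy reviewer to judge."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), (p, _) in sorted(summary.items())]
```

Treat the output as a review list rather than a patch: the thread itself resolves the initrc_t/sysfs_t group through a policy interface (managing sysfs dirs) rather than a raw allow line, and a denial like klogd_t reading a file under /usr/src is as likely to call for a labeling or dontaudit decision as for new access.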
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-14 14:58:15 UTC
Are you running ~arch software?
Comment 2 Stan Sander 2012-01-14 17:34:10 UTC
Yes, everything is ~amd64 except for the hardened-dev overlay.  I think what is actually going on is something is different in openrc-0.9.8 which came down with the updates and now that has to be accounted for in the base policy.  On the other hand I saw several avc's about slapd being unable to accept() on its socket file, which I'm pretty sure is a new development.  Here is the list of updates that were emerged that I think might have any impact.  There were about 50 altogether and I can get the complete list if you want.  

openrc-0.9.8
selinux-dbus-2.20110726-r2
hardened-sources-3.1.7
selinux-base-policy-2.20110726-r11
coreutils-8.15
libdrm-2.4.30
util-linux-2.20.1-r1

Also I should mention that kernel mode setting of the console display did not function when selinux was enforcing.  However, I think this was a result of udev not starting.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-14 19:05:58 UTC
The sysfs stuff is probably due to openrc (as /etc/init.d/sysfs is provided by openrc). The new version probably has changes in its behavior and those still need to be accounted for in the policies.

I'm currently building up a server in ~arch completely so that I can reproduce and help fix, but that might take a while (first need to focus on failures with stable keywords ;-)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-15 16:43:28 UTC
ACK on the sysfs one, will be allowed in rev 12 (currently by allowing initrc_t to manage sysfs dirs, but in the future we might use named transitions first).

Will check dbus now.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-15 16:52:33 UTC
dbus works fine if sysfs is available.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 09:15:50 UTC
*** Bug 400987 has been marked as a duplicate of this bug. ***
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 17:04:46 UTC
Available in hardened-dev overlay
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-30 18:28:50 UTC
confirmed fix
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-23 18:24:56 UTC
in main tree, ~arch'ed
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2012-03-31 12:58:58 UTC
Stabilized