With selinux set to enforcing, my system-upgrade to 25 failed to start, resulting in a reboot loop. I fished the following out of journalctl:
Nov 25 09:51:55 thinkpenguin.email-scan.com audit[1]: AVC avc: denied { open } for pid=1 comm="systemd" path="/var/lib/dnf/system-upgrade/.dnf-system-upgrade" dev="dm-1" ino=1181602 scontext=system_u:system_r:init_t:s0
I had to drop to an emergency shell, and set selinux to permissive, in order for the upgrade to do its thing.
Wondering if all upgrades with selinux enabled are broken, or just something with this particular laptop. This doesn't look like a system-specific failure to me, but if all upgrades with enforcing selinux blow up like this, I would've expected a lot of noise in here, by now… More details in bug 1398696.
On 25 November 2016 at 16:08, Sam Varshavchik mrsam@courier-mta.com wrote:
> With selinux set to enforcing, my system-upgrade to 25 failed to start, resulting in a reboot loop. I fished the following out of journalctl:
> Nov 25 09:51:55 thinkpenguin.email-scan.com audit[1]: AVC avc: denied { open } for pid=1 comm="systemd" path="/var/lib/dnf/system-upgrade/.dnf-system-upgrade" dev="dm-1" ino=1181602 scontext=system_u:system_r:init_t:s0
> I had to drop to an emergency shell, and set selinux to permissive, in order for the upgrade to do its thing.
> Wondering if all upgrades with selinux enabled are broken, or just something with this particular laptop. This doesn't look like a system-specific failure to me, but if all upgrades with enforcing selinux blow up like this, I would've expected a lot of noise in here, by now… More details in bug 1398696.
For what it's worth, my systems are always Enforcing... two laptops upgraded (one in beta and one in RC) with no problem, and a headless server at release with no problem.
There must be something off with your setup somehow.
On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
> Wondering if all upgrades with selinux enabled are broken, or just something with this particular laptop. This doesn't look like a system-specific failure to me, but if all upgrades with enforcing selinux blow up like this, I would've expected a lot of noise in here, by now… More details in bug 1398696.
My system has been enforcing for at least the last 5 versions (possibly more), and I had no problem with this.
poc
Patrick O'Callaghan writes:
> On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
>> Wondering if all upgrades with selinux enabled are broken, or just something with this particular laptop. This doesn't look like a system-specific failure to me, but if all upgrades with enforcing selinux blow up like this, I would've expected a lot of noise in here, by now… More details in bug 1398696.
> My system has been enforcing for at least the last 5 versions (possibly more), and I had no problem with this.
What output do you get from:
ls -alZd /var/lib/dnf/system-upgrade
On the one with the problem I get:
drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov 25 10:31 /var/lib/dnf/system-upgrade
Now, another one of my laptops shows:
drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184 Nov 23 16:09 system-upgrade
However that laptop was already running in permissive mode. Still, according to rpm:
file /var/lib/dnf/system-upgrade is not owned by any package
After rmdir-ing and mkdir-ing /var/lib/dnf/system-upgrade its selinux context is changed to unconfined_u:object_r:rpm_var_lib_t:s0, so I think that's where the problem was. Unclear how the former selinux context was what it was.
On 11/25/2016 01:28 PM, Sam Varshavchik wrote:
> Patrick O'Callaghan writes:
>> On Fri, 2016-11-25 at 11:08 -0500, Sam Varshavchik wrote:
>>> Wondering if all upgrades with selinux enabled are broken, or just something with this particular laptop. This doesn't look like a system-specific failure to me, but if all upgrades with enforcing selinux blow up like this, I would've expected a lot of noise in here, by now… More details in bug 1398696.
>> My system has been enforcing for at least the last 5 versions (possibly more), and I had no problem with this.
> What output do you get from:
> ls -alZd /var/lib/dnf/system-upgrade
> On the one with the problem I get:
> drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov 25 10:31 /var/lib/dnf/system-upgrade
user_tmp_t means that it was created by a user process in a /tmp or /var/tmp and then mv'd to /var/lib/dnf.
> Now, another one of my laptops shows:
> drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184 Nov 23 16:09 system-upgrade
> However that laptop was already running in permissive mode. Still, according to rpm:
> file /var/lib/dnf/system-upgrade is not owned by any package
> After rmdir-ing and mkdir-ing /var/lib/dnf/system-upgrade its selinux context is changed to unconfined_u:object_r:rpm_var_lib_t:s0, so I think that's where the problem was. Unclear how the former selinux context was what it was.
Just running restorecon -R -v /var/lib/dnf would have fixed the problem.
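A small pre-reboot triage script, added here as an example and not from anyone in the thread: it pulls the denied path and the source context out of the journalctl AVC line, pulls the type out of the ls -alZd output, and flags the user_tmp_t mislabel the thread settles on. The function names are mine; the sample lines are the ones quoted in the thread, and rpm_var_lib_t is taken as the expected type because that is what the recreated directory got.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the two artefacts the thread
# compares (an AVC denial and an `ls -alZd` line) and reports a label mismatch.

# Value of KEY in an audit AVC line; handles both quoted (path="...") and
# bare (scontext=...) values.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# SELinux type (third colon-separated part of user:role:type:level) from
# field 5 of an `ls -alZd` line.
ls_z_type() {
    printf '%s\n' "$1" | awk '{ split($5, c, ":"); t = c[3]; print t }'
}

# Compare the directory's type with the expected one; exit status 0 on match,
# 1 on mismatch, with the fix the thread ends on printed as the hint.
triage_upgrade_dir() {
    expected="$1"
    denied_path=$(avc_field path "$2")
    actual=$(ls_z_type "$3")
    if [ "$actual" = "$expected" ]; then
        echo "OK: parent of $denied_path is labelled $actual"
        return 0
    fi
    echo "MISMATCH: $denied_path sits under a ${actual:-unknown} directory, expected $expected"
    echo "hint: restorecon -R -v /var/lib/dnf"
    return 1
}

# Sample input, copied from the lines quoted in the thread (constructed test data here).
SAMPLE_AVC='Nov 25 09:51:55 thinkpenguin.email-scan.com audit[1]: AVC avc: denied { open } for pid=1 comm="systemd" path="/var/lib/dnf/system-upgrade/.dnf-system-upgrade" dev="dm-1" ino=1181602 scontext=system_u:system_r:init_t:s0'
SAMPLE_BAD_LS='drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 233472 Nov 25 10:31 /var/lib/dnf/system-upgrade'
SAMPLE_GOOD_LS='drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_lib_t:s0 221184 Nov 23 16:09 /var/lib/dnf/system-upgrade'

# Demo on the thread's own lines. On a real box, substitute
# "$(ls -alZd /var/lib/dnf/system-upgrade)" for $SAMPLE_BAD_LS before rebooting
# into the upgrade.
triage_upgrade_dir rpm_var_lib_t "$SAMPLE_AVC" "$SAMPLE_BAD_LS" || true
```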