F13->F14 upgrade + relabel = logins hosed: entrypoint access denied

Daniel J Walsh dwalsh at redhat.com
Wed Jun 1 13:27:44 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2011 05:17 PM, Dave Mitchell wrote:
> I just tried to upgrade a F13 system to F14 using preupgrade.
> It seemed to go well, but I was getting a lot of AVC denials for NM
> and polkitd, and NM wasn't working properly. So I tried a 'touch
> /.autorelabel' and reboot.  It seemed to work, but now I can't login. Any
> login attempt (via gdm or F2 console) immediately logs me back out again.
> 
> /var/log/messages shows, for a console login as root:
> 
> SELinux is preventing /bin/login from entrypoint access on the file /bin/bash
> 
> and for a GUI-based login:
> 
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/bin/gnome-keyring/daemon
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /etc/X11/xinit/Xsession
> 
> I can boot single user okay.
> 
> I ran 'fixfiles restore' to relabel again and rebooted, and it made no
> difference.
> 
> By comparing with a similar but un-upgraded (ie F13) working host, I
> found that the following are the same on both hosts:
> 
> # ls -lZ /bin/login
> -rwxr-xr-x. root root system_u:object_r:login_exec_t:s0 /bin/login
> 
> # ls -lZ /bin/bash
> -rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
> 
> Policy is the same apart from changes in ethereal and spamd:
> 
> # sesearch --allow --neverallow --auditallow --dontaudit --type \
>     --role_allow --role_trans --range_trans \
>     | sort | egrep -v'ethereal|spam[cd]'
> 
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
> 
> While the two systems give the following:
> 
> # rpm -q selinux-policy
> selinux-policy-3.7.19-101.fc13.noarch # F13 host
> selinux-policy-3.9.7-40.fc14.noarch   # F14 borked host
> 
> At this point I've exhausted my meager understanding of selinux.
> 
> Any suggestions?
> Thanks.
> 
It is an upgrade bug.

https://bugzilla.redhat.com/show_bug.cgi?id=702865#c13

explains how to fix it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3mPk8ACgkQrlYvE4MpobOiIQCggCBOdDhAJSfF6VQcNHBV/jK9
t/0An3HukI2lrdRG9F1BRec1X2+tVw4t
=vF+e
-----END PGP SIGNATURE-----

More information about the users mailing list