Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1692903 - Disabled SELinux && --norootpass produces unbootable images
Summary: Disabled SELinux && --norootpass produces unbootable images
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-arm-installer
Version: 29
Hardware: aarch64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Whalen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-26 16:34 UTC by Jan Kratochvil
Modified: 2019-03-26 20:01 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-26 18:03:25 UTC


Attachments (Terms of Use)
journalctl from SELINUX=enabled image created on SELINUX=disabled host (deleted)
2019-03-26 16:34 UTC, Jan Kratochvil
no flags Details

Description Jan Kratochvil 2019-03-26 16:34:00 UTC
Created attachment 1548154 [details]
journalctl from SELINUX=enabled image created on SELINUX=disabled host

Description of problem:
I was struggling to create a simple bootable image for Raspberry Pi 3B+:
  Raspberry Pi 3B+ fails to boot aarch64 image
  https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org/thread/TAQQM2BQTPHVEDAL5N4PLWVIZDADUK5H/
I have finally found why.

Version-Release number of selected component (if applicable):
arm-image-installer-2.10-1.fc29.noarch

How reproducible:
Always.

Steps to Reproduce:
echo >/etc/sysconfig/selinux SELINUX=disabled
reboot
fedora-arm-image-installer --image=...
Boot Raspberry Pi 3B+ with the image.

Actual results:
        https://www.jankratochvil.net/t/rpi3fail.jpg
        [FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
        ...
        [FAILED] Failed to start Modem Manager

Expected results:
Booted system.

Additional info:
The fix is to mount the image and set SELINUX=disabled also in the image.
It then boots for me with "3" into a text login prompt.
The default graphical boot still does not work but that is some different problem.

Comment 1 Peter Robinson 2019-03-26 16:37:07 UTC
Why are you disabling SELinux? At worst you should be putting it in permissive mode. Also no sure what this has to do with arm-image-installer

Comment 2 Jan Kratochvil 2019-03-26 16:48:12 UTC
(In reply to Peter Robinson from comment #1)
> Why are you disabling SELinux?

That is offtopic for this Bug.  Fedora does have such option.

> At worst you should be putting it in permissive mode.

That is offtopic for this Bug.  Fedora does have such option.

> Also no sure what this has to do with arm-image-installer

Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug instead of arm-image-installer for example just printing a fatal error:
  Building images on host with disabled SELinux is not supported.

I see now there are --selinux=off and --relabel options but I had no idea the failing Raspberry boots are due to SELinux.

(Only after realizing the failing boot records its messages to the USB drive itself which can be investigated afterwards, it looks simple but I did not realize it before.)

Comment 3 Peter Robinson 2019-03-26 16:52:21 UTC
(In reply to Jan Kratochvil from comment #2)
> (In reply to Peter Robinson from comment #1)
> > Why are you disabling SELinux?
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > At worst you should be putting it in permissive mode.
> 
> That is offtopic for this Bug.  Fedora does have such option.
> 
> > Also no sure what this has to do with arm-image-installer

Arguably you disabling SELinux and reporting the problem is "offtopic for this package" so it is completely relevant for this bug to ascertain whether the bug is actually in this package. Please do not be rude.

> Because one spends 10 hours and 52 minutes troubleshooting a mysterious bug
> instead of arm-image-installer for example just printing a fatal error:
>   Building images on host with disabled SELinux is not supported.
> 
> I see now there are --selinux=off and --relabel options but I had no idea
> the failing Raspberry boots are due to SELinux.

I believe SELinux is completely unrelated to the problem and that this has nothing to do what so ever with arm-image-installer

> (Only after realizing the failing boot records its messages to the USB drive
> itself which can be investigated afterwards, it looks simple but I did not
> realize it before.)

Comment 4 Jan Kratochvil 2019-03-26 17:06:05 UTC
(In reply to Peter Robinson from comment #3)
> I believe SELinux is completely unrelated to the problem and that this has
> nothing to do what so ever with arm-image-installer

This Bug is fixable on my host system configuration by:
  echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

If this is not the proper fix you as the package owner should suggest a better one. But this fix does work for me.

Comment 5 Peter Robinson 2019-03-26 17:13:38 UTC
> This Bug is fixable on my host system configuration by:
>   echo >/tmp/root/etc/sysconfig/selinux SELINUX=disabled

Disabling SELinux is not a fix, it's a work around.

> If this is not the proper fix you as the package owner should suggest a
> better one. But this fix does work for me.

You need to describe the problem you are seeing that you believe this issue fixes when booting the image. You need state exactly which image you are using, the full file name would provide the details.

Comment 6 Jan Kratochvil 2019-03-26 17:35:52 UTC
The problem I was seeing before my proposed fix is described in Comment 0.
It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+ from my Fedora 29 x86_64 host.

(In reply to Peter Robinson from comment #5)
> Disabling SELinux is not a fix, it's a work around.

As long as normal Fedora supports SELINUX=disabled (which AFAIK it does) fedora-arm-image-installer should also support creating ARM images with SELINUX=disabled.

Currently fedora-arm-image-installer creating SELINUX=enabled image on SELINUX=disabled host will quietly create an unbootable image.  That is this Bug.

fedora-arm-image-installer should either exit with error in such case or fix up the image somehow - maybe automatically enable --relabel? I haven't tried that.

Comment 7 Paul Whalen 2019-03-26 18:03:25 UTC
(In reply to Jan Kratochvil from comment #6)
> The problem I was seeing before my proposed fix is described in Comment 0.
> It fixed for me booting from Fedora-Workstation-29-1.2.aarch64.raw.xz and
> from Fedora-Workstation-30-20190316.n.1.aarch64.raw.xz on Raspberry Pi 3B+
> from my Fedora 29 x86_64 host.
> 
> (In reply to Peter Robinson from comment #5)
> > Disabling SELinux is not a fix, it's a work around.
> 
> As long as normal Fedora supports SELINUX=disabled (which AFAIK it does)
> fedora-arm-image-installer should also support creating ARM images with
> SELINUX=disabled.

The arm-image-installer writes out the arm images and makes some small tweaks
to the media. It is not a true 'installer'. 

> 
> Currently fedora-arm-image-installer creating SELINUX=enabled image on
> SELINUX=disabled host will quietly create an unbootable image.  That is this
> Bug.

It will write what ever image you give it, there is no guarantee it will boot
on your hardware. If you do run into bugs, please file it on the appropriate
package. 

> 
> fedora-arm-image-installer should either exit with error in such case or fix
> up the image somehow - maybe automatically enable --relabel? I haven't tried
> that.

On the Fedora 30 aarch64 Workstation image, there is a gnome-shell crash on the
rpi3. It is unrelated to this package.

Comment 8 Jan Kratochvil 2019-03-26 18:32:36 UTC
(In reply to Paul Whalen from comment #7)
> The arm-image-installer writes out the arm images and makes some small tweaks
> to the media. It is not a true 'installer'.

If it is not an installer rename it to arm-image-tweaker.  But that still would not solve its bugs.


> It will write what ever image you give it, there is no guarantee it will boot
> on your hardware. If you do run into bugs, please file it on the appropriate
> package. 

The bug is in fedora-arm-installer because --norootpass modifies image's /etc/passwd corrupting its SELinux context.


I sure disagree with closing this Bug but next people facing this Bug can at least google out this bugreport how to fix it.

Comment 9 Paul Whalen 2019-03-26 18:43:17 UTC
(In reply to Jan Kratochvil from comment #8)
> (In reply to Paul Whalen from comment #7)
> > The arm-image-installer writes out the arm images and makes some small tweaks
> > to the media. It is not a true 'installer'.
> 
> If it is not an installer rename it to arm-image-tweaker.  But that still
> would not solve its bugs.

I am happy to fix the bugs you encounter, but the description thus far has been of 
issues outside the script. 

> 
> 
> > It will write what ever image you give it, there is no guarantee it will boot
> > on your hardware. If you do run into bugs, please file it on the appropriate
> > package. 
> 
> The bug is in fedora-arm-installer because --norootpass modifies image's
> /etc/passwd corrupting its SELinux context.

This is the first you mentioned using that option in this bug. Indeed that would
be an issue with the installer. I can look at that. 

> 
> I sure disagree with closing this Bug but next people facing this Bug can at
> least google out this bugreport how to fix it.

In the future it would be helpful for you to include all relevant information in
the bug- the command and image used at a minimum.

Comment 10 Jan Kratochvil 2019-03-26 20:01:02 UTC
(In reply to Paul Whalen from comment #9)
> In the future it would be helpful for you to include all relevant
> information in the bug- the command and image used at a minimum.

OK, sorry, only later I realized it is due to --norootpass which I have always used.
Originally I expected any usage of fedora-arm-image-installer from SELINUX=disabled host does reproduce this problem.

fedora-arm-image-installer --image=Fedora-Workstation-30-20190315.n.0.aarch64.raw.xz --media=/dev/sda --resizefs --target=rpi3 --norootpass


Note You need to log in before you can comment on or make changes to this bug.