RHEL-73601

RHEL 9.5 fails to boot with SELinux MLS policy in enforced mode

    • Type: Bug
    • Resolution: Unresolved
    • rhel-9.5
    • selinux-policy
    • rhel-sst-security-selinux
    • ssg_security
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      Fresh install of minimal server, add selinux-policy-mls package, and in /etc/selinux/config:

      SELINUX=enforcing

      SELINUXTYPE=MLS

      What is the impact of this issue to you?

      Can't run a system in MLS enforced mode. Not acceptable for any production build of an MLS requirement.

      Please provide the package NVR for which the bug is seen:

      Linux localhost 5.14.0-503.21.1.el9_5.aarch64 #1 SMP PREEMPT_DYNAMIC Thu Dec 19 15:17:12 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Download RHEL 9.5 ISO
      2. Perform minimal server install with all defaults for storage configuration
      3. Modify selinux config file as shown and reboot

      Expected results

      Command prompt to login.

      Actual results

      Emergency mode boot.

       

      Added SELinux policy files to address denials, but still not working.

      [root@localhost rpmrh95]# semodule -l | grep rh95
      cronrh95
      firewallrh95
      initrh95
      nmrh95
      rpmrh95
      setroubleshootrh95
      sshrh95
      staffrh95
      surh95
      sysadmrh95
      syslogrh95
      systemdrh95
      udevrh95
      userrh95

       

      [  OK  ] Reached target Switch Root.
               Starting Switch Root...
      [    2.837927] systemd-journald[198]: Received SIGTERM from PID 1 (systemd).
      [    2.871569] audit: type=1404 audit(1736547862.930:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
      [    2.908535] SELinux:  policy capability network_peer_controls=1
      [    2.909512] SELinux:  policy capability open_perms=1
      [    2.910375] SELinux:  policy capability extended_socket_class=1
      [    2.911313] SELinux:  policy capability always_check_network=0
      [    2.912218] SELinux:  policy capability cgroup_seclabel=1
      [    2.913066] SELinux:  policy capability nnp_nosuid_transition=1
      [    2.913963] SELinux:  policy capability genfs_seclabel_symlinks=1
      [    3.035535] audit: type=1403 audit(1736547863.100:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
      [    3.037997] systemd[1]: Successfully loaded SELinux policy in 166.577ms.
      [    3.058953] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 10.989ms.
      [    3.061735] systemd[1]: systemd 252-46.el9_5.2 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
      [    3.066975] systemd[1]: Detected virtualization qemu.
      [    3.067715] systemd[1]: Detected architecture arm64.

      Welcome to Red Hat Enterprise Linux 9.5 (Plow)!

      [    3.177762] systemd-rc-local-generator[529]: /etc/rc.d/rc.local is not marked executable, skipping.
      [    3.298171] systemd[1]: initrd-switch-root.service: Deactivated successfully.
      [    3.299358] systemd[1]: Stopped Switch Root.
      [  OK  ] Stopped Switch Root.
      [    3.301096] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1.
      [    3.302589] systemd[1]: Created slice Slice /system/getty.
      [  OK  ] Created slice Slice /system/getty.
      [    3.304528] systemd[1]: Created slice Slice /system/modprobe.
      [  OK  ] Created slice Slice /system/modprobe.
      [    3.306754] systemd[1]: Created slice Slice /system/serial-getty.
      [  OK  ] Created slice Slice /system/serial-getty.
      [    3.308867] systemd[1]: Created slice Slice /system/sshd-keygen.
      [  OK  ] Created slice Slice /system/sshd-keygen.
      [    3.310882] systemd[1]: Created slice Slice /system/systemd-fsck.
      [  OK  ] Created slice Slice /system/systemd-fsck.
      [    3.312826] systemd[1]: Created slice User and Session Slice.
      [  OK  ] Created slice User and Session Slice.
      [    3.314688] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
      [  OK  ] Started Dispatch Password Requests to Console Directory Watch.
      [    3.317341] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
      [  OK  ] Started Forward Password Requests to Wall Directory Watch.
      [    3.319857] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
      [  OK  ] Set up automount Arbitrary Executa...ormats File System Automount Point.
      [    3.322640] systemd[1]: Reached target Local Encrypted Volumes.
      [  OK  ] Reached target Local Encrypted Volumes.
      [    3.324341] systemd[1]: Stopped target Switch Root.
      [  OK  ] Stopped target Switch Root.
      [    3.326139] systemd[1]: Stopped target Initrd File Systems.
      [  OK  ] Stopped target Initrd File Systems.
      [    3.327853] systemd[1]: Stopped target Initrd Root File System.
      [  OK  ] Stopped target Initrd Root File System.
      [    3.329683] systemd[1]: Reached target Local Integrity Protected Volumes.
      [  OK  ] Reached target Local Integrity Protected Volumes.
      [    3.331490] systemd[1]: Reached target Path Units.
      [  OK  ] Reached target Path Units.
      [    3.332905] systemd[1]: Reached target Remote File Systems.
      [  OK  ] Reached target Remote File Systems.
      [    3.334564] systemd[1]: Reached target Slice Units.
      [  OK  ] Reached target Slice Units.
      [    3.336214] systemd[1]: Reached target Local Verity Protected Volumes.
      [  OK  ] Reached target Local Verity Protected Volumes.
      [    3.338345] systemd[1]: Listening on Device-mapper event daemon FIFOs.
      [  OK  ] Listening on Device-mapper event daemon FIFOs.
      [    3.340718] systemd[1]: Listening on LVM2 poll daemon socket.
      [  OK  ] Listening on LVM2 poll daemon socket.
      [    3.342984] systemd[1]: Listening on Process Core Dump Socket.
      [  OK  ] Listening on Process Core Dump Socket.
      [    3.344670] systemd[1]: Listening on initctl Compatibility Named Pipe.
      [  OK  ] Listening on initctl Compatibility Named Pipe.
      [    3.347746] systemd[1]: Listening on udev Control Socket.
      [  OK  ] Listening on udev Control Socket.
      [    3.352755] systemd[1]: Listening on udev Kernel Socket.
      [  OK  ] Listening on udev Kernel Socket.
      [    3.355178] systemd[1]: Activating swap /dev/mapper/rhel-swap...
               Activating swap /dev/mapper/rhel-swap...
      [    3.357596] systemd[1]: Mounting Huge Pages File System...
               Mounting Huge Pages File System...
      [    3.359866] systemd[1]: Mounting POSIX Message Queue File System...
               Mounting POSIX Message Queue File System...
      [    3.362939] systemd[1]: Mounting Kernel Debug File System...
               Mounting Kernel Debug File System...
      [    3.366713] systemd[1]: Mounting Kernel Trace File System...
               Mounting Kernel Trace File System...
      [    3.368664] Adding 8241148k swap on /dev/mapper/rhel-swap.  Priority:-2 extents:1 across:8241148k
      [    3.369194] systemd[1]: Starting Create List of Static Device Nodes...
               Starting Create List of Static Device Nodes...
      [    3.373762] systemd[1]: Starting Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling...
               Starting Monitoring of LVM2 mirror...ing dmeventd or progress polling...
      [    3.377183] systemd[1]: Starting Load Kernel Module configfs...
               Starting Load Kernel Module configfs...
      [    3.379378] systemd[1]: Starting Load Kernel Module drm...
               Starting Load Kernel Module drm...
      [    3.383095] systemd[1]: Starting Load Kernel Module fuse...
               Starting Load Kernel Module fuse...
      [    3.392459] fuse: init (API version 7.36)
      [    3.394518] systemd[1]: Starting Read and set NIS domainname from /etc/sysconfig/network...
               Starting Read and set NIS domainname from /etc/sysconfig/network...
      [    3.397531] systemd[1]: systemd-fsck-root.service: Deactivated successfully.
      [    3.398644] systemd[1]: Stopped File System Check on Root Device.
      [  OK  ] Stopped File System Check on Root Device.
      [    3.401195] systemd[1]: Stopped Journal Service.
      [  OK  ] Stopped Journal Service.
      [    3.402188] ACPI: bus type drm_connector registered
      [    3.406180] systemd[1]: Starting Journal Service...
               Starting Journal Service...
      [    3.409632] systemd[1]: Load Kernel Modules was skipped because no trigger condition checks were met.
      [    3.411596] systemd[1]: Starting Generate network units from Kernel command line...
               Starting Generate network units from Kernel command line...
      [    3.414762] systemd[1]: TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
      [    3.418552] systemd[1]: Starting Remount Root and Kernel File Systems...
               Starting Remount Root and Kernel File Systems...
      [    3.421741] systemd[1]: Repartition Root Disk was skipped because no trigger condition checks were met.
      [    3.425047] systemd[1]: Starting Apply Kernel Variables...
               Starting Apply Kernel Variables...
      [    3.428492] systemd[1]: Starting Coldplug All udev Devices...
               Starting Coldplug All udev Devices...
      [    3.432641] systemd[1]: Activated swap /dev/mapper/rhel-swap.
      [  OK  ] Activated swap /dev/mapper/rhel-swap.
      [    3.434874] systemd[1]: Started Journal Service.
      [  OK  ] Started Journal Service.
      [  OK  ] Mounted Huge Pages File System.
      [  OK  ] Mounted POSIX Message Queue File System.
      [  OK  ] Mounted Kernel Debug File System.
      [  OK  ] Mounted Kernel Trace File System.
      [  OK  ] Finished Create List of Static Device Nodes.
      [  OK  ] Finished Load Kernel Module configfs.
      [  OK  ] Finished Load Kernel Module drm.
      [  OK  ] Finished Load Kernel Module fuse.
      [  OK  ] Finished Read and set NIS domainname from /etc/sysconfig/network.
      [  OK  ] Finished Generate network units from Kernel command line.
      [  OK  ] Finished Remount Root and Kernel File Systems.
      [  OK  ] Finished Apply Kernel Variables.
      [  OK  ] Reached target Swaps.

               Mounting FUSE Control File System...
      [    3.458996] audit: type=1400 audit(1736547863.520:4): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/autofs" dev="devtmpfs" ino=85 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file permissive=0
      [    3.462810] audit: type=1400 audit(1736547863.520:5): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/001" dev="devtmpfs" ino=100 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.462815] audit: type=1400 audit(1736547863.520:6): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/002" dev="devtmpfs" ino=122 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.462818] audit: type=1400 audit(1736547863.520:7): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/003" dev="devtmpfs" ino=207 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.462820] audit: type=1400 audit(1736547863.520:8): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/004" dev="devtmpfs" ino=289 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.462823] audit: type=1400 audit(1736547863.520:9): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/005" dev="devtmpfs" ino=292 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.462825] audit: type=1400 audit(1736547863.520:10): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/006" dev="devtmpfs" ino=330 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
      [    3.470643] scsi 0:0:0:0: CD-ROM            QEMU     QEMU CD-ROM      2.5+ PQ: 0 ANSI: 5
               Mounting Kernel Configuration File System...
               Starting Flush Journal to Persistent Storage...
               Starting Load/Save OS Random Seed...
               Starting Create Static Device Nodes in /dev...
      [  OK  ] Finished Coldplug All udev Devices.
      [    3.500307] systemd-journald[550]: Received client request to flush runtime journal.
      [  OK  ] Mounted FUSE Control File System.
      [  OK  ] Mounted Kernel Configuration File System.
      [  OK  ] Finished Flush Journal to Persistent Storage.
      [  OK  ] Finished Load/Save OS Random Seed.
      [  OK  ] Finished Create Static Device Nodes in /dev.
               Starting Rule-based Manager for Device Events and Files...
      [  OK  ] Started Rule-based Manager for Device Events and Files.
               Starting Load Kernel Module configfs...
      [  OK  ] Finished Load Kernel Module configfs.
      [    3.550100] scsi 0:0:0:0: Attached scsi generic sg0 type 5
      [  OK  ] Finished Monitoring of LVM2 mirror...using dmeventd or progress polling.
      [  OK  ] Reached target Preparation for Local File Systems.
               Mounting /boot...
               Starting File System Check on /dev/disk/by-uuid/1FAA-93E4...
      [    3.588145] XFS (vda2): Mounting V5 Filesystem d82e4dfc-b9f5-4560-a418-42296131367f
      [  OK  ] Finished File System Check on /dev/disk/by-uuid/1FAA-93E4.
      [    3.614452] XFS (vda2): Ending clean mount
      [  OK  ] Mounted /boot.
               Mounting /boot/efi...
      [  OK  ] Mounted /boot/efi.
      [ TIME ] Timed out waiting for device /dev/mapper/rhel-home.
      [DEPEND] Dependency failed for /home.
      [DEPEND] Dependency failed for Local File Systems.
      [DEPEND] Dependency failed for Mark the need to relabel after reboot.
      [  OK  ] Stopped Dispatch Password Requests to Console Directory Watch.
      [  OK  ] Stopped Forward Password Requests to Wall Directory Watch.
      [  OK  ] Reached target Timer Units.
      [  OK  ] Reached target Preparation for Network.

      [  OK  ] Reached target Login Prompts.
      [  OK  ] Reached target Network.
      [  OK  ] Reached target Network is Online.
      [  OK  ] Reached target User and Group Name Lookups.
      [  OK  ] Reached target Socket Units.
      [  OK  ] Started Emergency Shell.
      [  OK  ] Reached target Emergency Mode.
               Starting Automatic Boot Loader Update...
               Starting Create Volatile Files and Directories...
      [  OK  ] Finished Automatic Boot Loader Update.
      [  OK  ] Finished Create Volatile Files and Directories.
               Starting Security Auditing Service...
      [  OK  ] Started Security Auditing Service.
               Starting Record System Boot/Shutdown in UTMP...
      [  OK  ] Finished Record System Boot/Shutdown in UTMP.
               Starting Record Runlevel Change in UTMP...
      [  OK  ] Finished Record Runlevel Change in UTMP.
      You are in emergency mode. After logging in, type "journalctl -xb" to view
      system logs, "systemctl reboot" to reboot, "systemctl default" or "exit"
      to boot into default mode.
      Give root password for maintenance
      (or press Control-D to continue): 
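The denials above are all of the same shape (lvm_t asking for getattr on device nodes labelled autofs_device_t or usb_device_t), and the report says extra policy modules were written against them. The following script is an added triage example, not part of the bug report and not the reporter's *rh95.te modules or anything shipped in selinux-policy: it parses kernel AVC records, collapses repeats into one entry per (source type, target type, class), keeps the MLS ranges so an MLS-versus-type-enforcement question can be answered at a glance, and renders the corresponding allow rules in loadable-module source form. The sample input is constructed from three of the report's own AVC lines rejoined onto single lines plus one unrelated kernel line; the module name lvmrh95 is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC lines quoted in the report, rejoined onto single
# lines (the console wrapped them at 80 columns), plus one non-AVC kernel line.
SAMPLE_LOG = """\
[    3.458996] audit: type=1400 audit(1736547863.520:4): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/autofs" dev="devtmpfs" ino=85 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file permissive=0
[    3.462810] audit: type=1400 audit(1736547863.520:5): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/001" dev="devtmpfs" ino=100 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
[    3.462815] audit: type=1400 audit(1736547863.520:6): avc:  denied  { getattr } for  pid=545 comm="lvm" path="/dev/bus/usb/001/002" dev="devtmpfs" ino=122 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
[    3.470643] scsi 0:0:0:0: CD-ROM            QEMU     QEMU CD-ROM      2.5+ PQ: 0 ANSI: 5
"""

# Kernel AVC shape: 'avc:  denied  { perm perm } for  key=value key="quoted" ...'
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type:range; the MLS range itself can contain ':' (s0-s15:c0.c1023)."""
    user, role, typ, *level = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "range": ":".join(level)}


def parse_avc(line):
    """Return a dict for one AVC record, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }


def summarize(log_text):
    """Collapse repeated denials into one entry per (source type, target type, class)."""
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set(),
                                   "comms": set(), "mls": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        e = summary[(rec["source"]["type"], rec["target"]["type"], rec["tclass"])]
        e["count"] += 1
        e["perms"].update(rec["perms"])
        e["paths"].add(rec["path"])
        e["comms"].add(rec["comm"])
        # Source range vs. target level: tells MLS constraint failures from TE gaps.
        e["mls"].add((rec["source"]["range"], rec["target"]["range"]))
    return dict(summary)


def allow_rules(summary):
    """One allow rule per unique denial, in policy source syntax."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
            for (src, tgt, cls), e in sorted(summary.items())]


def te_module(name, summary):
    """Wrap the rules in a minimal loadable-module source (module / require / allow)."""
    types = sorted({t for (src, tgt, _) in summary for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), e in summary.items():
        classes[cls].update(e["perms"])
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    body += ["}", ""] + allow_rules(summary)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (src, tgt, cls), e in sorted(s.items()):
        print(f"{e['count']:>3}x {src} -> {tgt}:{cls} {sorted(e['perms'])} "
              f"comm={sorted(e['comms'])} mls={sorted(e['mls'])}")
    print(te_module("lvmrh95", s))  # hypothetical module name
```

For the report's lines the mls field shows the source range s0-s15:c0.c1023 against a target level of s0, so lvm_t dominates the device nodes and getattr is not being refused on MLS level grounds; the gap is in type-enforcement rules. The generated allow rules are the starting point for reviewing that gap against the upstream policy, not a drop-in fix: the report itself notes that the reporter's added modules did not get the system past emergency mode, and the decisive failure in the log is the timeout on /dev/mapper/rhel-home.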

        1. cronrh95.te (0.4 kB, Simon Mijolovic)
        2. firewallrh95.te (0.4 kB, Simon Mijolovic)
        3. initrh95.te (1 kB, Simon Mijolovic)
        4. nmrh95.te (0.7 kB, Simon Mijolovic)
        5. rpmrh95.te (0.5 kB, Simon Mijolovic)
        6. setroubleshootrh95.te (0.4 kB, Simon Mijolovic)
        7. sshrh95.te (0.4 kB, Simon Mijolovic)
        8. staffrh95.te (7 kB, Simon Mijolovic)
        9. surh95.te (0.4 kB, Simon Mijolovic)
        10. sysadmrh95.te (0.4 kB, Simon Mijolovic)
        11. syslogrh95.te (0.3 kB, Simon Mijolovic)
        12. systemdrh95.te (0.7 kB, Simon Mijolovic)
        13. udevrh95.te (0.4 kB, Simon Mijolovic)
        14. userrh95.te (0.4 kB, Simon Mijolovic)

              Zdenek Pytela (rhn-support-zpytela)
              Simon Mijolovic (simon.mijolovic@gmail.com)
              Zdenek Pytela
              SSG Security QE
              Votes: 0
              Watchers: 6