help with Kernel panic after update

Bob Kashani bobk at ocf.berkeley.edu
Wed Jun 15 04:49:10 UTC 2005 

On Tue, 2005-06-14 at 22:10 -0400, Steven Knight wrote:
> Help!
> 
> Yesterday afternoon, my home FC3 system took a power hit (not
> unusual, unfortunately).  Nothing seemed particularly amiss, it
> came back up on its own (while I was still at work) and I reconnected
> and used it for several hours without noticing anything unsual.
> This is probably unrelated to what follows, but I mention it just
> in case it's not.
> 
> Upon arriving home, I logged back in on my desktop and noticed my
> Red Hat update icon on the top taskbar was red and pulsing.  I went
> ahead and su'ed up and fired up "yum update".  It asked for permission
> to update about 17 packages (I noticed GAIM on the list, but otherwise
> didn't pay much attention), but being used to reliable updates before,
> I went ahead and installed all of them without a second thought.
> 
> First sign of trouble:  I could no longer ls, df, or do just about
> anything.  Error messages were complaining about "Permission denied"
> for /lib/tls/libc.so.6 (and possibly other libraries), even when I
> tried to do anything from my su shell.
> 
> Figuring (naively) that I had some kind of package version skew, I
> (naively) tried rebooting to see if that would clear things up.
> Bad, hasty decision:  I now get an immediate kernel panic as follows
> (modulo typos from transcribing the information by hand):
> 
>     Uncompressing Linux... Ok, booting the kernel.
>     ACPI: BIOS age (1999) fails cutoff (2001, acpi=force is required to enable ACPI
>     audit(1118711202.065:0): initialized
>     Red Hat nash version 4.1.18 starting
>     audit(1118711209.899:0): avc:  denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hdd2 ino=528350 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:filet tcall=file
>     /sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
>     Kernel panic - not syncing: Attempted to kill init!
> 
> After poking around, I figured out that this permission error was
> connected to selinux. My guess is that selinux-policy-target might
> have been part of the updates I installed, but like I said,
> I wasn't paying attention.  (Note that I installed the selinux
> RPM(s) by default when I first installed FC, but I've never bothered
> to really understand or do anything with them, so don't presume
> any coherent administrative behavior on my part.)
> 
> Some additional searches pointed me to /sbin/fixfiles, and the idea
> that relabelling might be necessary.  So I tried booting up on
> Knoppix and mounting my filesystems in their usual configuration
> relative to each other.  I then chroot'ed to the root of my
> reconstructed file systems and ran "fixfiles relabel".  This seemed
> to relabel a bunch of stuff, but it wouldn't relabel anything on
> my root partition, claiming that was mounted read-only.  (It wasn't
> relative to Knoppix, so I think that's an artifact of chroot
> behavior.)
> 
> Interestingly enough, the /lib/tls/libc.so.6 file mentioned in the
> error message never showed up as a file that fixfiles tried to
> relabel.
> 
> I tried rebooting anyway with the same panic as above.
> 
> Since I'm not actually "doing anything" with selinux, I'd be fine
> with completely disabling it and/or removing it from my system, but
> I can't even figure out how to get to the point of being able to
> do that.  How can I either work the right magic to label the above
> file appropriate and/or get past this panic, or else just disable/remove
> selinux so I can get going again?

You can use the rescue disc...just download and burn the iso and boot
it. Then at the commandline type "chroot /mnt/sysimage". It should allow
you to get back into your system. Then just turn selinux off
in /etc/selinux/config and reboot.

http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/iso/FC3-i386-rescuecd.iso

Once you get back into your system try Colin's advice:

setsebool -P allow_execmod=true

Hope this helps. :)

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

More information about the fedora-selinux-list mailing list