Bug 1355861

Summary: 20160712 Workstation Rawhide nightly fails to boot in enforcing mode, boots in permissive
Product: [Fedora] Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Status: CLOSED RAWHIDE
Severity: urgent
Priority: urgent
Reporter: Adam Williamson <awilliam>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, renault, robatino
Type: Bug
Last Closed: 2016-07-15 22:58:09 UTC
Bug Blocks: 1277284
Attachments (description, flags):
sealert -a /var/log/audit/audit.log output on 20160711 (flags: none)
sealert -a /var/log/audit/audit.log output on 20160712 (flags: none)
journalctl -b | grep -i avc | grep den output on 20160711 (flags: none)
journalctl -b | grep -i avc | grep den output on 20160712 (flags: none)

Description Adam Williamson 2016-07-12 18:27:48 UTC
Today's Rawhide Workstation nightly live:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160712.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160712.n.0.iso

does not boot in enforcing mode, it gets stuck in a loop during GNOME init. It boots fine in permissive mode.

The previous day's nightly:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160711.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160711.n.0.iso

boots OK in enforcing mode. A new selinux-policy landed in 20160712.n.0 - selinux-policy-3.13.1-201.fc25 - so this is the obvious suspect.

Booting both images in permissive mode seems to produce the same five AVCs:

SELinux is preventing (-localed) from mounton access on the directory /dev.
SELinux is preventing accounts-daemon from write access on the directory root.
SELinux is preventing accounts-daemon from add_name access on the directory .cache.
SELinux is preventing accounts-daemon from create access on the directory .cache.
SELinux is preventing gdbus from write access on the fifo_file /run/systemd/inhibit/1.ref.

according to 'sealert -a /var/log/audit/audit.log' as root. However, looking at the journal - 'journalctl -b | grep -i avc | grep den' - shows one on 20160712 that is not apparent on 20160711:

Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system

that does not appear in 20160711.

Proposing as an F25 Alpha blocker: violates "All release-blocking images must boot in their supported configurations" for the Workstation live, which is a release-blocking image.
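
Added example (not part of the original report and not Fedora tooling): the boot-to-boot comparison described above, done by reducing each denial to (source type, target type, class, permission) so that timestamps and PIDs do not hide which denial is new in the failing boot. The function names are hypothetical, and the accounts-daemon lines, including their contexts, are constructed sample data; only the USER_AVC line is the one quoted in the report.

```python
import re

# Matches kernel AVC and userspace USER_AVC denial records in journal text.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def se_type(context):
    """Type field of user:role:type:level; the whole string if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denial_keys(journal_text):
    """Set of (source type, target type, class, permission), one per denied permission."""
    keys = set()
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                keys.add((se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], perm))
    return keys

def new_denials(good_boot, bad_boot):
    """Denials present in the failing boot but absent from the working one."""
    return sorted(denial_keys(bad_boot) - denial_keys(good_boot))

# Constructed sample: a denial common to both boots whose timestamp and PIDs
# differ, so a plain text diff would flag it. Its contexts are assumed values.
COMMON = ('Jul %d 18:2%d:01 localhost audit[%d]: AVC avc:  denied  { write add_name } for  '
          'pid=%d comm="accounts-daemon" name="root" scontext=system_u:system_r:accountsd_t:s0 '
          'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1\n')
BOOT_20160711 = COMMON % (11, 1, 801, 801)
# The USER_AVC line is the one quoted in the report (truncated there after tclass=system).
BOOT_20160712 = COMMON % (12, 3, 774, 774) + (
    "Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for "
    'auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" '
    "scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system\n")

if __name__ == "__main__":
    for stype, ttype, tclass, perm in new_denials(BOOT_20160711, BOOT_20160712):
        print(f"new denial: {stype} -> {ttype} : {tclass} {{ {perm} }}")
```

On a real system the two inputs would be the saved `journalctl -b` output from each boot, as in the attachments to this bug.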

Comment 1 Adam Williamson 2016-07-12 18:29:38 UTC
Created attachment 1178971
sealert -a /var/log/audit/audit.log output on 20160711

Comment 2 Adam Williamson 2016-07-12 18:29:56 UTC
Created attachment 1178972
sealert -a /var/log/audit/audit.log output on 20160712

Comment 3 Adam Williamson 2016-07-12 18:30:22 UTC
Created attachment 1178973
journalctl -b | grep -i avc | grep den output on 20160711

Comment 4 Adam Williamson 2016-07-12 18:30:39 UTC
Created attachment 1178974
journalctl -b | grep -i avc | grep den output on 20160712

Comment 5 Lukas Vrabec 2016-07-13 06:42:42 UTC
I probably see the issue here. I will fix this ASAP.

Comment 6 Lukas Vrabec 2016-07-13 08:46:42 UTC
I built the selinux-policy-3.13.1-202.fc25 SELinux policy package. This should fix the issue.

Comment 7 Adam Williamson 2016-07-13 15:57:00 UTC
Thanks. We didn't get a nightly today because of https://fedorahosted.org/rel-eng/ticket/6442 , I'll be able to confirm the fix (or not) when that's resolved.

Comment 8 Couret Charles-Antoine 2016-07-15 21:55:50 UTC
The update doesn't fix the issue for me.
Many services couldn't be started and the boot failed. With selinux=0 in the command line to boot, no problem.

Comment 9 Adam Williamson 2016-07-15 22:58:09 UTC
It does fix nightly live image boots, though. The last couple of days of Workstation nightly lives have booted OK.

Comment 10 Couret Charles-Antoine 2016-07-18 07:14:52 UTC
It's fixed for me after manual relabelling.
Thanks.