In current Fedora 35 and Rawhide - this seems to have been the case since about Fedora-35-20210822.n.1, when selinux-policy-34.16-1.fc35 landed - when the gnome-initial-setup tool runs on first boot of a Workstation or Silverblue install, it takes several minutes to actually show the UI. Then, one of the pages is skipped; there should be an Online Accounts page before the user creation page, but it is not shown. Booting with enforcing=0, neither problem happens; g-i-s starts promptly, and the Online Accounts page is shown. These are the AVCs recorded during a boot with enforcing enabled:
Aug 24 14:21:46 fedora audit[727]: AVC avc: denied { create } for pid=727 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
Aug 24 14:23:48 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Aug 24 14:24:14 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Aug 24 14:24:14 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Aug 24 14:25:05 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
and we do see GOA-related errors around one of them:
Aug 24 14:24:14 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Aug 24 14:24:14 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Aug 24 14:24:23 fedora gnome-initial-s[1324]: Failed to get a GoaClient: Error calling StartServiceByName for org.gnome.OnlineAccounts: Timeout was reached
Aug 24 14:24:27 fedora systemd[1]: systemd-localed.service: Deactivated successfully.
We had a discussion about a blocker criterion which would cover this bug a few months back, but it never got finalized. So this can't really be a blocker for now, proposing as an FE instead (this is obviously bad enough to warrant an FE). I will resurrect the discussion about the criterion.
+3 in https://pagure.io/fedora-qa/blocker-review/issue/403 , marking accepted FE.
Zdenek, can you please prioritize this? It's an FE for now, but it's a really major issue we do not want to ship Beta with if at all possible, and we're discussing a criterion which would make it a blocker. Thanks!
OK, so we approved a criterion relevant to this recently, so I'm now proposing it as a blocker as a violation of that new criterion: "If a utility for creating user accounts and other configuration is configured to launch, it must be visible within 10 seconds of the first boot reaching the launch point" - https://fedoraproject.org/wiki/Basic_Release_Criteria#Expected_installed_system_boot_behavior
I wonder if there could be a common problem with this bug and bug 2001057 (f35 boots 3x slower).
It doesn't seem likely. You say selinux permissive doesn't help that one, right?
Tested with Fedora-Workstation-Live-x86_64-35-20210904.n.0.iso. The initial screen changes into "Oh no!" screen after ~50 seconds, and g-i-s finally appears after ~2m 30s. So most of the time it looks like a crashed desktop and it is unclear that it will recover.
Please look for USER_AVCs too:
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
and let us know if they appeared. If there are delays of 25 seconds, I would guess that some D-bus timeouts happened.
The first denial is tracked in bz#2001057. There are no additional data to debug, but the second one may be resolved with bz#1949712. If not, audit records with full auditing are required.
+3 blocker in https://pagure.io/fedora-qa/blocker-review/issue/403 , marking accepted. Zdenek, I can try to get more data tomorrow if needed, but today is a holiday so I won't be working after the meeting. It is an easy bug to reproduce: grab a 35 or Rawhide Workstation live - e.g. https://kojipkgs.fedoraproject.org/compose/branched/Fedora-35-20210906.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-35-20210906.n.0.iso - boot, install, and boot the installed system. You should see the bug right away.
That bug is still present on the 20210906 ISO UEFI install.
I ran openQA on the scratch build, the bugs are still there. Either the scratch build didn't make it into the built image for some reason, or it doesn't fix the problems. I'm downloading the ISO now so I can test it manually and see what's up.
This https://koji.fedoraproject.org/koji/taskinfo?taskID=75281469 really is just a scratchbuild. The actual builds still wait for CI to finish.
I have a mechanism in openQA that allows for testing scratch builds (they get pulled in via a side repository). It's possible there was some kind of dependency issue, though, since you only did a Rawhide scratch build, and I had to run the test on F35 (we can't run update tests on Rawhide currently).
Welp, I just booted the ISO and it did get selinux-policy-34.18-1.fc36.noarch . So the bug is still happening with that build. I'll run an install and grab the denials after booting...
These are the AVCs from the journal in enforcing mode:
Sep 07 13:54:11 fedora audit[563]: AVC avc: denied { watch } for pid=563 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Sep 07 13:54:11 fedora audit[577]: AVC avc: denied { watch } for pid=577 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Sep 07 13:54:11 fedora audit[583]: AVC avc: denied { watch } for pid=583 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Sep 07 13:54:11 fedora audit[584]: AVC avc: denied { watch } for pid=584 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Sep 07 13:54:11 fedora audit[585]: AVC avc: denied { watch } for pid=585 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Sep 07 13:54:17 fedora audit[1034]: AVC avc: denied { search } for pid=1034 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:17 fedora audit[1034]: AVC avc: denied { search } for pid=1034 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:17 fedora dbus-broker-launch[1007]: avc: denied { send_msg } for scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Sep 07 13:54:20 fedora audit[1291]: AVC avc: denied { search } for pid=1291 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:20 fedora audit[1291]: AVC avc: denied { search } for pid=1291 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:20 fedora dbus-broker-launch[1007]: avc: denied { send_msg } for scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Sep 07 13:54:46 fedora audit[1425]: AVC avc: denied { search } for pid=1425 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:46 fedora audit[1425]: AVC avc: denied { search } for pid=1425 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:46 fedora dbus-broker-launch[1007]: avc: denied { send_msg } for scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Sep 07 13:54:46 fedora audit[1448]: AVC avc: denied { search } for pid=1448 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:46 fedora audit[1448]: AVC avc: denied { search } for pid=1448 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Sep 07 13:54:46 fedora dbus-broker-launch[1007]: avc: denied { send_msg } for scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Sep 07 13:56:17 fedora audit[1010]: AVC avc: denied { sigkill } for pid=1010 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Sep 07 13:56:19 fedora audit[1010]: AVC avc: denied { sigkill } for pid=1010 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Sep 07 13:56:45 fedora audit[1010]: AVC avc: denied { sigkill } for pid=1010 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Milos' command shows the search and sigkill denials, not the watch ones, and nothing extra.
With 'full auditing' enabled according to https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/ , Milos' command shows some more info:
----
type=AVC msg=audit(2021-09-07 13:54:17.275:234) : avc: denied { search } for pid=1034 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:17.276:235) : avc: denied { search } for pid=1034 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:20.337:242) : avc: denied { search } for pid=1291 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:20.337:243) : avc: denied { search } for pid=1291 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:46.187:260) : avc: denied { search } for pid=1425 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:46.193:261) : avc: denied { search } for pid=1425 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:46.550:262) : avc: denied { search } for pid=1448 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:54:46.552:263) : avc: denied { search } for pid=1448 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1281 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:56:17.867:303) : avc: denied { sigkill } for pid=1010 comm=dbus-daemon scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=AVC msg=audit(2021-09-07 13:56:19.286:304) : avc: denied { sigkill } for pid=1010 comm=dbus-daemon scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=AVC msg=audit(2021-09-07 13:56:45.752:313) : avc: denied { sigkill } for pid=1010 comm=dbus-daemon scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:10.277:222) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:10.277:222) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:10.277:222) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:10.277:222) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5597238ce650 a2=O_RDONLY a3=0x0 items=1 ppid=993 pid=994 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:10.277:222) : avc: denied { search } for pid=994 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:10.278:223) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:10.278:223) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:10.278:223) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:10.278:223) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5597238da4b0 a2=O_RDONLY a3=0x0 items=1 ppid=993 pid=994 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:10.278:223) : avc: denied { search } for pid=994 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:12.118:229) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:12.118:229) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:12.118:229) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:12.118:229) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55f418512650 a2=O_RDONLY a3=0x0 items=1 ppid=1238 pid=1239 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:12.118:229) : avc: denied { search } for pid=1239 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:12.125:230) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:12.125:230) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:12.125:230) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:12.125:230) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55f41851e4b0 a2=O_RDONLY a3=0x0 items=1 ppid=1238 pid=1239 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:12.125:230) : avc: denied { search } for pid=1239 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:12.342:231) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:12.342:231) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:12.342:231) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:12.342:231) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5555e75e5650 a2=O_RDONLY a3=0x0 items=1 ppid=1257 pid=1258 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:12.342:231) : avc: denied { search } for pid=1258 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:12.356:232) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:12.356:232) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:12.356:232) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:12.356:232) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5555e75f14b0 a2=O_RDONLY a3=0x0 items=1 ppid=1257 pid=1258 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:12.356:232) : avc: denied { search } for pid=1258 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:37.151:250) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:37.151:250) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:37.151:250) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:37.151:250) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5589250f1650 a2=O_RDONLY a3=0x0 items=1 ppid=1307 pid=1308 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:37.151:250) : avc: denied { search } for pid=1308 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:37.153:251) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:37.153:251) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:37.153:251) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:37.153:251) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5589250fd4b0 a2=O_RDONLY a3=0x0 items=1 ppid=1307 pid=1308 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:37.153:251) : avc: denied { search } for pid=1308 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:38.137:258) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:38.137:258) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:38.137:258) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:38.137:258) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e1a0101650 a2=O_RDONLY a3=0x0 items=1 ppid=1396 pid=1397 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:38.137:258) : avc: denied { search } for pid=1397 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(2021-09-07 14:34:38.138:259) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:38.138:259) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(2021-09-07 14:34:38.138:259) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:38.138:259) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e1a010d4b0 a2=O_RDONLY a3=0x0 items=1 ppid=1396 pid=1397 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(2021-09-07 14:34:38.138:259) : avc: denied { search } for pid=1397 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
I will attach the full audit.log too.
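An added example, not part of the original comment and not Fedora or audit tooling: the full-auditing output above repeats the same denial many times, and the AVC record alone only names the directory, while the PATH and SYSCALL records sharing its event ID name the file being opened. The Python sketch below joins records by event ID and collapses duplicates; it assumes `ausearch -i` formatted input, and the sample is constructed from the layout quoted above with fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample in the `ausearch -i` layout; records trimmed to the
# fields this script reads.
SAMPLE = """\
----
type=PROCTITLE msg=audit(2021-09-07 14:34:10.277:222) : proctitle=/usr/libexec/at-spi-bus-launcher
type=PATH msg=audit(2021-09-07 14:34:10.277:222) : item=0 name=/run/gnome-initial-setup/.local/share/glib-2.0/schemas/gschemas.compiled nametype=UNKNOWN
type=CWD msg=audit(2021-09-07 14:34:10.277:222) : cwd=/run/gnome-initial-setup
type=SYSCALL msg=audit(2021-09-07 14:34:10.277:222) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) pid=994 tty=(none) comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher
type=AVC msg=audit(2021-09-07 14:34:10.277:222) : avc: denied { search } for pid=994 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=PATH msg=audit(2021-09-07 14:34:10.278:223) : item=0 name=/run/gnome-initial-setup/.config/dconf/user nametype=UNKNOWN
type=SYSCALL msg=audit(2021-09-07 14:34:10.278:223) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) pid=994 tty=(none) comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher
type=AVC msg=audit(2021-09-07 14:34:10.278:223) : avc: denied { search } for pid=994 comm=at-spi-bus-laun name=gnome-initial-setup dev="tmpfs" ino=1293 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(2021-09-07 13:56:17.867:303) : avc: denied { sigkill } for pid=1010 comm=dbus-daemon scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

# "type=X msg=audit(<timestamp>:<serial>) : <body>"; timestamp+serial is the event ID.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(body):
    """Split 'k=v k="v"' pairs into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def correlate(text):
    """Return one row per AVC denial, enriched with same-event PATH/SYSCALL data."""
    events = defaultdict(lambda: {"avcs": [], "paths": [], "syscall": None,
                                  "exit": None, "exe": None})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # "----" separators and non-audit lines
        ev = events[(m["ts"], int(m["serial"]))]
        if m["type"] == "AVC":
            avc = AVC_RE.search(m["body"])
            if avc:
                kv = fields(avc["rest"])
                ev["avcs"].append({
                    "perms": tuple(avc["perms"].split()),
                    "source": selinux_type(kv["scontext"]),
                    "target": selinux_type(kv["tcontext"]),
                    "tclass": kv["tclass"],
                    "comm": kv.get("comm"),
                })
        elif m["type"] == "PATH":
            name = fields(m["body"]).get("name")
            if name and name != "(null)":
                ev["paths"].append(name)
        elif m["type"] == "SYSCALL":
            kv = fields(m["body"])
            ev["syscall"] = kv.get("syscall")
            ev["exit"] = kv.get("exit", "").split("(")[0] or None
            ev["exe"] = kv.get("exe")
    rows = []
    for (ts, serial), ev in events.items():
        for avc in ev["avcs"]:
            rows.append({"event": f"{ts}:{serial}", **avc, "paths": ev["paths"],
                         "syscall": ev["syscall"], "exit": ev["exit"], "exe": ev["exe"]})
    return rows


def summarize(rows):
    """Collapse repeats: (source, target, class, perms) -> count and distinct paths."""
    groups = {}
    for r in rows:
        key = (r["source"], r["target"], r["tclass"], r["perms"])
        g = groups.setdefault(key, {"count": 0, "paths": set()})
        g["count"] += 1
        g["paths"].update(r["paths"])
    return {k: {"count": v["count"], "paths": sorted(v["paths"])}
            for k, v in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls, perms), info in summarize(correlate(SAMPLE)).items():
        print(f"{info['count']}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
        for p in info["paths"]:
            print(f"    while accessing {p}")
```

Events that carry only an AVC record, as in the first half of the output above, come back with an empty path list.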
Created attachment 1821373: /var/log/audit/audit.log from an affected boot, with full auditing enabled
Here's /var/log/audit/audit.log from an affected boot, after completing g-i-s and logging in, so there may be other stuff there too.
There are now builds available for F34, F35, and F36. I believe there will not be any delays or failures caused by a missing SELinux permission. Not all AVC denials which appeared in this BZ are resolved yet, though.
openQA tests with the update still show the exact same symptoms (slow boot to g-i-s, online accounts page missing). I will download the ISO locally and confirm that setting SELinux to permissive mode still 'fixes' it, but it looks like this does not fix the problem. See video: https://openqa.fedoraproject.org/tests/976494/video?filename=video.ogv&t=49.12,49.17
So this is definitely still broken with the new update, and booting with enforcing=0 definitely fixes it. Same symptoms as before. I have been trying to come up with an SELinux policy that makes it work, but have not yet succeeded. I have all these policies loaded:
+++++++
module atspi10 1.0;
require {
    type gnome_atspi_t;
    type tty_device_t;
    type init_t;
    type xdm_t;
    class chr_file { read write };
    class unix_stream_socket { read write };
    class file open;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t init_t:file open;
#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow gnome_atspi_t tty_device_t:chr_file { read write };
allow gnome_atspi_t xdm_t:unix_stream_socket { read write };

module atspi11 1.0;
require {
    type init_t;
    type gnome_atspi_t;
    type xdm_t;
    class file { getattr ioctl };
    class unix_stream_socket getattr;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t init_t:file { getattr ioctl };
allow gnome_atspi_t xdm_t:unix_stream_socket getattr;

module atspi2 1.0;
require {
    type gnome_atspi_t;
    type unconfined_dbusd_t;
    class dbus send_msg;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t unconfined_dbusd_t:dbus send_msg;

module atspi3 1.0;
require {
    type xdm_var_run_t;
    type gnome_atspi_t;
    type unconfined_dbusd_t;
    class file read;
    class dbus acquire_svc;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t unconfined_dbusd_t:dbus acquire_svc;
allow gnome_atspi_t xdm_var_run_t:file read;

module atspi4 1.0;
require {
    type system_dbusd_t;
    type gnome_atspi_t;
    type xdm_var_run_t;
    class file open;
    class process sigkill;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t xdm_var_run_t:file open;
#============= system_dbusd_t ==============
allow system_dbusd_t gnome_atspi_t:process sigkill;

module atspi5 1.0;
require {
    type system_dbusd_t;
    type unconfined_service_t;
    class process sigkill;
}
#============= system_dbusd_t ==============
allow system_dbusd_t unconfined_service_t:process sigkill;

module atspi6 1.0;
require {
    type xdm_var_run_t;
    type gnome_atspi_t;
    class file getattr;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t xdm_var_run_t:file getattr;

module atspi7 1.0;
require {
    type gnome_atspi_t;
    type xdm_var_run_t;
    class file map;
}
#============= gnome_atspi_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow gnome_atspi_t xdm_var_run_t:file map;

module atspi8 1.0;
require {
    type system_dbusd_t;
    type gnome_atspi_t;
    class process { noatsecure rlimitinh setsched siginh };
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t self:process setsched;
#============= system_dbusd_t ==============
allow system_dbusd_t gnome_atspi_t:process { noatsecure rlimitinh siginh };

module atspi9 1.0;
require {
    type gnome_atspi_t;
    type init_t;
    type system_dbusd_t;
    class dir search;
    class process { noatsecure rlimitinh siginh };
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t init_t:dir search;
allow gnome_atspi_t system_dbusd_t:process { noatsecure rlimitinh siginh };

module atspi 1.0;
require {
    type xdm_var_run_t;
    type gnome_atspi_t;
    class dir search;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t xdm_var_run_t:dir search;

module xxdbus1 1.0;
require {
    type xdm_t;
    type system_dbusd_t;
    type init_t;
    type gnome_atspi_t;
    type rpm_t;
    type tty_device_t;
    class capability net_admin;
    class chr_file { read write };
    class unix_stream_socket { read write };
    class file read;
    class dbus send_msg;
}
#============= gnome_atspi_t ==============
allow gnome_atspi_t init_t:file read;
#============= system_dbusd_t ==============
allow system_dbusd_t self:capability net_admin;
allow system_dbusd_t tty_device_t:chr_file { read write };
allow system_dbusd_t xdm_t:unix_stream_socket { read write };
#============= xdm_t ==============
allow xdm_t rpm_t:dbus send_msg;
+++++++
...and now booting in enforcing=0 shows no AVCs.
However, booting with enforcing=0 still causes g-i-s to come up fast and include the GOA page, but booting in enforcing mode results in g-i-s coming up slow and missing the GOA page. With semodule -DB I obviously get more AVCs, but can't find any more that seem relevant (several of the above rules already came from AVCs I found with semodule -DB).
Here are all the AVCs I get booting with enforcing=0 after doing semodule -DB:
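One way to triage a `semodule -DB` journal capture like the one described in this comment, as an added example that is not part of the original report. It assumes that `process`-class denials consisting only of `noatsecure`, `rlimitinh` and `siginh` are the exec-time inheritance checks that policy normally hides with dontaudit rules; the function names are hypothetical, the first three sample records are the ones quoted at the top of this report, and the rest are constructed.

```python
import re
from collections import Counter, namedtuple

Denial = namedtuple("Denial", "source target tclass perms comm permissive")

# finditer over the whole text, because journal output pasted into a bug
# often has several records run together on one line (or split mid-record).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<body>(?:(?!avc:).)*?)\bpermissive=(?P<permissive>[01])",
    re.DOTALL,
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: these three process permissions are the inheritance checks
# that are usually dontaudit-ed on domain transitions.
INHERIT_PERMS = {"noatsecure", "rlimitinh", "siginh"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avcs(text):
    """Yield one Denial per AVC record found anywhere in text."""
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing reliable to report
        yield Denial(
            selinux_type(fields["scontext"]),
            selinux_type(fields["tcontext"]),
            fields["tclass"],
            tuple(sorted(m.group("perms").split())),
            fields.get("comm", "?"),
            int(m.group("permissive")),
        )


def triage(text):
    """Split denials into deduplicated candidates and a count of likely noise."""
    candidates, noise = Counter(), 0
    for d in parse_avcs(text):
        if d.tclass == "process" and set(d.perms) <= INHERIT_PERMS:
            noise += 1
        else:
            candidates[d] += 1
    return candidates, noise


DBUS = ("scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
        "tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 ")
EX = ("scontext=system_u:system_r:example_parent_t:s0 "
      "tcontext=system_u:system_r:example_child_t:s0 ")
SAMPLE = (
    # Records quoted at the top of this report.
    'Aug 24 14:21:46 fedora audit[727]: AVC avc: denied { create } for pid=727 '
    'comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0 '
    'Aug 24 14:23:48 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 '
    'comm="dbus-daemon" ' + DBUS + 'tclass=process permissive=0 '
    'Aug 24 14:24:14 fedora audit[910]: AVC avc: denied { sigkill } for pid=910 '
    'comm="dbus-daemon" ' + DBUS + '\ntclass=process permissive=0 '
    # Constructed records with made-up types, in the same format.
    'Sep 10 14:56:00 host audit[2001]: AVC avc: denied { noatsecure } for pid=2001 '
    'comm="parent" ' + EX + 'tclass=process permissive=1 '
    'Sep 10 14:56:00 host audit[2001]: AVC avc: denied { rlimitinh } for pid=2001 '
    'comm="child" ' + EX + 'tclass=process permissive=1 '
    'Sep 10 14:56:00 host audit[2001]: AVC avc: denied { siginh } for pid=2001 '
    'comm="child" ' + EX + 'tclass=process permissive=1 '
    'Sep 10 14:56:01 host audit[2002]: AVC avc: denied { read write } for pid=2002 '
    'comm="child" path="/dev/example0" scontext=system_u:system_r:example_child_t:s0 '
    'tcontext=system_u:object_r:example_device_t:s0 tclass=chr_file permissive=1'
)

if __name__ == "__main__":
    found, hidden = triage(SAMPLE)
    for d, n in found.most_common():
        mode = "permissive" if d.permissive else "ENFORCED"
        print(f"{n}x {d.source} -> {d.target}:{d.tclass} {{{' '.join(d.perms)}}} "
              f"comm={d.comm} [{mode}]")
    print(f"{hidden} inheritance-check denials set aside")
```

Records set aside as noise are only deprioritised, not proven harmless; the candidates that remain with `permissive=0` are the ones that actually blocked something.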
Current state: selinux-policy-34.19-2.fc35 pushed to stable, should resolve some of the issues reported here and the linked bzs.
I am working on the other problems.
Current state: When installing https://kojipkgs.fedoraproject.org/compose/branched/Fedora-35-20210913.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-35-20210913.n.0.iso and using builds from this PR: https://github.com/fedora-selinux/selinux-policy/pull/874 Checks -> Details -> Artifacts -> rpms and updating before first boot, the system seems to work without a glitch. The "Oh no" screen still appears, at the beginning and at the end of the process, but I can't confirm any actual impact. It is there even in selinux permissive, I'll create a separate bug for that. There will be a new build of the selinux-policy package, I'd appreciate any further feedback as I haven't tested many possible scenarios.
(In reply to Zdenek Pytela from comment #25)
> The "Oh no" screen still appears, at the beginning and at the end of the
> process, but I can't confirm any actual impact.
> It is there even in selinux permissive, I'll create a separate bug for that.

We already have bug #1950669 for this and are finally beginning to understand that it's not related to selinux after all. If you filed a new one, please mark it as a duplicate.
Zdenek, can we please get official build/update with the fix soon? It would be good to have this fixed by tomorrow so we can see what things look like with other possibly-related bugs. Thanks.
Adam, you're confident that disabling selinux resolves the "every D-Bus call is timing out" issue in the initial setup session?

(In reply to Michael Catanzaro from comment #26)
> We already have bug #1950669 for this and are finally beginning to
> understand that it's not related to selinux after all. If you filed a new
> one, please mark it as a duplicate.

At this point, we're starting to think that:

* D-Bus was broken due to gnome-shell using setcap
* D-Bus is *also* broken due to selinux
* Previous state: we thought it wasn't related to selinux because the crashing still occurred with selinux disabled
* Current state: disabling selinux now fixes the crashes, because gnome-shell is not using setcap anymore
yeah, that's basically what I'm thinking too, as I wrote in the other bug. indeed if you boot with selinux in permissive mode and the 'no capabilities' build of gnome-shell, the journal doesn't seem to log a ton of timed out dbus calls.
A scratch build has been available since yesterday: https://koji.fedoraproject.org/koji/taskinfo?taskID=75777102
I hoped the build would follow right after that, but it got stuck in the CI pipeline.
FEDORA-2021-a850b07511 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a850b07511
The CI has passed successfully just a while ago and a new build is available: https://koji.fedoraproject.org/koji/taskinfo?taskID=75844840
Thanks. openQA testing confirms the bug is fixed.
FEDORA-2021-a850b07511 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a850b07511` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a850b07511 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-a850b07511 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
Created attachment 1824236 [details]
warning at GIS

bug is fixed indeed. tested a new iso build with this fix Fedora-Workstation-Live-x86_64-35-20210918.n.0 only thing I noticed is a delay after setting a weak password and pressing twice the ok button. it showed the warn attached.
BUT OVERALL, BUG IS FIXED
*** Bug 2003778 has been marked as a duplicate of this bug. ***
*** Bug 2003253 has been marked as a duplicate of this bug. ***
(In reply to Geraldo Simião from comment #36)
> Created attachment 1824236 [details]
> warning at GIS
>
> bug is fixed indeed. tested a new iso build with this fix
> Fedora-Workstation-Live-x86_64-35-20210918.n.0 only thing I noticed is a
> delay after setting a weak password and pressing twice the ok button. it
> showed the warn attached.
> BUT OVERALL, BUG IS FIXED

Let's discuss this in bug #2005625. I'm curious whether you were able to successfully complete gnome-initial-setup. I gave up.