Bug 1027509

Summary: selinux-policy-3.12.1-98.fc20 prevents system login entirely
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targeted Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 20 CC: awilliam, collura, dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-25 20:11:29 UTC Type: Bug

Description Adam Williamson 2013-11-07 01:16:18 UTC
I built a live image with selinux-policy-3.12.1-98.fc20 (because I was having troubles with the current 'stable' one, so I figured I'd just try the newest thing). Unless I boot with enforcing=0, I cannot log in to the system, from a VT or a graphical DM. If I boot with enforcing=0, I can log in just fine. If I boot with enforcing=0 and check for AVCs in /var/log/audit/audit.log, I get:

type=AVC msg=audit(1383786700.878:55): avc:  denied  { transition } for  pid=899 comm="sddm-auth" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=173445 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1383786879.426:475): avc:  denied  { transition } for  pid=1793 comm="login" path="/usr/bin/bash" dev="dm-0" ino=136570 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

If this selinux-policy went stable, this would be a release blocker, so please don't submit it.

Comment 1 Miroslav Grepl 2013-11-07 11:51:05 UTC
This is strange. I have been trying to reproduce it but I don't see this issue with the latest policy.

And does it work with an older policy?

Comment 2 Adam Williamson 2013-11-07 18:44:53 UTC
-90 is fine. It may be an issue only on live images, I suppose?

Comment 3 Miroslav Grepl 2013-11-07 20:14:33 UTC
It looks like something went wrong. If you re-install the policy on the live image, does it blow up?

Comment 4 Adam Williamson 2013-11-07 23:03:49 UTC
I've blown the live away, now. Could be that the selinux-policy on the live builder has to be newer too, I suppose? I can play with it some more later, I guess.

Comment 5 Adam Williamson 2013-11-25 20:11:29 UTC
Sorry for the delay on this one: turns out it's just a mismatch between builder and guest. If the builder has a new enough selinux-policy (same as the one you're putting into the guest) it works fine. My bad. Tested with -104: if I build an image with -104 on a host with -90 it fails as described, but if I update the builder to -104 and try again, the live image works fine.
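
Added example (not part of the original bug report or its comments): a small Python triage script for the kind of denial quoted in the description. In both records a login program (login, sddm-auth) still has the source type kernel_t and is denied a process transition; the script parses audit.log AVC lines and flags that pattern. The third sample line is constructed to show a denial that is not flagged, and the function names are this example's own.

```python
import re

# First two lines: the AVC records quoted in the bug description.
# Third line: constructed for this example (an unrelated file denial).
SAMPLE_LOG = """\
type=AVC msg=audit(1383786700.878:55): avc:  denied  { transition } for  pid=899 comm="sddm-auth" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=173445 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1383786879.426:475): avc:  denied  { transition } for  pid=1793 comm="login" path="/usr/bin/bash" dev="dm-0" ino=136570 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1383786900.000:500): avc:  denied  { read } for  pid=2000 comm="httpd" name="example.txt" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    return rec


def context_type(context):
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def kernel_t_transitions(log_text):
    """Denied process transitions whose source type is still kernel_t."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec.get("tclass") == "process" and "transition" in rec["perms"]
                and context_type(rec.get("scontext", "")) == "kernel_t"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in kernel_t_transitions(SAMPLE_LOG):
        print(f'{rec["comm"]} (pid {rec["pid"]}) in kernel_t denied transition via {rec["path"]}')
```

Hits from a freshly built image point at the image as a whole (policy or labeling) rather than at a missing allow rule, which matches the resolution in Comment 5.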