Bug 1088990

Summary: Acount service doesn't start on liveCD
Product: [Fedora] Fedora Reporter: Petr Schindler <pschindl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: awilliam, dominick.grift, dwalsh, extras-orphan, lvrabec, mclasen, mgrepl, mitr, pschindl, walters
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-05 19:20:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Boot output (without quiet) none

Description Petr Schindler 2014-04-17 15:07:33 UTC 
Description of problem:
Every boot of Desktop (gnome) liveCD (built in 20140416) ends with message: "Failed to start Accounts Service"

After a while screen goes dark and nothing more happens.


Version-Release number of selected component (if applicable):
I guess it's accountsservice-0.6.35-2.fc21.x86_64 (it is version from the day after liveCD was built)

How reproducible:
100%

Steps to Reproduce:
1. Boot liveCD

Actual results:
It will end with black screen.

Expected results:
Live system boots and the default user is logged in

Additional info:
Comment 1 Petr Schindler 2014-04-18 08:24:35 UTC 
Created attachment 887459 [details]
Boot output (without quiet)

some relevant parts:
....
[   11.395170] accounts-daemon[675]: segfault at 10 ip 00007f5a67eac4a1 sp 00007fff580cb6d8 error 4 in libpthread-2.19.90.so[7f5a67ea3000+17000]
[FAILED] Failed to start Accounts Service.
....
         Starting Authorization Manager...
[   14.448444] accounts-daemon[886]: segfault at 10 ip 00007fd9ac8e64a1 sp 00007fffcb2c42f8 error 4 in libpthread-2.19.90.so[7fd9ac8dd000+17000]
[   14.714115] polkitd[897]: segfault at 10 ip 00007f1cc7b794a1 sp 00007fff385be688 error 4 in libpthread-2.19.90.so[7f1cc7b70000+17000]
[FAILED] Failed to start Authorization Manager.
See 'systemctl status polkit.service' for details.
[FAILED] Failed to start Accounts Service.
Comment 2 Miloslav Trmač 2014-04-18 23:01:37 UTC 
(In reply to Petr Schindler from comment #0)
> Description of problem:
> Every boot of Desktop (gnome) liveCD (built in 20140416)

What image is this?  Google find nothing obvious, and neither can I find a live image browsing download.fedoraproject.org.  Could you provide an exact URL, please?
Comment 3 Petr Schindler 2014-04-19 17:05:05 UTC 
You can find it here: http://kojipkgs.fedoraproject.org//work/tasks/6981/6746981/Fedora-Live-Desktop-x86_64-rawhide-20140416.iso

Generally we got newest livecds from here: https://apps.fedoraproject.org/releng-dash/#livecds

I tested with today's livecd (http://kojipkgs.fedoraproject.org/work/tasks/6358/6756358/Fedora-Live-Desktop-x86_64-rawhide-20140419.iso) and it is still the same.
Comment 4 Josh Boyer 2014-04-25 19:24:32 UTC 
I'm seeing the same with a locally built live image.  This still seems to be a problem.
Comment 5 Colin Walters 2014-04-25 19:50:59 UTC 
I'm pretty sure this is actually a SELinux policy issue.  polkit was hitting a denial and it just wasn't ready for it.  I don't have the AVC to hand.
Comment 6 Josh Boyer 2014-04-25 19:53:30 UTC 
Yeah.  Booting the local live image with enforcing=0 seems to get past the issue.
Comment 7 Josh Boyer 2014-04-25 20:04:08 UTC 
OK, looking at the logs it seems we're getting AVC denials on /dev/urandom

type=AVC msg=audit(1398455505.523:17): avc:  denied  { read } for  pid=683 comm="accounts-daemon" name="urandom" dev="devtmpfs" ino=6267 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1398455505.523:17): avc:  denied  { open } for  pid=683 comm="accounts-daemon" path="/dev/urandom" dev="devtmpfs" ino=6267 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=AVC msg=audit(1398455506.150:26): avc:  denied  { read } for  pid=735 comm="polkitd" name="urandom" dev="devtmpfs" ino=6267 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1398455506.150:26): avc:  denied  { open } for  pid=735 comm="polkitd" path="/dev/urandom" dev="devtmpfs" ino=6267 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

Colin pointed to 1081429 for the SELinux issue.  That's probably one problem, but polkitd probably shouldn't segfault.
Comment 8 Adam Williamson 2014-04-29 17:11:26 UTC 
Are folks still seeing this? I just booted the 0428 nightly in a VM and it booted fine.

Josh, did you build your image from an F20 or F21 host? I've found that SELinux pain can sometimes result when trying to build lives 'cross-release', it always seems to work better to match up the host and image version.
Comment 9 Daniel Walsh 2014-05-05 19:19:55 UTC 
Looks like this is fixed in selinux-policy-3.13.1-48.fc21.noarch