Bug 1210045

Summary: AVC Denials after i386 Workstation netinst
Product: [Fedora] Fedora
Reporter: Mike Ruckman <mruckman>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 22
CC: awilliam, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pschindl, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2015-04-27 09:37:35 UTC
Type: Bug
Bug Blocks: 1043130    

Description Mike Ruckman 2015-04-08 18:48:18 UTC
Description of problem:
Fresh installation of i386 Workstation from netinst results in 5 SELinux denials on first login.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-119.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. Boot workstation netinst
2. Use all defaults, don't create a user
3. Install
4. Go through g-i-s
5. Log in with user from step 4
6. See notifications for avc denials

Actual results:
avc denials

Expected results:
no avc denials

Additional info:
Also proposing as a Final Blocker per the following criterion: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.

Comment 1 Mike Ruckman 2015-04-08 18:54:42 UTC
The denials are for:
 - useradd
 - gdm-session-worker
 - polkitd
 - colord
 - cupsd

All for "read" under "Attempted Access."

Comment 2 Lukas Vrabec 2015-04-09 14:43:18 UTC
Do you have these AVCs?
Personally, I think these domains are trying to read /etc/localtime.
Could you confirm this?

Thank you.

Comment 3 Adam Williamson 2015-04-20 18:38:39 UTC
FWIW I didn't see this on an x86_64 Workstation network install today which got selinux-policy -122.

Comment 4 Petr Schindler 2015-04-20 18:49:25 UTC
Discussed at today's blocker review meeting [1].

It was decided to delay the decision - adamw couldn't reproduce this today and the report is short on detail, let's give roshi a chance to provide more info.

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-04-20/

Comment 5 Mike Ruckman 2015-04-23 22:49:54 UTC
Here are the selinux logs.
 -> http://paste.fedoraproject.org/214975/42982639/

Lukas, looks like you're correct.

I've only seen this on i386 and only when g-i-s is used to create the user. If you create the user in anaconda there are no denials. -122 was installed.

Sorry it took me so long to respond :(

Comment 6 Lukas Vrabec 2015-04-27 09:37:35 UTC

*** This bug has been marked as a duplicate of bug 1190377 ***
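
One way to check the hypothesis from comment 2 against an audit log, as an added example that is not part of the original bug report: the script groups AVC denials by process and separates those that are a plain `read` on `localtime` from anything else. The log records, SELinux type names and function names below are constructed for illustration and are not taken from the paste linked in comment 5.

```python
import re
from collections import defaultdict

# Constructed sample records for illustration; NOT the contents of the paste in comment 5.
_AVC = ('type=AVC msg=audit(1429826001.{n}:{n}): avc:  denied  {{ {perm} }} for  pid={n} '
        'comm="{comm}" name="{name}" dev="dm-0" ino=131 '
        'scontext=system_u:system_r:{dom}:s0 tcontext=system_u:object_r:etc_t:s0 '
        'tclass={tclass} permissive=0')
_ROWS = [  # comm is capped at 15 characters by the kernel, hence "gdm-session-wor"
    ("useradd", "useradd_t", "localtime", "lnk_file", "read"),
    ("gdm-session-wor", "xdm_t", "localtime", "lnk_file", "read"),
    ("polkitd", "policykit_t", "localtime", "lnk_file", "read"),
    ("colord", "colord_t", "localtime", "lnk_file", "read"),
    ("cupsd", "cupsd_t", "localtime", "lnk_file", "read"),
    ("colord", "colord_t", "mapping.db", "file", "write"),  # unrelated denial, constructed
]
SAMPLE_AUDIT_LOG = "\n".join(
    [_AVC.format(n=200 + i, comm=c, dom=d, name=nm, tclass=tc, perm=p)
     for i, (c, d, nm, tc, p) in enumerate(_ROWS)]
    + ['type=SYSCALL msg=audit(1429826001.200:200): arch=40000003 success=no comm="useradd"'])

DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Return one dict per kernel AVC denial record; other record types are skipped."""
    out = []
    for line in log.splitlines():
        m = DENIED.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ctx = f.get("scontext", "").split(":")
        out.append({"perms": m.group(1).split(), "comm": f.get("comm"),
                    "name": f.get("name"), "tclass": f.get("tclass"),
                    "domain": ctx[2] if len(ctx) > 2 else None})
    return out

def summarize(log, expected_name="localtime", expected_perm="read"):
    """Split denials into those matching the hypothesis and everything else."""
    explained, other = defaultdict(set), []
    for d in parse_denials(log):
        if d["name"] == expected_name and d["perms"] == [expected_perm]:
            explained[d["comm"]].add(d["domain"])
        else:
            other.append(d)
    return dict(explained), other

if __name__ == "__main__":
    matched, rest = summarize(SAMPLE_AUDIT_LOG)
    print("read on localtime:", {c: sorted(t) for c, t in matched.items()})
    print("not explained:", [(d["comm"], d["perms"], d["name"]) for d in rest])
```

An empty second list means every denial in the log is accounted for by the `localtime` read; any entry there needs its own triage.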