Bug 1350054
Summary: | Refuses to let systemd fix label of /dev/shm/lldpad.state on boot | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 25 | CC: | bitlord0xff, bugzilla, dominick.grift, dwalsh, gmarr, kparal, lvrabec, mgrepl, micsim2007, plautrba, reklov, robatino, sgallagh, simon.sinx17 |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | AcceptedFreezeException | ||
Fixed In Version: | selinux-policy-3.13.1-222.fc25 | Doc Type: | If docs needed, set a value |
Last Closed: | 2016-11-10 16:37:43 UTC | Type: | Bug |
Bug Blocks: | 1277289, 1277290 | ||
Attachments: |
Description
Adam Williamson
2016-06-24 23:20:48 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Seems to be fixed this morning after applying selinux-policy 3.13.1.219.fc25 and selinux-policy-targeted 3.13.1.219.fc25.

Spoke too soon, the message returned after disappearing for the reboot after applying the selinux update. I cold booted just now and it's back.

Created attachment 1215942 [details]
dmesg output - SELinux denial notification

Still getting this error message after updating my clean install this evening to kernel 4.8.5-300.fc25.

Is it another potential release blocker due to https://bugzilla.redhat.com/show_bug.cgi?id=1383471#c6

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Reason I ask is it also comes up when booting the nightly ISO Fedora-MATE_Compiz-Live-x86_64-25-20161031.n.0.iso

selinux-policy-3.13.1-222.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

(In reply to Fedora Update System from comment #6)
> selinux-policy-3.13.1-222.fc25 has been submitted as an update to Fedora 25.
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

Thanks Lukas, I've installed the necessary files from koji. So far I've restarted once after updating the kernel to 4.8.6-300, a couple of cold boots and it's been okay but the other crucial test will be when that package goes stable and is included in the nightly ISO image.

I'm at least +1 FE for this (need a bit more certainty on whether a notification reliably appears on boot of a clean install to decide whether it's a blocker).

Created attachment 1216717 [details]
Further Evidence from my notebook to show it isn't system specific
My understanding is that SELinux denial notifications or crash notifications
on boot of the live image;
or
during installation from a live image;
or at first login after a default install of a desktop from a live image are all classed as release blockers.
I'm really not making this up as there would be no sense in doing so, wasting my and everyone else's time.
The denial message is consistently coming up every time on boot of the actual Live image regardless of the system it is put in which technically makes it a release-blocker. FYI, the burnt live image passed the boot time media check. I wouldn't have booted from it at all if it didn't.
You now have evidence of it from two of my machines with completely different specifications.
Whether it's decided this denial message isn't a blocker and to release anyway with it unfixed or otherwise, as a user I felt obligated to flag up the issue after reading Jon Haas' post. Had I known of this critical fact sooner then of course I would have brought it to your attention far sooner too.
Created attachment 1216757 [details]
Further Evidence from another desktop I have
Last one. Three different systems all with the same error.
Mike: that's fine, I'm just saying, before voting +1 blocker I'd want to double check it.

Created attachment 1216783 [details]
Booting from older Beta 1-1
please do so
I'm definitely +1 FE. I haven't seen anything to tell me that this results in broken functionality (just an odd error message), so I'd be -1 blocker if this came up during a Go/No-Go meeting.

It may be 'just an odd error message' and I have no issue with using as it is myself. However you also need to take into account the fact it doesn't look professional and may put quite a few users off using the operating system if they perceive it as broken from the outset. I guess that is why the guideline is in place but I agree there also needs to be some common sense applied here. If you all decide it's not a blocker and the release ISO is still affected by SELinux denial message, please at least add it to the Common F25 bugs list so people are made aware of its existence beforehand and won't panic. Also those who never bother reading that page before diving in and loading the ISOs can be referred to it as and when they will inevitably bring it up on ask.fedoraproject.org or fedoraforum.org.

Stephen: the criterion is not about broken functionality. Mike is correct that it's a polish criterion. If the message appears on boot for all or a large number of F25 installs, it is a blocker. The point is that we don't want to ship something which immediately displays an ugly error message to everyone who runs it, whether it actually means anything is broken or not.

selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

Discussed during the 2016-11-07 blocker review meeting: [1]

The decision to delay the classification of this as a blocker and instead classify it as an AcceptedFreezeException was made as there is debate as to if this bug is encountered frequently enough; also, as there is a fix for this, we expect that this will not have to be revisited for blocker classification.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-11-07/f25-blocker-review.2016-11-07-17.01.txt

I can't reproduce the problem either before the update or after it. But multiple people claim in the bodhi update that this is fixed. Fixing trackers.

I'd be fascinated to know how people can claim on bodhi it is fixed without an ISO containing the patched version to boot and see if the error comes up. That is why I left the message on bodhi that I did. You can't say categorically it has been fixed without testing that. If it is possible to create an ISO containing stuff from updates-testing please enlighten me. I'm not new to compiling live-spin ISOs using kickstarts and tried to do it. The process of course failed. Anyhow, I'll burn tonight's ISO as it appears the 'fix' will be in the stable repositories by the time the nightly builds are compiled and see what happens then. Thanks for at least looking into it though.

(In reply to Mike Simms from comment #20)
> I'd be fascinated to know how people can claim on bodhi it is fixed without
> an ISO containing the patched version to boot and see if the error comes up.
> That is why I left the message on bodhi that I did. You can't say
> categorically it has been fixed without testing that.
>

It happens on every boot of an installed OS. To verify it, you just need to install the fixed package and reboot. If the message doesn't appear in the bootloader, it's fixed.

Stephen, you clearly missed my and Adam's point completely here.
For the last time... it happens on boot of the LIVE ISO AS WELL ergo release blocking ugly error message. I'm well aware that it is looking to be fixed after applying the update as I've found that much myself. The crux of the matter is unless you include the patched selinux-policy in the final release ISO, the ISO ITSELF IS STILL BROKEN.

"The point is that we don't want to ship something which immediately displays an ugly error message" - Adam, https://bugzilla.redhat.com/show_bug.cgi?id=1350054#c15

SELinux denial notifications or crash notifications on boot of the live image and not just on first boot after install are classed as ugly error message release blockers in your own guidelines.

Email I received last night from a friend:

"From: Leslie S Satenstein
To: Michael Simms
Subject: Re: Fedora 25 Final Release Readiness Meeting, Thursday, November 10th @ 19:00 UTC
Date: Mon, 7 Nov 2016 15:43:51 +0000 (UTC)
Reply-To: Leslie S Satenstein

With the RFRemix for F25, been getting that Selinux message during the installation. Also, can't run Wayland. Many programs (gparted, for one) will not run under Wayland. As well, many tweak extensions are not Wayland compatible. I run F25Remix with xorg.

Regards
Leslie
Mr. Leslie Satenstein
Montréal Québec, Canada"

In my reply I asked Leslie to report that against this bug because it is a Fedora issue but he hasn't done so yet. He uses Workstation so it must be affecting the Workstation ISO as well as MATE-Compiz. But as far as I'm concerned I'm done with this now. Certain people can't recreate, do not understand the entire test scenario properly and post it is fixed prematurely. I may as well go through bodhi and post +1 karma against a whole load of bugs I without reading what they actually are for all the good the system is in that case.

Mike: please relax, we have a process here. The issue is fundamentally the same issue in the live images and the installed system.
If people report that the issue is resolved by the update in their installed systems, that gives us strong confidence that the update will also resolve the issue in live images that are built with it. In an *ideal* world we would build a live image with the fixed package and verify the issue is resolved in a live boot too, but if we don't have time to do that, it's fine to just push the update stable and expect that lives will then be fixed. If it turns out they aren't, we can then look at the problem again.

Created attachment 1218857 [details]
20161108 Nightly - Fedora-MATE-Live-25-1-1 dmesg output

As closure to my part of the process, using Adam's nightly finder (excellent tool that should be adopted officially in my opinion) I have downloaded and ran the last 'nightly' build which looks to be a release candidate ISO now from the label it's been given. It contains the patched SELinux policy and therefore works properly as per the attached output.

https://kojipkgs.fedoraproject.org/compose/25/Fedora-25-20161109.0/compose/Spins/x86_64/iso/Fedora-MATE_Compiz-Live-x86_64-25-1.1.iso

Adam. I respect you and appreciate your comments. I would not have had an issue at all if everyone were as polite and respectful as yourself and actually took on board the factually correct comments made and evidence provided rather than dismissing them off-hat. As a result I just feel my time and efforts can clearly be better spent elsewhere. I'm not paid to sit in front of the PC testing Fedora, it is entirely voluntary. So if my contributions aren't appreciated then I'll do something more constructive with my free time in future.

Yes, that is actually the first F25 release candidate, not a nightly (candidate composes do show up in the 'nightly' finder, despite the name). Thanks for confirming this is fixed, as was expected for that compose. Note that true *nightly* composes will continue to have the bug until the update is pushed stable (which will happen quite soon).
It has been pushed stable yesterday afternoon, your nightly finder did point me to that RC compose (see the link hover text at the bottom of Opera in the screenshot). Presumably it will find and link to the 20161110 nightly anyway over night tonight. I'd anticipate that containing the fix too. http://tinypic.com/r/2egb7ev/9

"It has been pushed stable yesterday afternoon"

No, it hasn't. It was *submitted* for stable then. 'Submitted' just means it's been put in a queue to be pushed stable. Usually updates are actually 'pushed' stable as a matter of course shortly after that, but during a freeze, that is not the case, all pushes during freezes are done manually from a specific 'stable push request' that we (QA) file. I'll do one of those today. If you look at the top of https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81 you'll see that 'Request' is 'stable', but 'Status' is 'testing'. It's only stable when 'Status' is 'stable'.

Thanks for the explanation, I thought a freeze exception would be pushed automatically as normal.

Nah, unfortunately it's still manual. We'd *like* to make it more automated.

selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
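
The verification discussed in the thread (install the fixed package, reboot, check that the denial is gone) can be scripted; the following is an added example, not part of the original bug report or of any Fedora tooling. The function names are hypothetical, the sample log is constructed with illustrative field values, and GNU `sort -V` is assumed as a stand-in for rpm's version comparison.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
FIXED_EVR="3.13.1-222.fc25"   # "Fixed In Version" from this bug

# Succeeds when the given version-release is at or above FIXED_EVR.
# Assumption: GNU `sort -V` stands in for rpm's own version comparison,
# which is adequate within the 3.13.1-N.fc25 series.
policy_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Reads kernel/audit log text on stdin and prints how many AVC denials
# name lldpad.state. awk exits 0 either way, so a clean log prints 0.
count_lldpad_denials() {
    awk '/avc: +denied/ && /name="lldpad\.state"/ { n++ } END { print n + 0 }'
}

# Combines both checks: $1 is the installed version-release, stdin the log.
boot_verdict() {
    hits=$(count_lldpad_denials)
    if [ "$hits" -gt 0 ]; then echo "denial-present"
    elif policy_is_fixed "$1"; then echo "clean-and-fixed"
    else echo "clean-but-outdated"
    fi
}

# Constructed sample log; every field value is illustrative and not taken
# from the attachments on this bug.
sample_boot_log() {
    cat <<'EOF'
[    9.101112] systemd[1]: Mounted POSIX Message Queue File System.
[    9.204518] audit: type=1400 audit(1478000000.204:3): avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="lldpad.state" dev="tmpfs" ino=12345 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lldpad_tmpfs_t:s0 tclass=file permissive=0
[    9.310000] audit: type=1400 audit(1478000000.310:4): avc:  denied  { read } for  pid=700 comm="example" name="other.file" dev="tmpfs" ino=12346 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
EOF
}

# On a real system (not run here):
#   evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)
#   dmesg | boot_verdict "$evr"
sample_boot_log | boot_verdict "3.13.1-219.fc25"
```

The same functions apply to a live image booted from an ISO, since the check reads only the running system's package database and kernel log.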