Bug 1355861

Summary: 20160712 Workstation Rawhide nightly fails to boot in enforcing mode, boots in permissive
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: urgent
Version: rawhide
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, renault, robatino
Hardware: x86_64
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Last Closed: 2016-07-15 22:58:09 UTC
Type: Bug
Bug Blocks: 1277284
Attachments:
sealert -a /var/log/audit/audit.log output on 20160711
sealert -a /var/log/audit/audit.log output on 20160712
journalctl -b | grep -i avc | grep den output on 20160711
journalctl -b | grep -i avc | grep den output on 20160712

Description Adam Williamson 2016-07-12 18:27:48 UTC
Today's Rawhide Workstation nightly live:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160712.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160712.n.0.iso

does not boot in enforcing mode; it gets stuck in a loop during GNOME init. It boots fine in permissive mode.

The previous day's nightly:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160711.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160711.n.0.iso

boots OK in enforcing mode. A new selinux-policy landed in 20160712.n.0 - selinux-policy-3.13.1-201.fc25 - so this is the obvious suspect.

Booting both images in permissive mode seems to produce the same five AVCs:

SELinux is preventing (-localed) from mounton access on the directory /dev.
SELinux is preventing accounts-daemon from write access on the directory root.
SELinux is preventing accounts-daemon from add_name access on the directory .cache.
SELinux is preventing accounts-daemon from create access on the directory .cache.
SELinux is preventing gdbus from write access on the fifo_file /run/systemd/inhibit/1.ref.

according to 'sealert -a /var/log/audit/audit.log' as root. However, looking at the journal - 'journalctl -b | grep -i avc | grep den' - shows one on 20160712 that is not apparent on 20160711:

Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system

that does not appear in 20160711.

Proposing as an F25 Alpha blocker: violates "All release-blocking images must boot in their supported configurations" for the Workstation live, which is a release-blocking image.
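The comparison described above (denials present in the 20160712 boot but not in the 20160711 one) can be automated. This is an added example, not code from the bug report: it parses kernel AVC and USER_AVC records out of two journal captures and reports the denial signatures unique to the second boot. The USER_AVC line is the one quoted in the report; the accounts-daemon line and its contexts are constructed for illustration.

```python
import re
from typing import List, Set, Tuple

# Constructed sample journal captures. BASELINE_LOG stands in for the 20160711 boot,
# NEW_LOG for the 20160712 boot. The systemd-logind USER_AVC record is the one quoted
# in the bug report; the accounts-daemon AVC record (and its contexts) is constructed.
BASELINE_LOG = """\
Jul 11 18:20:01 localhost audit[612]: AVC avc:  denied  { write } for  pid=612 comm="accounts-daemon" name="root" dev="dm-0" ino=131 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
Jul 11 18:20:01 localhost systemd[1]: Started Accounts Service.
"""

NEW_LOG = """\
Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
Jul 12 18:23:58 localhost audit[612]: AVC avc:  denied  { write } for  pid=612 comm="accounts-daemon" name="root" dev="dm-0" ino=131 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
"""

# Matches both kernel AVC records ("AVC avc:  denied  { perm } ...") and userspace
# USER_AVC records, whose avc text is wrapped in msg='...'. Only the fields that
# identify a policy rule are captured: source/target context, class, permissions.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

Signature = Tuple[str, str, str, str]  # (scontext, tcontext, tclass, permission)


def parse_denials(log: str) -> Set[Signature]:
    """Return the set of denial signatures found in one journal capture."""
    found: Set[Signature] = set()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (ordinary journal line)
        # A single record may deny several permissions, e.g. "{ read write }".
        for perm in m.group("perms").split():
            found.add((m.group("scontext"), m.group("tcontext"), m.group("tclass"), perm))
    return found


def new_denials(baseline: str, candidate: str) -> List[Signature]:
    """Denials present in `candidate` that never appeared in `baseline`."""
    return sorted(parse_denials(candidate) - parse_denials(baseline))


if __name__ == "__main__":
    for scontext, tcontext, tclass, perm in new_denials(BASELINE_LOG, NEW_LOG):
        print("new denial: %s -> %s class=%s perm=%s" % (scontext, tcontext, tclass, perm))
```

For a real comparison, capture both boots in permissive mode so every denial is logged rather than only the first one that blocks startup.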

Comment 1 Adam Williamson 2016-07-12 18:29:38 UTC
Created attachment 1178971 [details]
sealert -a /var/log/audit/audit.log output on 20160711

Comment 2 Adam Williamson 2016-07-12 18:29:56 UTC
Created attachment 1178972 [details]
sealert -a /var/log/audit/audit.log output on 20160712

Comment 3 Adam Williamson 2016-07-12 18:30:22 UTC
Created attachment 1178973 [details]
journalctl -b | grep -i avc | grep den output on 20160711

Comment 4 Adam Williamson 2016-07-12 18:30:39 UTC
Created attachment 1178974 [details]
journalctl -b | grep -i avc | grep den output on 20160712

Comment 5 Lukas Vrabec 2016-07-13 06:42:42 UTC
I probably see the issue here. I will fix this ASAP.

Comment 6 Lukas Vrabec 2016-07-13 08:46:42 UTC
I built selinux-policy-3.13.1-202.fc25 selinux policy package. This should fix the issue.

Comment 7 Adam Williamson 2016-07-13 15:57:00 UTC
Thanks. We didn't get a nightly today because of https://fedorahosted.org/rel-eng/ticket/6442; I'll be able to confirm the fix (or not) when that's resolved.

Comment 8 Couret Charles-Antoine 2016-07-15 21:55:50 UTC
The update doesn't fix the issue for me.
Many services couldn't be started and the boot failed. With selinux=0 in the command line to boot, no problem.

Comment 9 Adam Williamson 2016-07-15 22:58:09 UTC
It does fix nightly live image boots, though. The last couple of days of Workstation nightly lives have booted OK.

Comment 10 Couret Charles-Antoine 2016-07-18 07:14:52 UTC
It's fixed for me after manual relabelling.
Thanks.