Bug 1561072

Summary:	Selinux endless flood after upgrading to F28 from F26
Product:	[Fedora] Fedora	Reporter:	Alessio <alciregi>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED NOTABUG	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	28	CC:	alciregi, awilliam, dwalsh, lvrabec, mgrepl, plautrba, pmoore
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-03-27 17:23:29 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Alessio 2018-03-27 14:58:15 UTC

Updated F26 to F28 via gnome-software.

Logged in and I'm flooded by an endless loop of SELinux security alert.

This is a snippet of /var/log/audit/audit.log

type=PATH msg=audit(1522162491.958:1507): item=0 name="/run/systemd/units/invocation:dbus.service" inode=27763 dev=00:16 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1522162491.958:1507): proctitle="/usr/lib/systemd/systemd-journald"
type=AVC msg=audit(1522162491.994:1508): avc:  denied  { read } for  pid=4830 comm="systemd-journal" name="invocation:user" dev="tmpfs" ino=47904 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1522162491.994:1508): arch=c000003e syscall=267 success=no exit=-13 a0=ffffff9c a1=7fffa35189b0 a2=55b666af5af0 a3=63 items=1 ppid=1 pid=4830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1522162491.994:1508): cwd="/"
type=PATH msg=audit(1522162491.994:1508): item=0 name="/run/systemd/units/invocation:user" inode=47904 dev=00:16 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1522162491.994:1508): proctitle="/usr/lib/systemd/systemd-journald"
type=AVC msg=audit(1522162492.080:1509): avc:  denied  { read } for  pid=4830 comm="systemd-journal" name="invocation:session-2.scope" dev="tmpfs" ino=48094 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1522162492.080:1509): arch=c000003e syscall=267 success=no exit=-13 a0=ffffff9c a1=7fffa35189b0 a2=55b666b61170 a3=63 items=1 ppid=1 pid=4830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1522162492.080:1509): cwd="/"
type=PATH msg=audit(1522162492.080:1509): item=0 name="/run/systemd/units/invocation:session-2.scope" inode=48094 dev=00:16 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1522162492.080:1509): proctitle="/usr/lib/systemd/systemd-journald"

Comment 1 Alessio 2018-03-27 16:54:51 UTC

These are the last lines of dmesg

[  123.483390] kauditd_printk_skb: 4 callbacks suppressed
[  123.483391] audit: type=1130 audit(1522169249.248:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  123.483393] audit: type=1131 audit(1522169249.248:16): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  196.043250] audit: type=1130 audit(1522169321.807:17): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=systemd-cryptsetup@luks\x2d243baa82\x2d2971\x2d4b43\x2d9910\x2d3c132531774d comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  196.580935] audit: type=1130 audit(1522169322.345:18): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=dracut-initqueue comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  196.796955] audit: type=1130 audit(1522169322.561:19): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=systemd-fsck-root comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  196.843475] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
[  196.956721] audit: type=1130 audit(1522169322.721:20): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=initrd-parse-etc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  196.956817] audit: type=1131 audit(1522169322.721:21): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=initrd-parse-etc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.094971] audit: type=1130 audit(1522169322.859:22): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=dracut-pre-pivot comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.106417] audit: type=1130 audit(1522169322.871:23): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=initrd-cleanup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.106519] audit: type=1131 audit(1522169322.871:24): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=initrd-cleanup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.109249] audit: type=1131 audit(1522169322.874:25): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=dracut-pre-pivot comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.111564] audit: type=1130 audit(1522169322.876:26): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='unit=dracut-initqueue comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  197.212118] systemd-journald[188]: Received SIGTERM from PID 1 (systemd).
[  197.233781] systemd: 18 output lines suppressed due to ratelimiting
[  197.333904] SELinux: 32768 avtab hash slots, 112648 rules.
[  197.348646] SELinux: 32768 avtab hash slots, 112648 rules.
[  197.700046] SELinux:  8 users, 14 roles, 5102 types, 315 bools, 1 sens, 1024 cats
[  197.700048] SELinux:  129 classes, 112648 rules
[  197.705256] SELinux:  Class bpf not defined in policy.
[  197.705257] SELinux: the above unknown classes and permissions will be allowed
[  197.705264] SELinux:  policy capability network_peer_controls=1
[  197.705265] SELinux:  policy capability open_perms=1
[  197.705265] SELinux:  policy capability extended_socket_class=1
[  197.705266] SELinux:  policy capability always_check_network=0
[  197.705266] SELinux:  policy capability cgroup_seclabel=1
[  197.705267] SELinux:  policy capability nnp_nosuid_transition=1
[  197.705267] SELinux:  Completing initialization.
[  197.705268] SELinux:  Setting up existing superblocks.
[  197.715558] systemd[1]: Successfully loaded SELinux policy in 407.411ms.
[  198.030170] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:initrd-switch-root.service: Permission denied
[  198.031939] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:sysroot.mount: Permission denied
[  198.035198] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:systemd-fsck-root.service: Permission denied
[  198.038069] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:systemd-cryptsetup@luks\x2d243baa82\x2d2971\x2d4b43\x2d9910\x2d3c132531774d.service: Permission denied
[  198.041362] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:plymouth-start.service: Permission denied
[  198.043656] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:sys-kernel-config.mount: Permission denied
[  198.046532] systemd[1]: Unable to fix SELinux security context of /run/systemd/units/invocation:systemd-journald.service: Permission denied
[  198.050772] systemd[1]: Relabelled /dev, /run and /sys/fs/cgroup in 78.225ms.
[  198.053954] systemd[1]: systemd 238 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
[  198.053986] systemd[1]: Detected virtualization kvm.
[  198.053989] systemd[1]: Detected architecture x86-64.
[  198.057434] systemd[1]: Set hostname to <localhost.localdomain>.
[  198.249097] systemd[1]: /usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue 'Server' in section 'Socket'
[  198.294907] systemd[1]: Unnecessary job for dev-disk-by\x2duuid-243baa82\x2d2971\x2d4b43\x2d9910\x2d3c132531774d.device was removed.
[  198.300154] systemd[1]: Stopped Switch Root.
[  198.300411] systemd[1]: systemd-journald.service: Service has no hold-off time, scheduling restart.
[  198.300506] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1.
[  198.300524] systemd[1]: Stopped Journal Service.
[  198.392129] EXT4-fs (dm-1): re-mounted. Opts: (null)
[  198.452733] systemd-journald[4366]: Received request to flush runtime journal from PID 1
[  199.029112] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0x700, revision 0
[  199.370447] Adding 2097148k swap on /dev/mapper/fedora-swap.  Priority:-2 extents:1 across:2097148k FS
[  199.511919] snd_hda_codec_generic hdaudioC0D0: autoconfig for Generic: line_outs=1 (0x3/0x0/0x0/0x0/0x0) type:line
[  199.511921] snd_hda_codec_generic hdaudioC0D0:    speaker_outs=0 (0x0/0x0/0x0/0x0/0x0)
[  199.511922] snd_hda_codec_generic hdaudioC0D0:    hp_outs=0 (0x0/0x0/0x0/0x0/0x0)
[  199.511923] snd_hda_codec_generic hdaudioC0D0:    mono: mono_out=0x0
[  199.511924] snd_hda_codec_generic hdaudioC0D0:    inputs:
[  199.511925] snd_hda_codec_generic hdaudioC0D0:      Line=0x5
[  199.581722] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
[  199.832544] RPC: Registered named UNIX socket transport module.
[  199.832546] RPC: Registered udp transport module.
[  199.832546] RPC: Registered tcp transport module.
[  199.832546] RPC: Registered tcp NFSv4.1 backchannel transport module.
[  201.818799] IPv6: ADDRCONF(NETDEV_UP): enp0s3: link is not ready
[  202.151512] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[  205.784029] tun: Universal TUN/TAP device driver, 1.6
[  205.785681] virbr0: port 1(virbr0-nic) entered blocking state
[  205.785682] virbr0: port 1(virbr0-nic) entered disabled state
[  205.788077] device virbr0-nic entered promiscuous mode
[  206.161700] virbr0: port 1(virbr0-nic) entered blocking state
[  206.161702] virbr0: port 1(virbr0-nic) entered listening state
[  206.354964] virbr0: port 1(virbr0-nic) entered disabled state
[  207.806245] input: spice vdagent tablet as /devices/virtual/input/input5
[  218.189763] fuse init (API version 7.26)
[  221.238850] input: spice vdagent tablet as /devices/virtual/input/input6

Comment 2 Alessio 2018-03-27 16:56:07 UTC

Please note: the disk encryption was enabled during F26 installation. So there is an encrypted disk.

Comment 3 Alessio 2018-03-27 16:58:03 UTC

And this is journalctl -xf


Mar 27 18:57:13 localhost.localdomain setroubleshoot[6961]: SELinux is preventing /usr/lib/systemd/systemd-journald from read access on the lnk_file invocation:session-2.scope. For complete SELinux messages run: sealert -l f3dba62b-771d-4f2e-93d6-b54a4f8fad34
Mar 27 18:57:13 localhost.localdomain audit[4366]: AVC avc:  denied  { read } for  pid=4366 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=26971 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
Mar 27 18:57:13 localhost.localdomain audit[4366]: SYSCALL arch=c000003e syscall=267 success=no exit=-13 a0=ffffff9c a1=7ffde0f4ed40 a2=559c920d1b70 a3=63 items=1 ppid=1 pid=4366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
Mar 27 18:57:13 localhost.localdomain audit: CWD cwd="/"
Mar 27 18:57:13 localhost.localdomain audit: PATH item=0 name="/run/systemd/units/invocation:dbus.service" inode=26971 dev=00:16 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mar 27 18:57:13 localhost.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
Mar 27 18:57:13 localhost.localdomain python3[6961]: SELinux is preventing /usr/lib/systemd/systemd-journald from read access on the lnk_file invocation:session-2.scope.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If you believe that systemd-journald should be allowed read access on the invocation:session-2.scope lnk_file by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
                                                     # semodule -X 300 -i my-systemdjournal.pp
                                                     
Mar 27 18:57:13 localhost.localdomain gnome-shell[5993]: Object St.Widget (0x55bc945fcca0), has been already finalized. Impossible to get any property from it.
Mar 27 18:57:13 localhost.localdomain audit[4366]: AVC avc:  denied  { read } for  pid=4366 comm="systemd-journal" name="invocation:session-2.scope" dev="tmpfs" ino=46625 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
Mar 27 18:57:13 localhost.localdomain audit[4366]: SYSCALL arch=c000003e syscall=267 success=no exit=-13 a0=ffffff9c a1=7ffde0f4ed50 a2=559c920cfca0 a3=63 items=1 ppid=1 pid=4366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
Mar 27 18:57:13 localhost.localdomain audit: CWD cwd="/"
Mar 27 18:57:13 localhost.localdomain audit: PATH item=0 name="/run/systemd/units/invocation:session-2.scope" inode=46625 dev=00:16 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mar 27 18:57:13 localhost.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: == Stack trace for context 0x55bc8ec74240 ==
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #0 0x7ffd368881a0 I   resource:///org/gnome/shell/ui/tweener.js:73 (0x7ff3142c7cd0 @ 9)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #1 0x7ffd36888240 b   resource:///org/gnome/shell/ui/tweener.js:105 (0x7ff3142c7f78 @ 36)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #2 0x7ffd368882e0 b   resource:///org/gnome/shell/ui/tweener.js:92 (0x7ff3142c7de0 @ 52)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #3 0x7ffd368891e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:203 (0x7ff3142d2918 @ 54)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #4 0x7ffd36889330 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:332 (0x7ff3142d29a0 @ 1626)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #5 0x7ffd368893e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:345 (0x7ff3142d2a28 @ 100)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #6 0x7ffd36889470 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:360 (0x7ff3142d2ab0 @ 10)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #7 0x7ffd368894f0 I   resource:///org/gnome/gjs/modules/signals.js:126 (0x7ff3142cff78 @ 386)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #8 0x7ffd36889540 I   resource:///org/gnome/shell/ui/tweener.js:207 (0x7ff3142cf5e8 @ 159)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #9 0x7ffd368895b0 I   resource:///org/gnome/gjs/modules/_legacy.js:82 (0x7ff3142b4de0 @ 71)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #10 0x7ffd368895b0 I   resource:///org/gnome/shell/ui/tweener.js:182 (0x7ff3142cf560 @ 15)
Mar 27 18:57:13 localhost.localdomain gnome-shell[5993]: Object St.Widget (0x55bc945fcca0), has been already finalized. Impossible to set any property to it.
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: == Stack trace for context 0x55bc8ec74240 ==
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #0 0x7ffd368881a0 I   resource:///org/gnome/shell/ui/tweener.js:80 (0x7ff3142c7cd0 @ 82)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #1 0x7ffd36888240 b   resource:///org/gnome/shell/ui/tweener.js:105 (0x7ff3142c7f78 @ 36)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #2 0x7ffd368882e0 b   resource:///org/gnome/shell/ui/tweener.js:92 (0x7ff3142c7de0 @ 52)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #3 0x7ffd368891e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:203 (0x7ff3142d2918 @ 54)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #4 0x7ffd36889330 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:332 (0x7ff3142d29a0 @ 1626)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #5 0x7ffd368893e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:345 (0x7ff3142d2a28 @ 100)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #6 0x7ffd36889470 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:360 (0x7ff3142d2ab0 @ 10)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #7 0x7ffd368894f0 I   resource:///org/gnome/gjs/modules/signals.js:126 (0x7ff3142cff78 @ 386)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #8 0x7ffd36889540 I   resource:///org/gnome/shell/ui/tweener.js:207 (0x7ff3142cf5e8 @ 159)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #9 0x7ffd368895b0 I   resource:///org/gnome/gjs/modules/_legacy.js:82 (0x7ff3142b4de0 @ 71)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #10 0x7ffd368895b0 I   resource:///org/gnome/shell/ui/tweener.js:182 (0x7ff3142cf560 @ 15)
Mar 27 18:57:13 localhost.localdomain setroubleshoot[6961]: SELinux is preventing /usr/lib/systemd/systemd-journald from read access on the lnk_file /run/systemd/units/invocation:dbus.service. For complete SELinux messages run: sealert -l f3dba62b-771d-4f2e-93d6-b54a4f8fad34
Mar 27 18:57:13 localhost.localdomain python3[6961]: SELinux is preventing /usr/lib/systemd/systemd-journald from read access on the lnk_file /run/systemd/units/invocation:dbus.service.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If you believe that systemd-journald should be allowed read access on the invocation:dbus.service lnk_file by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
                                                     # semodule -X 300 -i my-systemdjournal.pp
                                                     
Mar 27 18:57:13 localhost.localdomain gnome-shell[5993]: Object St.Widget (0x55bc9462bc40), has been already finalized. Impossible to get any property from it.
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: == Stack trace for context 0x55bc8ec74240 ==
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #0 0x7ffd36888130 I   resource:///org/gnome/shell/ui/tweener.js:73 (0x7ff3142c7cd0 @ 9)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #1 0x7ffd368881d0 b   resource:///org/gnome/shell/ui/tweener.js:105 (0x7ff3142c7f78 @ 36)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #2 0x7ffd36888270 b   resource:///org/gnome/shell/ui/tweener.js:92 (0x7ff3142c7de0 @ 52)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #3 0x7ffd368891e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:203 (0x7ff3142d2918 @ 54)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #4 0x7ffd36889330 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:332 (0x7ff3142d29a0 @ 1626)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #5 0x7ffd368893e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:345 (0x7ff3142d2a28 @ 100)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #6 0x7ffd36889470 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:360 (0x7ff3142d2ab0 @ 10)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #7 0x7ffd368894f0 I   resource:///org/gnome/gjs/modules/signals.js:126 (0x7ff3142cff78 @ 386)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #8 0x7ffd36889540 I   resource:///org/gnome/shell/ui/tweener.js:207 (0x7ff3142cf5e8 @ 159)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #9 0x7ffd368895b0 I   resource:///org/gnome/gjs/modules/_legacy.js:82 (0x7ff3142b4de0 @ 71)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #10 0x7ffd368895b0 I   resource:///org/gnome/shell/ui/tweener.js:182 (0x7ff3142cf560 @ 15)
Mar 27 18:57:13 localhost.localdomain gnome-shell[5993]: Object St.Widget (0x55bc9462bc40), has been already finalized. Impossible to set any property to it.
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: == Stack trace for context 0x55bc8ec74240 ==
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #0 0x7ffd36888130 I   resource:///org/gnome/shell/ui/tweener.js:80 (0x7ff3142c7cd0 @ 82)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #1 0x7ffd368881d0 b   resource:///org/gnome/shell/ui/tweener.js:105 (0x7ff3142c7f78 @ 36)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #2 0x7ffd36888270 b   resource:///org/gnome/shell/ui/tweener.js:92 (0x7ff3142c7de0 @ 52)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #3 0x7ffd368891e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:203 (0x7ff3142d2918 @ 54)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #4 0x7ffd36889330 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:332 (0x7ff3142d29a0 @ 1626)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #5 0x7ffd368893e0 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:345 (0x7ff3142d2a28 @ 100)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #6 0x7ffd36889470 b   resource:///org/gnome/gjs/modules/tweener/tweener.js:360 (0x7ff3142d2ab0 @ 10)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #7 0x7ffd368894f0 I   resource:///org/gnome/gjs/modules/signals.js:126 (0x7ff3142cff78 @ 386)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #8 0x7ffd36889540 I   resource:///org/gnome/shell/ui/tweener.js:207 (0x7ff3142cf5e8 @ 159)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #9 0x7ffd368895b0 I   resource:///org/gnome/gjs/modules/_legacy.js:82 (0x7ff3142b4de0 @ 71)
Mar 27 18:57:13 localhost.localdomain org.gnome.Shell.desktop[5993]: #10 0x7ffd368895b0 I   resource:///org/gnome/shell/ui/tweener.js:182 (0x7ff3142cf560 @ 15)

Comment 4 Lukas Vrabec 2018-03-27 17:23:29 UTC

Hi, 

At first, please update selinux-policy package to latest one. Then do: 

# fixfiles onboot
# reboot 

This should fix it. 

Lukas.

Comment 5 Adam Williamson 2018-03-28 19:35:14 UTC

Lukas: are you suggesting that Alessio ran into something like https://bugzilla.redhat.com/show_bug.cgi?id=1559174 here, or what?

Alessio, can you tell from logs which selinux-policy package you got in the upgrade?

Thanks!

Comment 6 Alessio 2018-03-28 19:49:44 UTC

(In reply to Adam Williamson from comment #5)
> Alessio, can you tell from logs which selinux-policy package you got in the
> upgrade?

selinux-policy-3.14.1-14.fc28.noarch

Just to add some info:
F26 -> F28 on unecrypted disk, no issues
F27 -> F28 encrypted disk, no issues
F26 -> F28 encrypted disk, here I hit this problem

Comment 7 Adam Williamson 2018-03-28 20:14:07 UTC

The latest stable is 3.14.1-18.fc28; can you possibly re-run the test while ensuring that gets pulled in? Just doing it with updated repos should cause that, if not, you may have to add it to a side repo or something. If you can reproduce with that latest selinux-policy, we should re-open the bug. Thanks!

Comment 8 Alessio 2018-03-28 23:20:08 UTC

(In reply to Adam Williamson from comment #7)
> The latest stable is 3.14.1-18.fc28; can you possibly re-run the test while
> ensuring that gets pulled in? Just doing it with updated repos should cause
> that, if not, you may have to add it to a side repo or something. If you can
> reproduce with that latest selinux-policy, we should re-open the bug. Thanks!

Yeah, the test has succeeded by configuring and using a local side repos containing the selinux-policy-3.14.1-14 RPM (sudo dnf system-upgrade download --refresh --releasever=28 --enablerepo local-repo).
So no need to re-open the bug.

Thank you very much.

Comment 9 Alessio 2018-03-28 23:21:27 UTC

Sorry, I mean selinux-policy-3.14.1-18

Comment 10 Adam Williamson 2018-03-28 23:45:08 UTC

OK, great, thanks for confirming.