Bug 1735481
Summary: | selinux AVC denied create for modprobe and d-logind, results in startup hang before gdm/shell | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Chris Murphy <bugzilla> | ||||
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | rawhide | CC: | bugzilla, dwalsh, lnykryn, lvrabec, mgrepl, msekleta, plautrba, robatino, ssahani, s, systemd-maint, zbyszek, zpytela | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2019-08-01 06:06:21 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1644937 | ||||||
Attachments: |
|
Description
Chris Murphy
2019-07-31 22:47:13 UTC
Created attachment 1596824 [details]
journal
Succeeds with enforcing=0 [ 17.511743] localhost audit[1231]: AVC avc: denied { create } for pid=1231 comm="(modprobe)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0 [ 17.511882] localhost systemd[1231]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied [ 17.512664] localhost systemd[1231]: systemd-logind.service: Failed at step (null) spawning /sbin/modprobe: Permission denied [ 17.518924] localhost polkitd[1229]: Started polkitd version 0.116 [ 17.524663] localhost audit[1232]: AVC avc: denied { create } for pid=1232 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0 selinux-policy-3.14.4-26.fc31.noarch Proposed as a Blocker for 31-beta by Fedora user chrismurphy using the blocker tracking app because: https://fedoraproject.org/wiki/Basic_Release_Criteria#Initialization_requirements "All release-blocking images must boot in their supported configurations." Strictly speaking it does boot, it just doesn't finish startup and arrive at the desktop. "Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop." That's definitely not happening. "The installer must run when launched normally from the release-blocking images." This is also violated. I'm not seeing an exception for intervening with enforcing=0 and also it doesn't seem like a good idea to ship a beta with a common bug that tells everyone they have to boot with enforcing=0 so I'm gonna go with this is a blocker. *** This bug has been marked as a duplicate of bug 1734831 *** |