Bug 1735481

Summary: selinux AVC denied create for modprobe and d-logind, results in startup hang before gdm/shell
Product: [Fedora] Fedora
Reporter: Chris Murphy <bugzilla>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: bugzilla, dwalsh, lnykryn, lvrabec, mgrepl, msekleta, plautrba, robatino, ssahani, s, systemd-maint, zbyszek, zpytela
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2019-08-01 06:06:21 UTC
Type: Bug
Bug Blocks: 1644937    
Attachments:
Description Flags
journal none

Description Chris Murphy 2019-07-31 22:47:13 UTC
Description of problem:

Failure during startup of Fedora-Workstation-Live-x86_64-Rawhide-20190731.n.0.iso

Version-Release number of selected component (if applicable):
systemd-243~rc1-1.fc31.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Boot

Actual results:

Multiple "Failed to start Login Service" messages, followed by a hang while still in text startup; "Started GNOME Display Manager" appears but no gdm.

Via early debug shell I see this:

[   20.508996] localhost-live systemd[1]: systemd-logind.service: Start request repeated too quickly.
[   20.509133] localhost-live systemd[1]: systemd-logind.service: Failed with result 'exit-code'.

Expected results:

Should get to gdm.

Additional info:

Comment 1 Chris Murphy 2019-07-31 22:47:49 UTC
Created attachment 1596824
journal

Comment 2 Chris Murphy 2019-07-31 22:49:47 UTC
Succeeds with enforcing=0

[   17.511743] localhost audit[1231]: AVC avc:  denied  { create } for  pid=1231 comm="(modprobe)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
[   17.511882] localhost systemd[1231]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
[   17.512664] localhost systemd[1231]: systemd-logind.service: Failed at step (null) spawning /sbin/modprobe: Permission denied
[   17.518924] localhost polkitd[1229]: Started polkitd version 0.116
[   17.524663] localhost audit[1232]: AVC avc:  denied  { create } for  pid=1232 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0

Comment 3 Chris Murphy 2019-07-31 22:56:36 UTC
selinux-policy-3.14.4-26.fc31.noarch

Comment 4 Fedora Blocker Bugs Application 2019-08-01 01:53:04 UTC
Proposed as a Blocker for 31-beta by Fedora user chrismurphy using the blocker tracking app because:

 https://fedoraproject.org/wiki/Basic_Release_Criteria#Initialization_requirements

"All release-blocking images must boot in their supported configurations." Strictly speaking it does boot, it just doesn't finish startup and arrive at the desktop.

"Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop." That's definitely not happening.

"The installer must run when launched normally from the release-blocking images." This is also violated. 

I'm not seeing an exception for intervening with enforcing=0 and also it doesn't seem like a good idea to ship a beta with a common bug that tells everyone they have to boot with enforcing=0 so I'm gonna go with this is a blocker.

Comment 5 Zbigniew Jędrzejewski-Szmek 2019-08-01 06:06:21 UTC

*** This bug has been marked as a duplicate of bug 1734831 ***