Bug 1797414

Summary: can't login due to AVC denied { sys_nice } for pid=964 comm="accounts-daemon"
Product: [Fedora] Fedora
Reporter: Chris Murphy <bugzilla>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: awilliam, bugzilla, dwalsh, grepl.miroslav, lvrabec, plautrba, robatino, vmojzis, zpytela
Last Closed: 2020-02-04 09:38:44 UTC
Type: Bug
Attachments: journal (flags: none)

Description Chris Murphy 2020-02-03 04:34:59 UTC
Description of problem:

I can't figure out the exact sequence, if the accounts-daemon trap is caused by the boltd crash, bug 1797412, or the AVC on accounts-daemon.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-21.fc32.noarch

How reproducible:
Always

Steps to Reproduce:
1. Boot
2.
3.

Actual results:

[   11.341461] fmac.local kernel: traps: accounts-daemon[882] trap int3 ip:7f01418e6e05 sp:7f01339edb40 error:0 in libglib-2.0.so.0.6304.0[7f01418ab000+84000]

...

[   12.239701] fmac.local audit[964]: AVC avc:  denied  { sys_nice } for  pid=964 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
[   12.239828] fmac.local audit[964]: AVC avc:  denied  { setsched } for  pid=964 comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0


...

[   12.737928] fmac.local systemd-coredump[975]: Process 964 (accounts-daemon) of user 0 dumped core.

...
[   37.246372] fmac.local gdm[905]: Failed to contact accountsservice: Error calling StartServiceByName for org.freedesktop.Accounts: Timeout was reached


Expected results:

accountsservice shouldn't crash, or I can't login.


Additional info:

This is happening on an installed system. I don't know that it affects clean installs yet, but if it does, it's a beta blocker:

A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention, and all virtual consoles intended to provide a working login prompt must do so.
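
Added example (not part of the original report, and not Fedora or SELinux project tooling): a small triage script that parses the journal lines quoted above and lists, per crashing PID, the enforced AVC denials logged for that PID before its trap or core dump. The function names `parse_events` and `denials_before_crash` are hypothetical, and the input is limited to the four lines copied from this report.

```python
import re

# Journal lines copied from the report above; the "..." elisions are left out.
JOURNAL = '''\
[   11.341461] fmac.local kernel: traps: accounts-daemon[882] trap int3 ip:7f01418e6e05 sp:7f01339edb40 error:0 in libglib-2.0.so.0.6304.0[7f01418ab000+84000]
[   12.239701] fmac.local audit[964]: AVC avc:  denied  { sys_nice } for  pid=964 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
[   12.239828] fmac.local audit[964]: AVC avc:  denied  { setsched } for  pid=964 comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
[   12.737928] fmac.local systemd-coredump[975]: Process 964 (accounts-daemon) of user 0 dumped core.
'''

LINE = re.compile(r'^\[\s*(?P<ts>\d+\.\d+)\]\s+\S+\s+(?P<msg>.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TRAP = re.compile(r'traps: (?P<comm>\S+)\[(?P<pid>\d+)\] trap ')
CORE = re.compile(r'Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user \d+ dumped core')

def parse_events(text):
    """Return AVC denials, kernel traps and core dumps as dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines without a "[ seconds ] host" prefix
        ts, msg = float(m['ts']), m['msg']
        if (a := AVC.search(msg)):
            kv = {k: v.strip('"') for k, v in KV.findall(a['kv'])}
            events.append({'ts': ts, 'kind': 'avc', 'pid': int(kv['pid']),
                           'comm': kv['comm'], 'perms': a['perms'].split(),
                           'tclass': kv['tclass'], 'stype': kv['scontext'].split(':')[2],
                           'enforced': kv.get('permissive') == '0'})
        elif (c := TRAP.search(msg) or CORE.search(msg)):
            kind = 'trap' if 'traps:' in msg else 'coredump'
            events.append({'ts': ts, 'kind': kind, 'pid': int(c['pid']), 'comm': c['comm']})
    return sorted(events, key=lambda e: e['ts'])

def denials_before_crash(events):
    """Map each crashing pid to the (tclass, permission) pairs denied to it beforehand."""
    result = {}
    for crash in (e for e in events if e['kind'] != 'avc'):
        result[crash['pid']] = [
            (d['tclass'], p) for d in events
            if d['kind'] == 'avc' and d['enforced']
            and d['pid'] == crash['pid'] and d['ts'] <= crash['ts']
            for p in d['perms']]
    return result

if __name__ == '__main__':
    for pid, denied in denials_before_crash(parse_events(JOURNAL)).items():
        print(pid, denied or 'no enforced denial logged before the crash')
```

Within this excerpt, PID 882's int3 trap has no logged denial ahead of it, while PID 964 has both the `sys_nice` and `setsched` denials logged before its core dump.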

Comment 1 Chris Murphy 2020-02-03 04:36:32 UTC
Created attachment 1657249
journal

Comment 2 Chris Murphy 2020-02-03 04:52:16 UTC
This is what I'm seeing:
https://openqa.fedoraproject.org/tests/516083#step/_boot_to_anaconda/11

So I'm willing to bet this bug, or bug 179411 or bug 179412, or all three, are the cause of all these traps and thus startup failure.

Problem doesn't happen with enforcing=0

Comment 3 Fedora Blocker Bugs Application 2020-02-03 04:55:35 UTC
Proposed as a Blocker for 32-beta by Fedora user chrismurphy using the blocker tracking app because:

Workstation (not sure if KDE is affected)
No part of any release-blocking desktop's panel (or equivalent) configuration may crash on startup or be entirely non-functional.

Server:
A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention, and all virtual consoles intended to provide a working login prompt must do so.

Comment 4 Chris Murphy 2020-02-03 15:51:57 UTC
This might be a dup of bug 1795524.

Comment 5 Lukas Vrabec 2020-02-04 09:38:44 UTC

*** This bug has been marked as a duplicate of bug 1795524 ***

Comment 6 Adam Williamson 2020-02-06 21:44:30 UTC
Dropping proposed blocker status, since we've decided it's a dupe.