Bug 1801087

Summary: colord fails to start due to selinux
Product: [Fedora] Fedora Reporter: Daniel Mach <dmach>
Component: colordAssignee: Richard Hughes <rhughes>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 32CC: bugzilla, fzatlouk, gnome-sig, lruzicka, mcatanza, rhughes, robatino, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-06 18:54:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1705305    

Description Daniel Mach 2020-02-10 08:47:52 UTC 
Description of problem:
colord fails to start due to selinux


Version-Release number of selected component (if applicable):
colord-1.4.4-4.fc32.x86_64
colord-libs-1.4.4-4.fc32.x86_64
colord-gtk-0.2.0-3.fc32.x86_64
colord-kde-0.5.0-11.fc32.x86_64
selinux-policy-3.14.5-24.fc32.noarch
selinux-policy-targeted-3.14.5-24.fc32.noarch


How reproducible:


Steps to Reproduce:
1. systemctl start colord
2. systemctl status colord

Actual results:
● colord.service - Manage, Install and Generate Color Profiles
     Loaded: loaded (/usr/lib/systemd/system/colord.service; static; vendor preset: disabled)
     Active: failed (Result: signal) since Mon 2020-02-10 09:42:42 CET; 6s ago
    Process: 3745 ExecStart=/usr/libexec/colord (code=killed, signal=TRAP)
   Main PID: 3745 (code=killed, signal=TRAP)

Feb 10 09:42:42 nb systemd[1]: Starting Manage, Install and Generate Color Profiles...
Feb 10 09:42:42 nb colord[3745]: Failed to set scheduler settings: Permission denied
Feb 10 09:42:42 nb systemd[1]: colord.service: Main process exited, code=killed, status=5/TRAP
Feb 10 09:42:42 nb systemd[1]: colord.service: Failed with result 'signal'.
Feb 10 09:42:42 nb systemd[1]: Failed to start Manage, Install and Generate Color Profiles.


Expected results:
● colord.service - Manage, Install and Generate Color Profiles
     Loaded: loaded (/usr/lib/systemd/system/colord.service; static; vendor preset: disabled)
     Active: active (running) since Mon 2020-02-10 09:43:34 CET; 2s ago
   Main PID: 3778 (colord)
      Tasks: 4 (limit: 18993)
     Memory: 3.1M
     CGroup: /system.slice/colord.service
             └─3778 /usr/libexec/colord

Feb 10 09:43:34 nb systemd[1]: Starting Manage, Install and Generate Color Profiles...
Feb 10 09:43:34 nb systemd[1]: Started Manage, Install and Generate Color Profiles.


Additional info:
Running `setenforce 0` fixes the problem.
Relabeling the file system did not help.
Comment 1 Fedora Blocker Bugs Application 2020-02-10 16:21:06 UTC 
Proposed as a Blocker and Freeze Exception for 32-final by Fedora user lruzicka using the blocker tracking app because:

 There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.
Comment 2 František Zatloukal 2020-02-10 18:12:54 UTC 
Discussed during the 2020-02-10 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made:

"All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2020-02-10/f32-blocker-review.2020-02-10-17.01.log.txt
Comment 3 Ben Cotton 2020-02-11 16:32:25 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.
Comment 4 Chris Murphy 2020-03-01 09:17:57 UTC 
[   14.983762] fmac.local audit[1442]: AVC avc:  denied  { setsched } for  pid=1442 comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1

selinux-policy-3.14.5-28.fc32.noarch

Is this related to bug 1795524? This is also selinux setsched related according to the AVC denial.
Comment 5 Zdenek Pytela 2020-03-02 08:31:32 UTC 
Chris,

it looks so.
Comment 6 Chris Murphy 2020-03-03 19:54:06 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c84

selinux will continue to deny setsched, so a fix is still needed in colord. Other daemons are affected, but I'm not sure whether there's a generic solution possible.
Comment 7 Michael Catanzaro 2020-03-06 18:54:12 UTC 
We're not going to change GThreadPool to stop trying to use setsched, but GThreadPool has been fixed to at least not abort.

Nothing about this issue is unique to colord, other than that SELinux seems to be allowing some apps to use setsched but not others.

*** This bug has been marked as a duplicate of bug 1795524 ***
Comment 8 Michael Catanzaro 2020-03-06 19:00:16 UTC 
BTW the abort on failure to call setsched() should be fixed since GLib 2.63.4, which should have hit F32 quite a while ago. If colord is still failing to launch nowadays, then you can reopen this issue (as if so, there must be multiple bugs involved).