Bug 2402492

Summary: SELinux AVC denial on I3 Live might prevent liveinst from starting through the menu.
Product: [Fedora] Fedora
Reporter: Lukas Ruzicka <lruzicka>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 43
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Last Closed: 2025-10-08 12:52:12 UTC

Description Lukas Ruzicka 2025-10-08 11:58:21 UTC
The I3 installation has been failing for some time in openQA, see https://openqa.fedoraproject.org/tests/3843926. 
I downloaded the affected iso, 20251006.n.0, and tried manually. The installer does not start when invoked through the menu, and when tried from the terminal, it starts but shows the following AVC denial.


*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that systemd should be allowed open access on the webui-cockpit-ws.env file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context               system_u:system_r:init_t:s0
Target Context               unconfined_u:object_r:user_tmp_t:s0
Target Objects               /tmp/webui-cockpit-ws.env [ file ]
Source                       systemd
Source Path                  systemd
Port                         <Unknown>
Host                         localhost-live
Source RPM Packages
Target RPM Packages
SELinux Policy RPM           selinux-policy-targeted-42.8-1.fc43.noarch
Local Policy RPM             selinux-policy-targeted-42.8-1.fc43.noarch
Selinux Enabled              True
Policy Type                  targeted
Enforcing Mode               Permissive
Host Name                    localhost-live
Platform                     Linux localhost-live 6.17.0-63.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Sep 29 15:19:54 UTC 2025
                              x86_64
Alert Count                  1
First Seen                   2025-10-08 10:16:12 UTC
Last Seen                    2025-10-08 10:16:12 UTC
Local ID                     51f70a48-5c22-45df-a544-7537856d7ed2

Raw Audit Messages
type=AVC msg=audit(1759918572.768:154): avc:  denied  { open } for  pid=1 comm="systemd" path="/tmp/webui-cockpit-ws.env" dev="tmpfs" ino=53 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1


Reproducible: Always

Steps to Reproduce:
1. Boot the i3 Live image.
2. Press Esc to cancel custom config.
3. Press Alt-Enter to start terminal.
4. Type `liveinst` to start installer.
5. See the AVC denial.

Actual Results:
Denials shown after clean installation.

Expected Results:
No denials should be seen.

Comment 1 Zdenek Pytela 2025-10-08 12:52:12 UTC
Already reported (by you) and resolved.

*** This bug has been marked as a duplicate of bug 2394561 ***