I built a live image with selinux-policy-3.12.1-98.fc20 (because I was having troubles with the current 'stable' one, so I figured I'd just try the newest thing). Unless I boot with enforcing=0, I cannot log in to the system, from a VT or a graphical DM. If I boot with enforcing=0, I can log in just fine. If I boot with enforcing=0 and check for AVCs in /var/log/audit/audit.log, I get:
    type=AVC msg=audit(1383786700.878:55): avc: denied { transition } for pid=899 comm="sddm-auth" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=173445 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
    type=AVC msg=audit(1383786879.426:475): avc: denied { transition } for pid=1793 comm="login" path="/usr/bin/bash" dev="dm-0" ino=136570 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
If this selinux-policy went stable, this would be a release blocker, so please don't submit it.
This is strange. I have been trying to reproduce it but I don't see this issue with the latest policy. And does it work with an older policy?
-90 is fine. It may be an issue only on live images, I suppose?
It looks like something went wrong. If you re-install the policy on the live image, does it blow up?
I've blown the live away, now. Could be that the selinux-policy on the live builder has to be newer too, I suppose? I can play with it some more later, I guess.
Sorry for the delay on this one: turns out it's just a mismatch between builder and guest. If the builder has a new enough selinux-policy (same as the one you're putting into the guest) it works fine. My bad. Tested with -104: if I built an image with -104 on a host with -90 it fails as described, but if I update the builder to -104 and try again, the live image works fine.