Bug 1107796 - initial-setup-graphical fails to run when selinux enforcing
Summary: initial-setup-graphical fails to run when selinux enforcing
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: arm
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ARMTracker F21AlphaBlocker
Reported: 2014-06-10 15:59 UTC by Paul Whalen
Modified: 2014-06-17 20:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-17 20:09:03 UTC



Description Paul Whalen 2014-06-10 15:59:00 UTC
Description of problem:
When SELinux is enforcing, initial-setup-graphical fails to run.

Version-Release number of selected component (if applicable):
initial-setup-0.3.21-2.fc21.armv7hl

How reproducible:
Every time.

Steps to Reproduce:
1. Boot ARM graphical image

Actual results:
Boots to log in screen

Expected results:
Initial-setup-graphical

Additional info:
systemctl status initial-setup-graphical -l
● initial-setup-graphical.service - Initial Setup configuration program
   Loaded: loaded (/usr/lib/systemd/system/initial-setup-graphical.service; enabled)
   Active: failed (Result: exit-code) since Sat 2000-01-01 16:29:45 EST; 14 years 5 months ago
  Process: 435 ExecStart=/bin/xinit /bin/firstboot-windowmanager /bin/initial-setup -- /bin/Xorg :9 -ac -nolisten tcp (code=exited, status=1/FAILURE)
  Process: 394 ExecStartPre=/bin/plymouth quit (code=exited, status=0/SUCCESS)
 Main PID: 435 (code=exited, status=1/FAILURE)

Jan 01 16:29:31 localhost xinit[435]: (EE)
Jan 01 16:29:31 localhost xinit[435]: Please consult the Fedora Project support
Jan 01 16:29:31 localhost xinit[435]: at http://wiki.x.org
Jan 01 16:29:31 localhost xinit[435]: for help.
Jan 01 16:29:31 localhost xinit[435]: (EE) Please also check the log file at "/var/log/Xorg.9.log" for additional information.
Jan 01 16:29:31 localhost xinit[435]: (EE)
Jan 01 16:29:31 localhost xinit[435]: (EE) Server terminated with error (1). Closing log file.
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: giving up
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: unable to connect to X server: Connection refused
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: server error
Jan 01 16:29:45 localhost systemd[1]: initial-setup-graphical.service: main process exited, code=exited, status=1/FAILURE
Jan 01 16:29:45 localhost systemd[1]: Failed to start Initial Setup configuration program.
Jan 01 16:29:45 localhost systemd[1]: Unit initial-setup-graphical.service entered failed state.

When SELinux is permissive, initial-setup-graphical runs as expected.

Comment 1 Adam Williamson 2014-06-10 16:10:48 UTC
Can you find an AVC anywhere? Does the X log provide any useful information?

Comment 2 Adam Williamson 2014-06-13 21:19:56 UTC
I built an x86_64 Xfce live image with today's anaconda and python-blivet (so it'd be possible to run an install). initial-setup-graphical runs on reboot, but the system seems frozen at that point - can't interact with i-s-g or do a ctrl-alt-f2. Odd, but probably not the same bug. This one may be ARM-specific.

Comment 3 Paul Whalen 2014-06-17 14:19:48 UTC
Hi Adam, 

AVC:

type=AVC msg=audit(1403013537.525:407): avc:  denied  { connectto } for  pid=712 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1403013537.525:407): arch=40000028 syscall=283 per=800000 success=no exit=-13 a0=23 a1=be83e69c a2=1d a3=ffffffff items=0 ppid=1 pid=712 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)


*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon should be allowed connectto access on the stdout unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Jun 17 10:05:32 localhost setroubleshoot: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout. For complete SELinux messages. run sealert -l 2baf4b71-f642-4443-a723-beb668f1d141
Jun 17 10:05:32 localhost python: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout.

Moving to selinux-policy.
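
Added example, not part of the original comment or of any Fedora tool: a small Python parser that pairs the AVC and SYSCALL records quoted above by their shared audit event ID and derives the type-enforcement rule the denial corresponds to. The function names are hypothetical; the sample input is the two records copied from this report.

```python
import errno
import re

# The two audit records quoted in comment 3 (same event: 1403013537.525:407).
SAMPLE = '''type=AVC msg=audit(1403013537.525:407): avc:  denied  { connectto } for  pid=712 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1403013537.525:407): arch=40000028 syscall=283 per=800000 success=no exit=-13 a0=23 a1=be83e69c a2=1d a3=ffffffff items=0 ppid=1 pid=712 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')


def parse_events(text):
    """Group records by (timestamp, serial); records of one event share that ID."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. setroubleshoot text)
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            if p:
                fields["result"] = p.group(1)
                fields["perms"] = p.group(2).split()
        events.setdefault((ts, int(serial)), {})[rtype] = fields
    return events


def summarize(event):
    """Reduce one denied event to the rule it maps to plus syscall context."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    stype = avc["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    code = -int(sc.get("exit", "0"))        # exit=-13 -> errno 13
    return {
        "rule": f"allow {stype} {ttype}:{avc['tclass']} {perm};",
        "exe": sc.get("exe"),
        "errno": errno.errorcode.get(code),
        "path": avc.get("path"),
    }


def denials(text):
    """Summaries for every event whose AVC record was a denial."""
    return [summarize(e) for e in parse_events(text).values()
            if e.get("AVC", {}).get("result") == "denied"]
```

For the records in this report, `denials(SAMPLE)` yields one entry whose rule names `system_dbusd_t` as source and `kernel_t` as target for `connectto` on a `unix_stream_socket`, with the syscall failing with `EACCES`.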

Comment 4 Daniel Walsh 2014-06-17 20:09:03 UTC
Should be fixed in selinux-policy-3.13.1-59.fc21

