Description of problem: When Selinux is enforcing, initial-setup-graphical fails to run. Version-Release number of selected component (if applicable): initial-setup-0.3.21-2.fc21.armv7hl How reproducible: everytime. Steps to Reproduce: 1. Boot ARM graphical image Actual results: Boots to log in screen Expected results: Initial-setup-graphical Additional info: systemctl status initial-setup-graphical -l ��● initial-setup-graphical.service - Initial Setup configuration program Loaded: loaded (/usr/lib/systemd/system/initial-setup-graphical.service; enabled) Active: failed (Result: exit-code) since Sat 2000-01-01 16:29:45 EST; 14 years 5 months ago Process: 435 ExecStart=/bin/xinit /bin/firstboot-windowmanager /bin/initial-setup -- /bin/Xorg :9 -ac -nolisten tcp (code=exited, status=1/FAILURE) Process: 394 ExecStartPre=/bin/plymouth quit (code=exited, status=0/SUCCESS) Main PID: 435 (code=exited, status=1/FAILURE) Jan 01 16:29:31 localhost xinit[435]: (EE) Jan 01 16:29:31 localhost xinit[435]: Please consult the Fedora Project support Jan 01 16:29:31 localhost xinit[435]: at http://wiki.x.org Jan 01 16:29:31 localhost xinit[435]: for help. Jan 01 16:29:31 localhost xinit[435]: (EE) Please also check the log file at "/var/log/Xorg.9.log" for additional information. Jan 01 16:29:31 localhost xinit[435]: (EE) Jan 01 16:29:31 localhost xinit[435]: (EE) Server terminated with error (1). Closing log file. Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: giving up Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: unable to connect to X server: Connection refused Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: server error Jan 01 16:29:45 localhost systemd[1]: initial-setup-graphical.service: main process exited, code=exited, status=1/FAILURE Jan 01 16:29:45 localhost systemd[1]: Failed to start Initial Setup configuration program. Jan 01 16:29:45 localhost systemd[1]: Unit initial-setup-graphical.service entered failed state. When SE Linux is permissive, initial-setup-graphical runs as expected.
can you find an AVC anywhere? does the X log provide any useful information?
I built an x86_64 Xfce live image with today's anaconda and python-blivet (so it'd be possible to run an install). initial-setup-graphical runs on reboot, but the system seems frozen at that point - can't interact with i-s-g or do a ctrl-alt-f2. odd, but probably not the same bug. this one may be ARM-specific.
Hi Adam, AVC: type=AVC msg=audit(1403013537.525:407): avc: denied { connectto } for pid=712 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1403013537.525:407): arch=40000028 syscall=283 per=800000 success=no exit=-13 a0=23 a1=be83e69c a2=1d a3=ffffffff items=0 ppid=1 pid=712 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dbus-daemon should be allowed connectto access on the stdout unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Jun 17 10:05:32 localhost setroubleshoot: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout. For complete SELinux messages. run sealert -l 2baf4b71-f642-4443-a723-beb668f1d141 Jun 17 10:05:32 localhost python: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout. Moving to selinux-policy.
Should be fixed in selinux-policy-3.13.1-59.fc21