Description of problem:
Fresh installation of i386 Workstation from netinst results in 5 selinux denials on first login.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-119.fc22.noarch
How reproducible:
Always
Steps to Reproduce:
1. Boot workstation netinst
2. Use all defaults, don't create a user
3. Install
4. Go through g-i-s
5. Log in with user from step 4
6. See notifications for avc denials
Actual results:
avc denials
Expected results:
no avc denials
Additional info:
Also proposing as a Final Blocker per the following criterion: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.
The denials are for:
- useradd
- gdm-session-worker
- polkitd
- colord
- cupsd
All for "read" under "Attempted Access."
Do you have these AVCs? Personally, I think these domains are trying to read /etc/localtime. Could you confirm this? Thank you.
FWIW I didn't see this on an x86_64 Workstation network install today which got selinux-policy -122.
Discussed at today's blocker review meeting [1]. It was decided to delay the decision - adamw couldn't reproduce this today and the report is short on detail, let's give roshi a chance to provide more info.
[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-04-20/
Here are the selinux logs. -> http://paste.fedoraproject.org/214975/42982639/ Lukas, looks like you're correct. I've only seen this on i386 and only when g-i-s is used to create the user. If you create the user in anaconda there are no denials. -122 was installed. Sorry it took me so long to respond :(
*** This bug has been marked as a duplicate of bug 1190377 ***