Bug 1210045 - AVC Denials after i386 Workstation netinst
Summary: AVC Denials after i386 Workstation netinst
Keywords:
Status: CLOSED DUPLICATE of bug 1190377
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F22FinalBlocker
Reported: 2015-04-08 18:48 UTC by Mike Ruckman
Modified: 2015-04-27 09:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-27 09:37:35 UTC
Type: Bug



Description Mike Ruckman 2015-04-08 18:48:18 UTC
Description of problem:
Fresh installation of i386 Workstation from netinst results in 5 SELinux denials on first login.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-119.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. Boot workstation netinst
2. Use all defaults, don't create a user
3. Install
4. Go through g-i-s
5. Log in with user from step 4
6. See notifications for avc denials

Actual results:
avc denials

Expected results:
no avc denials

Additional info:
Also proposing as a Final Blocker per the following criterion: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.

Comment 1 Mike Ruckman 2015-04-08 18:54:42 UTC
The denials are for:
 - useradd
 - gdm-session-worker
 - polkitd
 - colord
 - cupsd

All for "read" under "Attempted Access."

Comment 2 Lukas Vrabec 2015-04-09 14:43:18 UTC
Do you have these AVCs?
Personally, I think these domains are trying to read /etc/localtime.
Could you confirm this?

Thank you.

Comment 3 Adam Williamson 2015-04-20 18:38:39 UTC
FWIW I didn't see this on an x86_64 Workstation network install today which got selinux-policy -122.

Comment 4 Petr Schindler 2015-04-20 18:49:25 UTC
Discussed at today's blocker review meeting [1].

It was decided to delay the decision - adamw couldn't reproduce this today and the report is short on detail, let's give roshi a chance to provide more info.

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-04-20/

Comment 5 Mike Ruckman 2015-04-23 22:49:54 UTC
Here are the selinux logs.
 -> http://paste.fedoraproject.org/214975/42982639/

Lukas, looks like you're correct.

I've only seen this on i386 and only when g-i-s is used to create the user. If you create the user in anaconda there are no denials. -122 was installed.

Sorry it took me so long to respond :(
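
One way to check the /etc/localtime theory from Comment 2 against audit records, as an added example that is not part of the original thread or of the selinux-policy project: it groups AVC denials by target and permission and reports any denial the theory does not explain. The log lines are constructed in the kernel's AVC record format; the SELinux types, the `lnk_file` class and the extra `example-daemon` denial are assumptions, not data from this bug.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel's AVC audit record format. Timestamps, pids,
# inodes and SELinux types are placeholders, not values from this bug's logs.
# The kernel truncates comm to 15 characters, hence "gdm-session-wor".
_AVC = ('type=AVC msg=audit(1000000000.000:{n}): avc:  denied  {{ {perm} }} for  '
        'pid={n} comm="{comm}" name="{name}" dev="dm-0" ino={n} '
        'scontext=system_u:system_r:example_source_t:s0 '
        'tcontext=system_u:object_r:example_target_t:s0 tclass={tclass} permissive=0')
SAMPLE_AUDIT_LOG = "\n".join(
    [_AVC.format(n=100 + i, perm="read", comm=c, name="localtime", tclass="lnk_file")
     for i, c in enumerate(["useradd", "gdm-session-wor", "polkitd", "colord", "cupsd"])]
    + [_AVC.format(n=200, perm="open", comm="example-daemon", name="example.conf", tclass="file"),
       "type=SYSCALL msg=audit(1000000000.000:200): arch=40000003 syscall=5 success=no"])

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Map (target name, tclass, permission) to the set of denied process names."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = rec.get("name") or rec.get("path") or "?"
        for perm in rec["perms"]:
            groups[(target, rec.get("tclass", "?"), perm)].add(rec.get("comm", "?"))
    return dict(groups)

def unexplained(log_text, name="localtime", perm="read"):
    """Denials that a 'read on <name>' hypothesis does not account for."""
    return {k: v for k, v in summarize(log_text).items() if (k[0], k[2]) != (name, perm)}

if __name__ == "__main__":
    for key, comms in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(key, sorted(comms))
    print("not explained by the localtime theory:", unexplained(SAMPLE_AUDIT_LOG))
```

On a real system the input would be the text of the audit log or of `ausearch -m avc` output; an empty result from `unexplained` means every denial in that input fits the theory.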

Comment 6 Lukas Vrabec 2015-04-27 09:37:35 UTC

*** This bug has been marked as a duplicate of bug 1190377 ***

