Description of problem: After a machine is installed using a non-live custom spin, whether using a graphical login manager or the virtual console, I get kicked back out after entering valid root or user credentials. In the virtual terminal, if the password is correct, a message is displayed too quickly for me to read, and the login prompt is reset. Then, when I insert the install media back, select "Troubleshooting", and "Rescue a Fedora System" option. When the shell in repair mode is ready, I do nothing except to exit. When the system reboots, I see this: *** Warning -- SELinux targeted policy relabel is required. Then the system reboots again and the problem is solved. Permanently. When I look at the journal, here is what I see: Jun 11 00:41:48 localhost.localdomain login[1491]: ROOT LOGIN ON tty2 Jun 11 00:41:48 localhost.localdomain audit[1498]: <audit-1400> avc: denied { transition } for pid=1498 comm="login" path="/usr/bin/bash" dev="dm-1" ino=656488 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 Jun 11 00:41:48 localhost.localdomain audit[1491]: <audit-1104> pid=1491 uid=0 auid=0 ses=3 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success' Jun 11 00:41:48 localhost.localdomain login[1491]: pam_unix(login:session): session closed for user root Jun 11 00:41:48 localhost.localdomain audit[1491]: <audit-1106> pid=1491 uid=0 auid=0 ses=3 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success' Jun 11 00:41:48 localhost.localdomain audit[1]: <audit-1131> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=getty@tty2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 11 00:41:48 localhost.localdomain systemd[1]: getty has no holdoff time, scheduling restart. Jun 11 00:41:48 localhost.localdomain systemd-logind[822]: Removed session 3. Jun 11 00:41:48 localhost.localdomain audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=getty@tty2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 11 00:41:48 localhost.localdomain audit[1]: <audit-1131> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=getty@tty2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 11 00:41:48 localhost.localdomain systemd[1]: Started Getty on tty2. Jun 11 00:41:48 localhost.localdomain systemd[1]: Starting Getty on tty2... Version-Release number of selected component (if applicable): Fedora 22 Pungi 3.14 Lorax 22.11 How reproducible: Any custom spin I have tried. Steps to Reproduce: 1. Use this kickstart with pungi: repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch --excludepkgs=fedora-productimg-cloud,fedora-productimg-server repo --name=updates --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch --excludepkgs=fedora-productimg-cloud,fedora-productimg-server %packages kernel* @base-x @standard @core @dial-up @fonts @hardware-support @multimedia @networkmanager-submodules @guest-desktop-agents @basic-desktop # pungi is an inclusive depsolver so that multiple packages are brought # in to satisify dependencies and we don't always want that. So we use # an exclusion list to cut out things we don't want -kernel*debug* -kernel-kdump* -kernel-tools* -astronomy-bookmarks -generic* # Things needed for installation @anaconda-tools # Exclude unwanted packages from @anaconda-tools group -gfs2-utils -reiserfs-utils # Branding for the installer fedora-productimg-workstation %end 2. pungi --isfinal --force --nosource --nodebuginfo --all-stages --family Fedora --variant=Special --ver=22 --cachedir /mycache --destdir /mydest --config /myconfig 3. Select "Minimal Install" or "Basic Desktop Environment" in Anaconda, install, reboot and try to login Actual results: Getting kicked out with message that lasts less than 1 second and goes away after loading repair disk. Expected results: Should not have to get to the repair shell and SELinux targeted policy relabel. Additional info: This may not be a bug, but instead a bad composition. However, I've tweaked it many times, and all my spins work well except for the initial login. These spins did not have a problem in Fedora 21 with the same build process.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.