Description of problem:

Output of journalctl after I tried to reboot (with `reboot`):

    Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Registered Authentication Agent for unix-process:27011:578421 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Unregistered Authentication Agent for unix-process:27011:578421 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What I get:

    # reboot
    Failed to start reboot.target: Access denied

The same thing happens with poweroff. I was able to reboot after I turned SELinux off. After the reboot I haven't met any problems. Everything seems to work after the reboot.

Version-Release number of selected component (if applicable):
selinux-policy{,-targeted}-3.13.1-147.fc23.noarch

How reproducible:
I tested with a virtual machine and a bare metal machine.

Steps to Reproduce:
1. Do installation from RC1 Server DVD
2. Boot to system and update it (dnf update)

Actual results:
User will be unable to reboot without setting SELinux to permissive.

Expected results:

Additional info:
I propose this as a final blocker (as it is in updates-testing and probably won't get to beta) as it violates the alpha criterion: It must be possible to trigger a clean system shutdown using standard console commands.
Petr, can you really confirm you get this AVC with selinux-policy{,-targeted}-3.13.1-147.fc23.noarch?

    #============= unconfined_t ==============

    #!!!! This avc is allowed in the current policy
    allow unconfined_t power_unit_file_t:service start;
The same problem occurs on F22 with selinux-policy-3.13.1-128.13.fc22. Until reboot, systemctl can't be used (*any* command). After reboot, everything is fine. Offline updates are not affected, just live dnf updates.
I believe that I suffered from the same bug yesterday, and so did several users in #fedora. It seems that the fix is as simple as `systemctl daemon-reexec`; however, I do not know enough about SELinux to tell whether this is really sufficient, why it is even necessary, etc. A reboot, of course including a restart of systemd, also works. #1261747 appears to be the very same problem.
You are correct, `systemctl daemon-reexec` is needed. The problem is with a policy update which is not paired with a systemd update. There are backported policy changes which also require a systemd reload to make SELinux+systemd work correctly.
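As an added example (not part of the original report and not Fedora's or systemd's own tooling), this Python script parses journal text for the kind of USER_AVC record quoted in the description and picks out denials that systemd (pid 1) logged for the `service` class, which is the symptom discussed in this thread. The function names are hypothetical, and the sample input is constructed from the report's log with the polkitd line abridged.

```python
import re

# Constructed input: the USER_AVC record from the report, plus an abridged
# polkitd line as unrelated noise.
SAMPLE_LOG = (
    "Sep 16 10:15:03 dhcp-28-126.brq.redhat.com polkitd[835]: Unregistered "
    "Authentication Agent for unix-process:27011:578421 (disconnected from bus)\n"
    "Sep 16 10:15:03 dhcp-28-126.brq.redhat.com audit[1]: USER_AVC pid=1 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='avc: denied { start } for auid=0 uid=0 gid=0 "
    'path="/usr/lib/systemd/system/reboot.target" cmdline="reboot" '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service "
    'exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'\n'
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_user_avc(line):
    """Return a dict for a USER_AVC denial, or None for any other line."""
    if "USER_AVC" not in line:
        return None
    # Fields before msg= describe the process that logged the record (the
    # userspace object manager); fields inside msg= describe the denied request.
    head, sep, body = line.partition("msg='")
    denied = DENIED.search(body)
    if not sep or not denied:
        return None
    outer = dict(KV.findall(head))
    rec = {key: value.strip("\"'") for key, value in KV.findall(body)}
    rec["perms"] = denied.group(1).split()
    rec["manager_pid"] = outer.get("pid")
    rec["manager_subj"] = outer.get("subj")
    return rec


def systemd_unit_denials(log_text):
    """Denials on systemd units: class 'service', logged by pid 1."""
    records = (parse_user_avc(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r.get("tclass") == "service" and r.get("manager_pid") == "1"]


if __name__ == "__main__":
    for r in systemd_unit_denials(SAMPLE_LOG):
        print(f"{r['cmdline']}: denied {r['perms']} on {r['path']} "
              f"({r['scontext']} -> {r['tcontext']})")
```

On a live system the input would be `journalctl -b` output; a hit right after a live selinux-policy update matches the situation in this thread, where `systemctl daemon-reexec` or a reboot cleared it.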
Discussed at 2015-09-22 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-22/f23-blocker-review.2015-09-22-16.00.html . We agreed that there is not sufficient data to determine whether this is a release blocking issue. The release blocker process mainly relates to the packages on the frozen release media - the live images, Server DVD and so on. Is there any circumstance in which this bug would cause a problem if some version of selinux-policy were on the frozen media, or is it an issue that can only happen when doing a package update, and that could thus always be fixed with an update? Thanks!
*** This bug has been marked as a duplicate of bug 1224211 ***