Bug 1350054 - Refuses to let systemd fix label of /dev/shm/lldpad.state on boot
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Blocks: F25FinalBlocker F25FinalFreezeException
Reported: 2016-06-24 23:20 UTC by Adam Williamson
Modified: 2016-11-10 16:37 UTC (History)

Fixed In Version: selinux-policy-3.13.1-222.fc25
Last Closed: 2016-11-10 16:37:43 UTC


Attachments
dmesg output - SELinux denial notification (3.67 KB, text/plain)
2016-10-31 23:47 UTC, Mike Simms
Further Evidence from my notebook to show it isn't system specific (335.50 KB, application/x-gzip)
2016-11-02 20:13 UTC, Mike Simms
Further Evidence from another desktop I have (1.36 MB, application/x-gzip)
2016-11-02 20:28 UTC, Mike Simms
Booting from older Beta 1-1 (161.01 KB, application/x-gzip)
2016-11-02 21:23 UTC, Mike Simms
20161108 Nightly - Fedora-MATE-Live-25-1-1 dmesg output (71.17 KB, text/plain)
2016-11-09 09:24 UTC, Mike Simms

Description Adam Williamson 2016-06-24 23:20:48 UTC
There's this whole mechanism where /dev/shm/lldpad.state gets synced from the initramfs to the 'real' root on boot, by something called 'fedora-import-state'. That seems to leave its label wrong. On boot, systemd tries to fix it, but is refused:

Jun 24 16:13:18 localhost.localdomain kernel: audit: type=1400 audit(1466809995.830:45): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="lldpad.state" dev="tmpfs" ino=10115 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lldpad_tmpfs_t:s0 tclass=file permissive=0
Jun 24 16:13:18 localhost.localdomain systemd[1]: Unable to fix SELinux security context of /dev/shm/lldpad.state: Permission denied
Jun 24 16:13:15 localhost.localdomain audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="lldpad.state" dev="tmpfs" ino=10115 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lldpad_tmpfs_t:s0 tclass=file permissive=0
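
Added example (not part of the original report and not code from the selinux-policy project): a small parser that reads the two AVC records quoted above, collapses them into one denial, and prints it in the allow-rule form that audit2allow uses. The function names are hypothetical, and the rule shown is only a reading of the denial, not necessarily the change shipped in the fixed selinux-policy build.

```python
import re

# The two AVC records quoted in the description above: one event, logged once
# by the kernel and once by the audit subsystem.
SAMPLE = """\
Jun 24 16:13:18 localhost.localdomain kernel: audit: type=1400 audit(1466809995.830:45): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="lldpad.state" dev="tmpfs" ino=10115 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lldpad_tmpfs_t:s0 tclass=file permissive=0
Jun 24 16:13:15 localhost.localdomain audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="lldpad.state" dev="tmpfs" ino=10115 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lldpad_tmpfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize(text):
    """Group duplicate records into unique denials with a hit count."""
    seen = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec["tclass"], rec["perms"], rec.get("name"))
        entry = seen.setdefault(key, {"count": 0, "enforced": rec.get("permissive") == "0"})
        entry["count"] += 1
    return seen

def as_rule(key):
    """Render a denial key in audit2allow-style allow-rule syntax."""
    stype, ttype, tclass, perms, _name = key
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(as_rule(key), "# file:", key[4], "records:", info["count"], "enforced:", info["enforced"])
```

permissive=0 in the records means the denial was enforced, which matches the "Permission denied" line systemd logged for the same file.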

Comment 1 Jan Kurik 2016-07-26 04:44:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 2 Fedora Admin XMLRPC Client 2016-09-27 15:02:44 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Mike Simms 2016-10-13 11:00:23 UTC
Seems to be fixed this morning after applying selinux-policy 3.13.1.219.fc25 and selinux-policy-targeted 3.13.1.219.fc25

Comment 4 Mike Simms 2016-10-13 15:33:14 UTC
Spoke too soon, the message returned after disappearing for the reboot after applying the selinux update. I cold booted just now and it's back.

Comment 5 Mike Simms 2016-10-31 23:47:26 UTC
Created attachment 1215942
dmesg output - SELinux denial notification

Still getting this error message after updating my clean install this evening to kernel 4.8.5-300.fc25.

Is it another potential release blocker due to https://bugzilla.redhat.com/show_bug.cgi?id=1383471#c6

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Reason I ask is it also comes up when booting the nightly ISO Fedora-MATE_Compiz-Live-x86_64-25-20161031.n.0.iso

Comment 6 Fedora Update System 2016-11-02 17:51:09 UTC
selinux-policy-3.13.1-222.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

Comment 7 Mike Simms 2016-11-02 18:58:50 UTC
(In reply to Fedora Update System from comment #6)
> selinux-policy-3.13.1-222.fc25 has been submitted as an update to Fedora 25.
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

Thanks Lukas, I've installed the necessary files from koji. So far I've restarted once after updating the kernel to 4.8.6-300, a couple of cold boots and it's been okay but the other crucial test will be when that package goes stable and is included in the nightly ISO image.

Comment 8 Adam Williamson 2016-11-02 19:03:42 UTC
I'm at least +1 FE for this (need a bit more certainty on whether a notification reliably appears on boot of a clean install to decide whether it's a blocker).

Comment 9 Mike Simms 2016-11-02 20:13:35 UTC
Created attachment 1216717
Further Evidence from my notebook to show it isn't system specific

My understanding is that SELinux denial notifications or crash notifications

on boot of the live image;

or

during installation from a live image;

or at first login after a default install of a desktop from a live image are all classed as release blockers.

I'm really not making this up as there would be no sense in doing so, wasting my and everyone else's time.

The denial message is consistently coming up every time on boot of the actual Live image regardless of the system it is put in which technically makes it a release-blocker. FYI, the burnt live image passed the boot time media check. I wouldn't have booted from it at all if it didn't.

You now have evidence of it from two of my machines with completely different specifications.

Whether it's decided this denial message isn't a blocker and to release anyway with it unfixed or otherwise, as a user I felt obligated to flag up the issue after reading Jon Haas' post. Had I known of this critical fact sooner then of course I would have brought it to your attention far sooner too.

Comment 10 Mike Simms 2016-11-02 20:28:09 UTC
Created attachment 1216757
Further Evidence from another desktop I have

Last one. Three different systems all with the same error.

Comment 11 Adam Williamson 2016-11-02 20:42:19 UTC
Mike: that's fine, I'm just saying, before voting +1 blocker I'd want to double check it.

Comment 12 Mike Simms 2016-11-02 21:23:39 UTC
Created attachment 1216783
Booting from older Beta 1-1

Please do so.

Comment 13 Stephen Gallagher 2016-11-04 13:52:44 UTC
I'm definitely +1 FE. I haven't seen anything to tell me that this results in broken functionality (just an odd error message), so I'd be -1 blocker if this came up during a Go/No-Go meeting.

Comment 14 Mike Simms 2016-11-04 17:32:17 UTC
It may be 'just an odd error message' and I have no issue with using as it is myself.

However, you also need to take into account the fact it doesn't look professional and may put quite a few users off using the operating system if they perceive it as broken from the outset.

I guess that is why the guideline is in place but I agree there also needs to be some common sense applied here. If you all decide it's not a blocker and the release ISO is still affected by SELinux denial message, please at least add it to the Common F25 bugs list so people are made aware of its existence beforehand and won't panic. Also those who never bother reading that page before diving in and loading the ISOs can be referred to it as and when they will inevitably bring it up on ask.fedoraproject.org or fedoraforum.org.

Comment 15 Adam Williamson 2016-11-04 20:09:31 UTC
stephen: the criterion is not about broken functionality. Mike is correct that it's a polish criterion. If the message appears on boot for all or a large number of F25 installs, it is a blocker. The point is that we don't want to ship something which immediately displays an ugly error message to everyone who runs it, whether it actually means anything is broken or not.

Comment 16 Fedora Update System 2016-11-05 18:57:04 UTC
selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

Comment 17 Geoffrey Marr 2016-11-08 00:46:54 UTC
Discussed during the 2016-11-07 blocker review meeting: [1]

The decision to delay the classification of this as a blocker and instead classify it as an AcceptedFreezeException was made as there is debate as to if this bug is encountered frequently enough; also, as there is a fix for this, we expect that this will not have to be revisited for blocker classification.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-11-07/f25-blocker-review.2016-11-07-17.01.txt

Comment 18 Kamil Páral 2016-11-08 12:51:30 UTC
I can't reproduce the problem either before the update or after it. But multiple people claim in the bodhi update that this is fixed.

Comment 19 Kamil Páral 2016-11-08 12:52:28 UTC
Fixing trackers.

Comment 20 Mike Simms 2016-11-08 14:24:56 UTC
I'd be fascinated to know how people can claim on bodhi it is fixed without an ISO containing the patched version to boot and see if the error comes up. That is why I left the message on bodhi that I did. You can't say categorically it has been fixed without testing that.

If it is possible to create an ISO containing stuff from updates-testing please enlighten me. I'm not new to compiling live-spin ISOs using kickstarts and tried to do it. The process of course failed.

Anyhow, I'll burn tonight's ISO as it appears the 'fix' will be in the stable repositories by the time the nightly builds are compiled and see what happens then.

Thanks for at least looking into it though

Comment 21 Stephen Gallagher 2016-11-08 14:41:33 UTC
(In reply to Mike Simms from comment #20)
> I'd be fascinated to know how people can claim on bodhi it is fixed without
> an ISO containing the patched version to boot and see if the error comes up.
> That is why I left the message on bodhi that I did. You can't say
> categorically it has been fixed without testing that.
> 

It happens on every boot of an installed OS. To verify it, you just need to install the fixed package and reboot. If the message doesn't appear in the bootloader, it's fixed.

Comment 22 Mike Simms 2016-11-08 15:06:41 UTC
Stephen, you clearly missed my and Adam's point completely here.

For the last time... it happens on boot of the LIVE ISO AS WELL ergo release blocking ugly error message.

I'm well aware that it is looking to be fixed after applying the update as I've found that much myself. The crux of the matter is unless you include the patched selinux-policy in the final release ISO, the ISO ITSELF IS STILL BROKEN.

" The point is that we don't want to ship something which immediately displays an ugly error message " - Adam, https://bugzilla.redhat.com/show_bug.cgi?id=1350054#c15

SELinux denial notifications or crash notifications on boot of the live image and not just on first boot after install are classed as ugly error message release blockers in your own guidelines.

Email I received last night from a friend:

"From: Leslie S Satenstein 
To: Michael Simms 
Subject: Re: Fedora 25 Final Release Readiness Meeting, Thursday, November  10th @ 19:00 UTC
Date: Mon, 7 Nov 2016 15:43:51 +0000 (UTC)
Reply-To: Leslie S Satenstein

With the RFRemix for F25, been getting that Selinux message during the installation.  Also, can't run Wayland.  Many programs (gparted, for one) will not run under Wayland. As well, many tweak extensions are not Wayland compatible.  I run F25Remix with xorg. Regards 
 Leslie
 Mr. Leslie Satenstein
Montréal Québec, Canada"

In my reply I asked Leslie to report that against this bug because it is a Fedora issue but he hasn't done so yet. He uses Workstation so it must be affecting the Workstation ISO as well as MATE-Compiz.

But as far as I'm concerned I'm done with this now. Certain people can't recreate, do not understand the entire test scenario properly and post it is fixed prematurely. I may as well go through bodhi and post +1 karma against a whole load of bugs without reading what they actually are for all the good the system is in that case.

Comment 23 Adam Williamson 2016-11-08 18:42:32 UTC
Mike: please relax, we have a process here. The issue is fundamentally the same issue in the live images and the installed system. If people report that the issue is resolved by the update in their installed systems, that gives us strong confidence that the update will also resolve the issue in live images that are built with it.

In an *ideal* world we would build a live image with the fixed package and verify the issue is resolved in a live boot too, but if we don't have time to do that, it's fine to just push the update stable and expect that lives will then be fixed. If it turns out they aren't, we can then look at the problem again.

Comment 24 Mike Simms 2016-11-09 09:24:42 UTC
Created attachment 1218857
20161108 Nightly - Fedora-MATE-Live-25-1-1 dmesg output

As closure to my part of the process, using Adam's nightly finder (excellent tool that should be adopted officially in my opinion) I have downloaded and run the last 'nightly' build which looks to be a release candidate ISO now from the label it's been given. It contains the patched SELinux policy and therefore works properly as per the attached output.

https://kojipkgs.fedoraproject.org/compose/25/Fedora-25-20161109.0/compose/Spins/x86_64/iso/Fedora-MATE_Compiz-Live-x86_64-25-1.1.iso

Adam, I respect you and appreciate your comments. I would not have had an issue at all if everyone were as polite and respectful as yourself and actually took on board the factually correct comments made and evidence provided rather than dismissing them off-hand.

As a result I just feel my time and efforts can clearly be better spent elsewhere. I'm not paid to sit in front of the PC testing Fedora, it is entirely voluntary. So if my contributions aren't appreciated then I'll do something more constructive with my free time in future.

Comment 25 Adam Williamson 2016-11-09 09:28:58 UTC
Yes, that is actually the first F25 release candidate, not a nightly (candidate composes do show up in the 'nightly' finder, despite the name). Thanks for confirming this is fixed, as was expected for that compose. Note that true *nightly* composes will continue to have the bug until the update is pushed stable (which will happen quite soon).

Comment 26 Mike Simms 2016-11-09 10:30:33 UTC
It has been pushed stable yesterday afternoon, your nightly finder did point me to that RC compose (see the link hover text at the bottom of Opera in the screenshot). Presumably it will find and link to the 20161110 nightly anyway overnight tonight. I'd anticipate that containing the fix too.

http://tinypic.com/r/2egb7ev/9

Comment 27 Adam Williamson 2016-11-09 15:16:30 UTC
"It has been pushed stable yesterday afternoon"

No, it hasn't. It was *submitted* for stable then. 'Submitted' just means it's been put in a queue to be pushed stable. Usually updates are actually 'pushed' stable as a matter of course shortly after that, but during a freeze, that is not the case, all pushes during freezes are done manually from a specific 'stable push request' that we (QA) file. I'll do one of those today. If you look at the top of https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81 you'll see that 'Request' is 'stable', but 'Status' is 'testing'. It's only stable when 'Status' is 'stable'.

Comment 28 Mike Simms 2016-11-10 09:11:28 UTC
Thanks for the explanation, I thought a freeze exception would be pushed automatically as normal.

Comment 29 Adam Williamson 2016-11-10 09:12:38 UTC
Nah, unfortunately it's still manual. We'd *like* to make it more automated.

Comment 30 Fedora Update System 2016-11-10 16:37:43 UTC
selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

