Today's Rawhide Workstation nightly live:
https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160712.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160712.n.0.iso
does not boot in enforcing mode, it gets stuck in a loop during GNOME init. It boots fine in permissive mode. The previous day's nightly:
https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160711.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160711.n.0.iso
boots OK in enforcing mode.

A new selinux-policy landed in 20160712.n.0 - selinux-policy-3.13.1-201.fc25 - so this is the obvious suspect.

Booting both images in permissive mode seems to produce the same five AVCs:

SELinux is preventing (-localed) from mounton access on the directory /dev.
SELinux is preventing accounts-daemon from write access on the directory root.
SELinux is preventing accounts-daemon from add_name access on the directory .cache.
SELinux is preventing accounts-daemon from create access on the directory .cache.
SELinux is preventing gdbus from write access on the fifo_file /run/systemd/inhibit/1.ref.

according to 'sealert -a /var/log/audit/audit.log' as root. However, looking at the journal - 'journalctl -b | grep -i avc | grep den' - shows one on 20160712 that is not apparent on 20160711:

Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system

that does not appear in 20160711.

Proposing as an F25 Alpha blocker: violates "All release-blocking images must boot in their supported configurations" for the Workstation live, which is a release-blocking image.
Created attachment 1178971: sealert -a /var/log/audit/audit.log output on 20160711
Created attachment 1178972: sealert -a /var/log/audit/audit.log output on 20160712
Created attachment 1178973: journalctl -b | grep -i avc | grep den output on 20160711
Created attachment 1178974: journalctl -b | grep -i avc | grep den output on 20160712
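Added example, not part of the original report or of any Fedora tooling: a way to script the comparison the report does by eye, reducing each boot's 'journalctl -b | grep -i avc | grep den' output to (source type, target type, class, permission) tuples and listing the denials that appear only in the failing boot. The function names and the accounts-daemon sample line are constructed for illustration; the USER_AVC line is the one quoted in the report.

```python
import re

# Matches kernel AVC and userspace USER_AVC denials as they appear in journal output.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def _type(context):
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def denials(journal_text):
    """Return the set of (source type, target type, class, permission) denials."""
    found = set()
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a line too truncated to parse)
        for perm in m["perms"].split():
            found.add((_type(m["scontext"]), _type(m["tcontext"]), m["tclass"], perm))
    return found

def new_denials(good_boot, bad_boot):
    """Denials present in the failing boot but absent from the working one."""
    return sorted(denials(bad_boot) - denials(good_boot))

# Constructed sample line standing in for the denials common to both boots.
COMMON = ('Jul 11 18:20:01 localhost audit[812]: AVC avc:  denied  { write } for  pid=812 '
          'comm="accounts-daemon" name="root" dev="dm-0" ino=131 '
          'scontext=system_u:system_r:accountsd_t:s0 '
          'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1')
# The USER_AVC line quoted in the report for 20160712.
REPORTED = ("Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 "
            "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } "
            'for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" '
            "scontext=system_u:system_r:systemd_logind_t:s0 "
            "tcontext=system_u:system_r:init_t:s0 tclass=system")
GOOD_BOOT = COMMON + "\n"
BAD_BOOT = COMMON + "\n" + REPORTED + "\n"

if __name__ == "__main__":
    for denial in new_denials(GOOD_BOOT, BAD_BOOT):
        print(denial)
```

Timestamps and PIDs are ignored on purpose, so the same denial logged at different times in the two boots does not show up as a difference.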
I probably see the issue here. I will fix this ASAP.
I built the selinux-policy-3.13.1-202.fc25 selinux policy package. This should fix the issue.
Thanks. We didn't get a nightly today because of https://fedorahosted.org/rel-eng/ticket/6442 , I'll be able to confirm the fix (or not) when that's resolved.
The update doesn't fix the issue for me. Many services couldn't be started and the boot failed. With selinux=0 in the command line to boot, no problem.
It does fix nightly live image boots, though. The last couple of days of Workstation nightly lives have booted OK.
It's fixed for me after manual relabelling. Thanks.