Bug 1355861 - 20160712 Workstation Rawhide nightly fails to boot in enforcing mode, boots in permissive
Summary: 20160712 Workstation Rawhide nightly fails to boot in enforcing mode, boots i...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F25AlphaBlocker
Reported: 2016-07-12 18:27 UTC by Adam Williamson
Modified: 2016-07-18 07:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-15 22:58:09 UTC
Type: Bug
Embargoed:


Attachments
sealert -a /var/log/audit/audit.log output on 20160711 (11.06 KB, text/plain) - 2016-07-12 18:29 UTC, Adam Williamson
sealert -a /var/log/audit/audit.log output on 20160712 (11.06 KB, text/plain) - 2016-07-12 18:29 UTC, Adam Williamson
journalctl -b | grep -i avc | grep den output on 20160711 (1.95 KB, text/plain) - 2016-07-12 18:30 UTC, Adam Williamson
journalctl -b | grep -i avc | grep den output on 20160712 (1.98 KB, text/plain) - 2016-07-12 18:30 UTC, Adam Williamson

Description Adam Williamson 2016-07-12 18:27:48 UTC
Today's Rawhide Workstation nightly live:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160712.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160712.n.0.iso

does not boot in enforcing mode; it gets stuck in a loop during GNOME init. It boots fine in permissive mode.

The previous day's nightly:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160711.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160711.n.0.iso

boots OK in enforcing mode. A new selinux-policy landed in 20160712.n.0 - selinux-policy-3.13.1-201.fc25 - so this is the obvious suspect.

Booting both images in permissive mode seems to produce the same five AVCs:

SELinux is preventing (-localed) from mounton access on the directory /dev.
SELinux is preventing accounts-daemon from write access on the directory root.
SELinux is preventing accounts-daemon from add_name access on the directory .cache.
SELinux is preventing accounts-daemon from create access on the directory .cache.
SELinux is preventing gdbus from write access on the fifo_file /run/systemd/inhibit/1.ref.

according to 'sealert -a /var/log/audit/audit.log' as root. However, looking at the journal - 'journalctl -b | grep -i avc | grep den' - shows one on 20160712 that is not apparent on 20160711:

Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system

that does not appear in 20160711.

Proposing as an F25 Alpha blocker: violates "All release-blocking images must boot in their supported configurations" for the Workstation live, which is a release-blocking image.
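The comparison made above (denials seen on 20160711 versus 20160712) is a set difference over parsed AVC records. As an added example that is not part of the bug report, the script below parses kernel AVC and USER_AVC journal lines into (source type, target type, object class, permissions) keys and reports the denials present only in the later boot. The USER_AVC sample line is the one quoted in the report; the other two sample lines are constructed from the sealert summaries, and their type names are assumptions.

```python
import re
from typing import Dict, Set, Tuple

# Matches the record shape shared by kernel "AVC" and "USER_AVC" journal lines:
# the permission set in braces, then the scontext/tcontext/tclass fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>[^\s']+)"
    r".*?tcontext=(?P<tcontext>[^\s']+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# A denial is keyed by (source type, target type, class, perms); pids, timestamps
# and paths vary between boots and are deliberately ignored.
DenialKey = Tuple[str, str, str, str]

def context_type(ctx: str) -> str:
    """Return the type field of a context such as system_u:system_r:init_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def parse_denials(journal_text: str) -> Dict[DenialKey, int]:
    """Count distinct denials in journalctl output (same filter as grep -i avc | grep den)."""
    counts: Dict[DenialKey, int] = {}
    for line in journal_text.splitlines():
        low = line.lower()
        if "avc" not in low or "den" not in low:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = " ".join(sorted(m["perms"].split()))
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"], perms)
        counts[key] = counts.get(key, 0) + 1
    return counts

def new_denials(before: str, after: str) -> Set[DenialKey]:
    """Denials present in the 'after' boot but absent from the 'before' boot."""
    return set(parse_denials(after)) - set(parse_denials(before))

# Constructed journal excerpts. The USER_AVC line in BOOT_0712 is quoted from the
# report; the two kernel AVC lines are constructed (type names are assumptions).
BOOT_0711 = """\
Jul 11 18:20:01 localhost audit[812]: AVC avc:  denied  { write } for  pid=812 comm="accounts-daemon" name="root" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
Jul 11 18:20:03 localhost audit[901]: AVC avc:  denied  { write } for  pid=901 comm="gdbus" name="1.ref" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=1
"""
BOOT_0712 = BOOT_0711 + """\
Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
"""
```

Running `new_denials(BOOT_0711, BOOT_0712)` isolates the systemd_logind_t -> init_t `start` denial on class `system`, the one the report identifies as new in 20160712.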

Comment 1 Adam Williamson 2016-07-12 18:29:38 UTC
Created attachment 1178971
sealert -a /var/log/audit/audit.log output on 20160711

Comment 2 Adam Williamson 2016-07-12 18:29:56 UTC
Created attachment 1178972
sealert -a /var/log/audit/audit.log output on 20160712

Comment 3 Adam Williamson 2016-07-12 18:30:22 UTC
Created attachment 1178973
journalctl -b | grep -i avc | grep den output on 20160711

Comment 4 Adam Williamson 2016-07-12 18:30:39 UTC
Created attachment 1178974
journalctl -b | grep -i avc | grep den output on 20160712

Comment 5 Lukas Vrabec 2016-07-13 06:42:42 UTC
I probably see the issue here. I will fix this ASAP.

Comment 6 Lukas Vrabec 2016-07-13 08:46:42 UTC
I built selinux-policy-3.13.1-202.fc25 selinux policy package. This should fix the issue.

Comment 7 Adam Williamson 2016-07-13 15:57:00 UTC
Thanks. We didn't get a nightly today because of https://fedorahosted.org/rel-eng/ticket/6442 , I'll be able to confirm the fix (or not) when that's resolved.

Comment 8 Couret Charles-Antoine 2016-07-15 21:55:50 UTC
The update doesn't fix the issue for me.
Many services couldn't be started and the boot failed. With selinux=0 in the command line to boot, no problem.

Comment 9 Adam Williamson 2016-07-15 22:58:09 UTC
It does fix nightly live image boots, though. The last couple of days of Workstation nightly lives have booted OK.

Comment 10 Couret Charles-Antoine 2016-07-18 07:14:52 UTC
It's fixed for me after manual relabelling.
Thanks.
