Description of problem: I upgraded from F25 to Rawhide and, after the reboot and the login, I found this issue. SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup/systemd. ***** Plugin catchall (100. confidence) suggests ************************** If si crede che spice-vdagentd dovrebbe avere possibilità di accesso getattr sui systemd filesystem in modo predefinito. Then si dovrebbe riportare il problema come bug. E' possibile generare un modulo di politica locale per consentire questo accesso. Do allow this access for now by executing: # ausearch -c 'spice-vdagentd' --raw | audit2allow -M my-spicevdagentd # semodule -X 300 -i my-spicevdagentd.pp Additional Information: Source Context system_u:system_r:vdagent_t:s0 Target Context system_u:object_r:cgroup_t:s0 Target Objects /sys/fs/cgroup/systemd [ filesystem ] Source spice-vdagentd Source Path spice-vdagentd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-233.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.10.0-0.rc3.git1.1.fc26.x86_64 #1 SMP Tue Jan 10 15:32:37 UTC 2017 x86_64 x86_64 Alert Count 2 First Seen 2017-01-15 14:37:07 CET Last Seen 2017-01-15 17:39:04 CET Local ID 3e822920-2508-4bc8-aef7-9c1e1820a41c Raw Audit Messages type=AVC msg=audit(1484498344.95:254): avc: denied { getattr } for pid=786 comm="spice-vdagentd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0 Hash: spice-vdagentd,vdagent_t,cgroup_t,filesystem,getattr Version-Release number of selected component: selinux-policy-3.13.1-233.fc26.noarch Additional info: component: selinux-policy reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.10.0-0.rc3.git1.1.fc26.x86_64 type: libreport
Description of problem: Simply booted a freshly installed Rawhide VM and logged in. Version-Release number of selected component: selinux-policy-3.13.1-233.fc26.noarch Additional info: reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.10.0-0.rc3.git4.1.fc26.x86_64 type: libreport
Description of problem: Happens during boot of current Fedora Rawhide Workstation live image (20170115.n.0) in a VM. Seems to prevent copy/paste between host and guest working: with `enforcing=0`, it works. Version-Release number of selected component: selinux-policy-3.13.1-233.fc26.noarch Additional info: reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.10.0-0.rc3.git4.1.fc26.x86_64 type: libreport
This prevents autoresizing as well :/ $ rpm selinux-policy -q selinux-policy-3.13.1-236.fc26.noarch
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
Nominating as a Final blocker: this seems like a violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications - at least in the case of VMs. Also proposing as an Alpha FE, as the inability to paste into / copy from an Alpha live image is a pain.
Discussed at today's Go/No-Go meeting. This would be good to get pulled in for Alpha release if a tested fix is available.
Description of problem: booting the F26 Alpha candidate Workstation ISO in a KVM virtual machine Version-Release number of selected component: selinux-policy-3.13.1-244.fc26.noarch Additional info: reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.11.0-0.rc2.git2.2.fc26.x86_64 type: libreport
selinux-policy-3.13.1-245.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
Discussed during the 2017-03-20 blocker review meeting: [1] The decision was made to classify this bug as an AcceptedBlocker (Final) as it violates the following criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-20/f26-blocker-review.2017-03-20-16.06.txt
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.