Description of problem:
selinux prevents kernel modules from loading during boot, attempts to manually load modules also fail with permission denied.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-239.fc26.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install (using Fedora-Rawhide-20170214.n.0) or upgrade existing system.
2. Reboot

Actual results:
On aarch64 system drops to emergency shell. Attempting to load the vfat driver manually:

[root@localhost ~]# mount -a
mount: unknown filesystem type 'vfat'
[root@localhost ~]# modprobe vfat
modprobe: ERROR: could not insert 'vfat': Permission denied
[root@localhost ~]# setenforce 0
[root@localhost ~]# modprobe vfat

Expected results:
Booted system with login prompt.

Additional info:
AVCs during boot:

[ 12.776721] audit: type=1400 audit(1487177451.340:97): avc: denied { module_load } for pid=605 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[ 12.807757] audit: type=1400 audit(1487177451.340:96): avc: denied { module_load } for pid=608 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[ 12.838800] audit: type=1300 audit(1487177451.340:97): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[ 12.871215] audit: type=1300 audit(1487177451.340:96): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[ 12.903623] audit: type=1327 audit(1487177451.340:96): proctitle="/usr/lib/systemd/systemd-udevd"
[ 12.912498] audit: type=1327 audit(1487177451.340:97): proctitle="/usr/lib/systemd/systemd-udevd"
[ 12.921376] audit: type=1400 audit(1487177451.340:98): avc: denied { module_load } for pid=591 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[ 12.952481] audit: type=1400 audit(1487177451.340:99): avc: denied { module_load } for pid=593 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[ 12.983589] audit: type=1300 audit(1487177451.340:98): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=591 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[ 13.015998] audit: type=1300 audit(1487177451.340:99): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

AVCs when attempting modprobe:

type=AVC msg=audit(1487177543.990:126): avc: denied { module_load } for pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc: denied { module_load } for pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc: denied { module_load } for pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
Upgrading to selinux-policy-3.13.1-240.fc26, the system is no longer dropping to an emergency shell, but still fails to load some modules and thus no network on the booted system. AVCs below:

Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc: denied { module_load } for pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/mtd/chips/chipreg.ko" dev="dm-0" ino=135512 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc: denied { module_load } for pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Seeing this across aarch64 and ARMv7 across a number of devices.
Created attachment 1256505: Rawhide-20170222.n.0 AVC
Created attachment 1256506: Rawhide-20170222.n.0 journalctl

Attached AVCs and journalctl from Fedora-Minimal-armhfp-Rawhide-20170222.n.0 boot on the wandboard with selinux-policy-3.13.1-241.fc26.noarch.
Proposing as an Alpha Blocker: without kernel modules many of the system services fail, including network. Citing criteria 'The installed system must be able to download and install updates with the default console package manager.'
Booting Fedora-Minimal-armhfp-Rawhide-20170226.n.0:

..
[  OK  ] Reached target Switch Root.
         Starting Switch Root...
[ 43.241717] systemd-journald[170]: Received SIGTERM from PID 1 (systemd).
[ 45.331480] systemd: 16 output lines suppressed due to ratelimiting
[ 47.320421] SELinux: Class sctp_socket not defined in policy.
[ 47.326945] SELinux: Class icmp_socket not defined in policy.
[ 47.333148] SELinux: Class ax25_socket not defined in policy.
[ 47.339337] SELinux: Class ipx_socket not defined in policy.
[ 47.345434] SELinux: Class netrom_socket not defined in policy.
[ 47.351799] SELinux: Class atmpvc_socket not defined in policy.
[ 47.358163] SELinux: Class x25_socket not defined in policy.
[ 47.364254] SELinux: Class rose_socket not defined in policy.
[ 47.370435] SELinux: Class decnet_socket not defined in policy.
[ 47.376797] SELinux: Class atmsvc_socket not defined in policy.
[ 47.383160] SELinux: Class rds_socket not defined in policy.
[ 47.389250] SELinux: Class irda_socket not defined in policy.
[ 47.395431] SELinux: Class pppox_socket not defined in policy.
[ 47.401704] SELinux: Class llc_socket not defined in policy.
[ 47.407793] SELinux: Class can_socket not defined in policy.
[ 47.414167] SELinux: Class tipc_socket not defined in policy.
[ 47.420380] SELinux: Class bluetooth_socket not defined in policy.
[ 47.427023] SELinux: Class iucv_socket not defined in policy.
[ 47.433206] SELinux: Class rxrpc_socket not defined in policy.
[ 47.439479] SELinux: Class isdn_socket not defined in policy.
[ 47.445660] SELinux: Class phonet_socket not defined in policy.
[ 47.452022] SELinux: Class ieee802154_socket not defined in policy.
[ 47.458749] SELinux: Class caif_socket not defined in policy.
[ 47.464930] SELinux: Class alg_socket not defined in policy.
[ 47.471019] SELinux: Class nfc_socket not defined in policy.
[ 47.477109] SELinux: Class vsock_socket not defined in policy.
[ 47.483380] SELinux: Class kcm_socket not defined in policy.
[ 47.489469] SELinux: Class qipcrtr_socket not defined in policy.
[ 47.495923] SELinux: Class smc_socket not defined in policy.
[ 47.502017] SELinux: the above unknown classes and permissions will be allowed
[ 47.728502] kauditd_printk_skb: 57 callbacks suppressed
[ 47.734283] audit: type=1403 audit(1478193440.225:51): policy loaded auid=4294967295 ses=4294967295
[ 47.786587] systemd[1]: Successfully loaded SELinux policy in 2.189002s.
[ 48.645206] systemd[1]: Relabelled /dev and /run in 655.580ms.
..
Created attachment 1258178: Fedora-Minimal-armhfp-Rawhide-20170226 audit.log
Created attachment 1258180: Fedora-Minimal-armhfp-Rawhide-20170226 journalctl
Discussed during the 2017-02-27 blocker review meeting: [1] The decision to classify this bug as an accepted blocker was made as it violates the following Alpha-blocker criteria: "The installed system must be able to download and install updates with the default console package manager." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-27/f26-blocker-review.2017-02-27-17.00.txt
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This is expected to be addressed in the next selinux-policy build, but builds have been failing. Adjusting status to MODIFIED to reflect this.
SELinux folks, can you please get a build done and an update submitted? We are now one week from Alpha go/no-go. Thanks!
FYI, I just fixed the selinux-policy-3.13.1-244.fc26 build and it's building now. I was planning on submitting it once it was complete so we can at least begin the process to verify that build.
It failed. https://koji.fedoraproject.org/koji/taskinfo?taskID=18287440

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
libsepol.expand_terule_helper: conflicting TE rule for (abrt_t, exim_exec_t:process): old was system_mail_t, new is sendmail_t
libsepol.expand_module: Error during expand
/usr/bin/semodule_expand: Error while expanding policy
make: *** [Rules.modular:203: validate] Error 1
Yep, I fixed two other issues and it builds with 'fedpkg local' now but fails in koji.
Sorry guys, I was busy these days. Thank you Peter for help on broken builds. I fixed the F26 build and it's right now in koji. Also rules related to module_load look fixed:

# cat avc
type=AVC msg=audit(1487177543.990:126): avc: denied { module_load } for pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc: denied { module_load } for pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc: denied { module_load } for pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

# audit2allow -i avc

#============= insmod_t ==============
#!!!! This avc is allowed in the current policy
allow insmod_t modules_object_t:system module_load;

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t modules_object_t:system module_load;

# sesearch -A -s udev_t -t modules_object_t | grep module_load
   allow can_load_kernmodule modules_object_t : system module_load ;
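Added example, not part of this bug report and not Fedora or SELinux tooling: a small script that does for the AVC records quoted in the initial report and in the comment above what the reporter and the audit2allow/sesearch calls do by hand. It parses both record shapes seen in this bug (kernel-log `audit: type=1400 ... avc: denied` lines and auditd `type=AVC` records), skips the type=1300 SYSCALL and type=1327 PROCTITLE companions that carry no AVC body, aggregates enforcing denials by source type, target type and object class into allow-rule form, keeps permissive=1 records out of that summary unless asked (they were logged under setenforce 0 and never enforced), and lists which .ko files were refused. The sample lines are constructed after the ones in the report, with shortened module paths. The rule list is a diagnostic for reading denials, not a fix to install: module_load on class system is a high-value permission, and the remedy in this bug was the corrected selinux-policy build, not a local module generated from the denials.

```python
import os
import re
from collections import defaultdict

# Matches the AVC body shared by a kernel-log line
# ("[ 12.77] audit: type=1400 audit(...): avc:  denied  { module_load } for  pid=...")
# and an auditd record ("type=AVC msg=audit(...): avc:  denied  { ... } for  pid=...").
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values are quoted (comm, path, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log, modelled on the records quoted in this report
# (module paths shortened; not captured from a real system).
SAMPLE_LOG = [
    '[ 12.776721] audit: type=1400 audit(1487177451.340:97): avc:  denied  { module_load } for  '
    'pid=605 comm="systemd-udevd" path="/usr/lib/modules/4.10.0/kernel/drivers/pps/pps_core.ko" '
    'dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0',
    # The matching SYSCALL record has no AVC body and must be skipped.
    '[ 12.838800] audit: type=1300 audit(1487177451.340:97): arch=c00000b7 syscall=273 '
    'success=no exit=-13 pid=605 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd"',
    'type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 '
    'comm="modprobe" path="/usr/lib/modules/4.10.0/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 '
    'scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 '
    'tclass=system permissive=0',
    # Logged under setenforce 0: recorded as a denial but not enforced.
    'type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 '
    'comm="modprobe" path="/usr/lib/modules/4.10.0/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 '
    'tclass=system permissive=1',
]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def context_type(ctx):
    """user:role:type[:range] -> type, the component TE rules are written against."""
    return ctx.split(":")[2]


def summarize(lines, enforcing_only=True):
    """Aggregate denials into allow-rule form, the way audit2allow prints them.

    permissive=1 records are dropped by default: they show what would have
    been denied while enforcement was off and only join the summary on request.
    """
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if enforcing_only and rec["permissive"]:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


def denied_modules(lines):
    """Basenames of the .ko files that hit a module_load denial, in either mode."""
    names = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied" and "module_load" in rec["perms"] and rec["path"]:
            names.add(os.path.basename(rec["path"]))
    return sorted(names)


if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
    print("modules refused:", ", ".join(denied_modules(SAMPLE_LOG)))
```

Run against a real capture with `ausearch -m AVC -ts boot --raw` or `journalctl -k | grep 'avc:'` piped into `summarize`; the source-type column is what to compare against `sesearch -A -s <type> -t modules_object_t -c system`, as the comment above does for udev_t.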
selinux-policy-3.13.1-244.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92
selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92
selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.