Description of problem: SELinux is preventing /usr/lib/systemd/systemd from 'mounton' accesses on the directory /usr/lib/modules. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed mounton access on the modules directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd # semodule -X 300 -i my-fwupd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:modules_object_t:s0 Target Objects /usr/lib/modules [ dir ] Source (fwupd) Source Path /usr/lib/systemd/systemd Port <Unknown> Host (removed) Source RPM Packages systemd-232-15.fc26.x86_64 Target RPM Packages kernel-core-4.10.0-0.rc7.git1.1.fc26.x86_64 kernel-core-4.10.0-0.rc8.git0.1.fc26.x86_64 kernel-core-4.11.0-0.rc0.git4.1.fc26.x86_64 Policy RPM selinux-policy-3.13.1-241.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.10.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Feb 13 16:40:00 UTC 2017 x86_64 x86_64 Alert Count 6 First Seen 2017-02-16 09:38:43 EST Last Seen 2017-02-27 16:41:22 EST Local ID fa577e75-1cb8-47d4-a591-0d0895e10f46 Raw Audit Messages type=AVC msg=audit(1488231682.360:325): avc: denied { mounton } for pid=3857 comm="(fwupd)" path="/usr/lib/modules" dev="dm-1" ino=1443710 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=1 type=SYSCALL msg=audit(1488231682.360:325): arch=x86_64 syscall=mount success=yes exit=0 a0=7f4790b69db7 a1=5571910bf4f0 a2=0 a3=5000 items=0 ppid=1 pid=3857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(fwupd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) Hash: (fwupd),init_t,modules_object_t,dir,mounton Version-Release number of selected component: selinux-policy-3.13.1-241.fc26.noarch Additional info: component: selinux-policy reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.10.0-0.rc8.git0.1.fc26.x86_64 type: libreport
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
Description of problem: Happens on boot of a freshly installed Fedora 26 Workstation system. Version-Release number of selected component: selinux-policy-3.13.1-244.fc26.noarch Additional info: reporter: libreport-2.9.0 hashmarkername: setroubleshoot kernel: 4.11.0-0.rc1.git0.1.fc26.x86_64 type: libreport
Nominating as a Final blocker: this seems like a violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications
selinux-policy-3.13.1-245.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
It looks like there's another one lurking behind this one: https://bugzilla.redhat.com/show_bug.cgi?id=1429341
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
Discussed during the 2017-03-20 blocker review meeting: [1] The decision was made to classify this bug as an AcceptedBlocker (Final) as it violates the following criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-20/f26-blocker-review.2017-03-20-16.06.txt
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.