Using the early F26 Atomic Host qcow2 cloud image here: https://kojipkgs.fedoraproject.org/compose/branched/Fedora-26-20170322.n.0/compose/CloudImages/x86_64/images/ ...I observed the mutliple denials in the journal during the boot process that looked like: Mar 23 13:34:53 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.9 spid=1 tpid=779 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Here's the context from the jounal: Mar 23 13:34:57 rhel-atomic-7.2-test systemd[1]: Started Network Manager Wait Online. Mar 23 13:34:57 rhel-atomic-7.2-test audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-wait-online comm="systemd" exe="/usr/lib/systemd/ systemd" hostname=? addr=? terminal=? res=success' Mar 23 13:35:05 rhel-atomic-7.2-test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/sy stemd" hostname=? addr=? terminal=? res=success' Mar 23 13:35:18 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.10 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:35:23 rhel-atomic-7.2-test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" h ostname=? addr=? terminal=? res=success' Mar 23 13:35:43 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.11 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:35:58 rhel-atomic-7.2-test kernel: random: crng init done Mar 23 13:36:08 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:36:33 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:36:58 rhel-atomic-7.2-test useradd[904]: new group: name=cloud-user, GID=1000 Mar 23 13:36:58 rhel-atomic-7.2-test audit[904]: ADD_GROUP pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-group acct="cloud-user" exe="/usr/sbin/useradd" hostname =? addr=? terminal=? res=success' Mar 23 13:36:58 rhel-atomic-7.2-test useradd[904]: new user: name=cloud-user, UID=1000, GID=1000, home=/home/cloud-user, shell=/bin/bash Mar 23 13:36:58 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.14 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:37:23 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.15 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:37:48 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:38:13 rhel-atomic-7.2-test audit[904]: ADD_USER pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user id=1000 exe="/usr/sbin/useradd" hostname=? addr=? te rminal=? res=success' Mar 23 13:38:13 rhel-atomic-7.2-test audit[904]: USER_MGMT pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-home-dir id=1000 exe="/usr/sbin/useradd" hostname=? addr =? terminal=? res=success' Mar 23 13:38:14 rhel-atomic-7.2-test audit[909]: USER_CHAUTHTOK pid=909 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='op=lock password id=1000 exe="/usr/bin/passwd" hostname=? addr =? terminal=? res=success' Mar 23 13:38:14 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=779 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:38:39 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.18 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:39:04 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.19 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:39:29 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.20 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:39:54 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.21 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:40:19 rhel-atomic-7.2-test audit[910]: ADD_GROUP pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-group acct="fedora" exe="/usr/sbin/useradd" hostname=? a ddr=? terminal=? res=success' Mar 23 13:40:19 rhel-atomic-7.2-test useradd[910]: new group: name=fedora, GID=1001 Mar 23 13:40:19 rhel-atomic-7.2-test useradd[910]: new user: name=fedora, UID=1001, GID=1001, home=/home/fedora, shell=/bin/bash Mar 23 13:40:19 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.22 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:40:44 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.23 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:41:09 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error erro r_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.24 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: ADD_USER pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? te rminal=? res=success' Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user-to-group grp="wheel" acct="fedora" exe="/usr/sbin/u seradd" hostname=? addr=? terminal=? res=success' Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-to-shadow-group grp="wheel" acct="fedora" exe="/usr/sbin /useradd" hostname=? addr=? terminal=? res=success' Mar 23 13:41:34 rhel-atomic-7.2-test useradd[910]: add 'fedora' to group 'wheel' Mar 23 13:41:34 rhel-atomic-7.2-test useradd[910]: add 'fedora' to shadow group 'wheel' Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-home-dir id=1001 exe="/usr/sbin/useradd" hostname=? addr =? terminal=? res=success' Mar 23 13:41:34 rhel-atomic-7.2-test audit[917]: USER_CHAUTHTOK pid=917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='op=lock password id=1001 exe="/usr/bin/passwd" hostname=? addr =? terminal=? res=success' Mar 23 13:41:34 rhel-atomic-7.2-test cloud-init[779]: Cloud-init v. 0.7.9 running 'init' at Thu, 23 Mar 2017 13:34:53 +0000. Up 8.81 seconds.
Since systemd added an nss module, *every* single process that does a username look up is going to end up speaking dbus to init_t. I think we should just globally allow this.
Proposed as a Blocker for 26-final by Fedora user roshi using the blocker tracking app because: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications
Sorry, wasn't thinking. Atomic doesn't block release so it can't be a blocker. Apologies for the noise.
What? Is that really still true? Why?
https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking?rd=Fedora_Program_Management/ReleaseBlocking/Fedora26 It looks like the only blocking image in the Cloud space is the 'Fedora Cloud Base' cloud image.
I'd expect this to be seen everywhere. None of this code or packages is specific to Atomic. That said, I thought we had the selinux issues with systemd-233 already fixed, so I'm a bit surprised to see this.
FYI this also affects the cloud base image Fedora-Cloud-Base-26_Alpha-1.2.x86_64.qcow2 from alpha 1.2 RC. ``` [root@cloudhost ~]# journalctl | grep USER_AVC Mar 23 18:27:00 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=689 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:27:25 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:27:50 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.14 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:28:15 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.15 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:28:40 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:29:05 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:29:30 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.18 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus Mar 23 18:29:55 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.19 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus [root@cloudhost ~]# cat /etc/os-release NAME=Fedora VERSION="26 (Cloud Edition)" ID=fedora VERSION_ID=26 PRETTY_NAME="Fedora 26 (Cloud Edition)" ANSI_COLOR="0;34" CPE_NAME="cpe:/o:fedoraproject:fedora:26" HOME_URL="https://fedoraproject.org/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Fedora" REDHAT_BUGZILLA_PRODUCT_VERSION=26 REDHAT_SUPPORT_PRODUCT="Fedora" REDHAT_SUPPORT_PRODUCT_VERSION=26 PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy VARIANT="Cloud Edition" VARIANT_ID=cloud ```
from previous comment here are the versions that are in that image: ``` [root@cloudhost ~]# rpm -q systemd selinux-policy systemd-233-2.fc26.x86_64 selinux-policy-3.13.1-247.fc26.noarch ```
(In reply to Colin Walters from comment #4) > What? Is that really still true? Why? Because we're on the 2 week release schedule, and we don't build an atomic image with TC/RC requests, I don't know how it could be a blocker. At least not in the traditional sense of the term. Since it affects the Base image, I've reapplied the blocker nomination.
looks like this bug is the root cause of https://bugzilla.redhat.com/show_bug.cgi?id=1433459 as well. cloud-init is the thing that is making the call that is being denied by systemd.
Transferring Alpha accepted FE status here from #1433459 , since we were really voting on the symptom there. Colin: yes, right now, no Atomic images are release blocking. There's a simple reason for that and a complicated one. Simple: no-one has actually jumped through the correct hoops to get it changed. The way that works, IIRC, is the FPM asks each WG each cycle which of its deliverables it thinks should be 'release blocking', and the list gets updated. I believe that's already happened for F26. The contact would have been to the Cloud WG, for the Atomic images. The list is https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking . Complex: as Mike suggested, if we were to get to actually discussing the change, it'd get a bit fuzzy. Atomic has its own release cycle, effectively: two-week Atomic. While two-week Atomic has been going on, we have not used the main distro release date as the date we cut over two-week Atomic builds. That is, we didn't move two-week Atomic builds from Fedora 24 to Fedora 25 on the day we released the rest of F25, it happened a bit later. We do not ship any Atomic images as part of the main Fedora release, at present - they are left out of those composes entirely. Given that, it doesn't seem to make a lot of sense for an Atomic image to be 'release blocking', in the way we currently define and implement that. What it means for an image to be 'release blocking' is that if there's a release criteria violation related to that image, we hold the release until it's fixed, basically. But what's the point of holding the Fedora 26 (say) release to fix an Atomic-specific bug, if we're not shipping any Atomic images as part of the main Fedora 26 release? Similarly, we don't at present ship Atomic images with Alpha or Beta releases. We don't really have a formal delivery mechanism for Atomic deliverables during pre-release phases *at all* besides 'grab the images from a nightly compose', which is arguably a problem, but it's where we're at right now. So again, it doesn't make any sense to block Alpha or Beta releases on Atomic bugs, since Alphas and Betas don't have Atomic in them at all. Basically, the current 'release blocking' concept is tied to the main distro release process, which Atomic just isn't a part of. What we should really do is come up with some process for 'releasing' Atomic during the pre-release phase that everyone's happy with (there was some discussion of this on #fedora-releng last week, IIRC, but it didn't come to any solid conclusions), and take a wider look at the process documentation for that process together with the post-stable 'two-week Atomic' release process itself, since properly conceived, that's really a whole separate release process we should have documented in parallel to the 'main' release cycle. That'd probably involve rather wider changes to the wiki than just updating the 'release blocking deliverables' list.
https://github.com/fedora-selinux/selinux-policy-contrib/pull/6
Discussed during the 2017-03-27 blocker review meeting: [1] The decision was made to classify this bug as an AcceptedBlocker was made as it violates the following Final criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-27/f26-blocker-review.2017-03-27-16.01.txt
Confirmed that the build at [1] fixes the problem for me: ``` [root@cloudhost ~]# systemd-analyze Startup finished in 965ms (kernel) + 1.247s (initrd) + 12.989s (userspace) = 15.203s [root@cloudhost ~]# [root@cloudhost ~]# rpm -q selinux-policy selinux-policy-3.13.1-248.fc26.noarch [root@cloudhost ~]# [root@cloudhost ~]# ausearch -m avc,user_avc <no matches> ``` Can we get the update submitted into bodhi? [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=873056
selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.