Bug 1435310 - avc denial during F26 Atomic Host and Cloud Base boot - 'error_name=org.freedesktop.systemd1.NoSuchDynamicUser'
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException AcceptedBlocker
Blocks: F26AlphaFreezeException F26FinalBlocker
Reported: 2017-03-23 14:15 UTC by Micah Abbott
Modified: 2017-03-29 05:05 UTC (History)

Fixed In Version: selinux-policy-3.13.1-249.fc26
Last Closed: 2017-03-29 05:05:52 UTC
Type: Bug

Description Micah Abbott 2017-03-23 14:15:02 UTC
Using the early F26 Atomic Host qcow2 cloud image here:

https://kojipkgs.fedoraproject.org/compose/branched/Fedora-26-20170322.n.0/compose/CloudImages/x86_64/images/

...I observed multiple denials in the journal during the boot process that looked like:

```
Mar 23 13:34:53 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.9 spid=1 tpid=779 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
```



Here's the context from the journal:



```
Mar 23 13:34:57 rhel-atomic-7.2-test systemd[1]: Started Network Manager Wait Online.
Mar 23 13:34:57 rhel-atomic-7.2-test audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-wait-online comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 23 13:35:05 rhel-atomic-7.2-test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 23 13:35:18 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.10 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:35:23 rhel-atomic-7.2-test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 23 13:35:43 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.11 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:35:58 rhel-atomic-7.2-test kernel: random: crng init done
Mar 23 13:36:08 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:36:33 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:36:58 rhel-atomic-7.2-test useradd[904]: new group: name=cloud-user, GID=1000
Mar 23 13:36:58 rhel-atomic-7.2-test audit[904]: ADD_GROUP pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-group acct="cloud-user" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:36:58 rhel-atomic-7.2-test useradd[904]: new user: name=cloud-user, UID=1000, GID=1000, home=/home/cloud-user, shell=/bin/bash
Mar 23 13:36:58 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.14 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:37:23 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.15 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:37:48 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:38:13 rhel-atomic-7.2-test audit[904]: ADD_USER pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user id=1000 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:38:13 rhel-atomic-7.2-test audit[904]: USER_MGMT pid=904 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-home-dir id=1000 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:38:14 rhel-atomic-7.2-test audit[909]: USER_CHAUTHTOK pid=909 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='op=lock password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=success'
Mar 23 13:38:14 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=779 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:38:39 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.18 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:39:04 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.19 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:39:29 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.20 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:39:54 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.21 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:40:19 rhel-atomic-7.2-test audit[910]: ADD_GROUP pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-group acct="fedora" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:40:19 rhel-atomic-7.2-test useradd[910]: new group: name=fedora, GID=1001
Mar 23 13:40:19 rhel-atomic-7.2-test useradd[910]: new user: name=fedora, UID=1001, GID=1001, home=/home/fedora, shell=/bin/bash
Mar 23 13:40:19 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.22 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:40:44 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.23 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:41:09 rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.24 spid=1 tpid=910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: ADD_USER pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-user-to-group grp="wheel" acct="fedora" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-to-shadow-group grp="wheel" acct="fedora" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:41:34 rhel-atomic-7.2-test useradd[910]: add 'fedora' to group 'wheel'
Mar 23 13:41:34 rhel-atomic-7.2-test useradd[910]: add 'fedora' to shadow group 'wheel'
Mar 23 13:41:34 rhel-atomic-7.2-test audit[910]: USER_MGMT pid=910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cloud_init_t:s0 msg='op=add-home-dir id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Mar 23 13:41:34 rhel-atomic-7.2-test audit[917]: USER_CHAUTHTOK pid=917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='op=lock password id=1001 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=success'
Mar 23 13:41:34 rhel-atomic-7.2-test cloud-init[779]: Cloud-init v. 0.7.9 running 'init' at Thu, 23 Mar 2017 13:34:53 +0000. Up 8.81 seconds.
```

Comment 1 Colin Walters 2017-03-23 14:25:16 UTC
Since systemd added an nss module, *every* single process that does a username look up is going to end up speaking dbus to init_t.

I think we should just globally allow this.

Comment 2 Fedora Blocker Bugs Application 2017-03-23 14:43:20 UTC
Proposed as a Blocker for 26-final by Fedora user roshi using the blocker tracking app because:

 "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications

Comment 3 Mike Ruckman 2017-03-23 14:46:44 UTC
Sorry, wasn't thinking. Atomic doesn't block release so it can't be a blocker. Apologies for the noise.

Comment 4 Colin Walters 2017-03-23 14:53:13 UTC
What?  Is that really still true?  Why?

Comment 5 Micah Abbott 2017-03-23 15:04:23 UTC
https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking?rd=Fedora_Program_Management/ReleaseBlocking/Fedora26

It looks like the only blocking image in the Cloud space is the 'Fedora Cloud Base' cloud image.

Comment 6 Zbigniew Jędrzejewski-Szmek 2017-03-23 18:09:50 UTC
I'd expect this to be seen everywhere. None of this code or packages is specific to Atomic. That said, I thought we had the selinux issues with systemd-233 already fixed, so I'm a bit surprised to see this.

Comment 7 Dusty Mabe 2017-03-23 18:33:56 UTC
FYI this also affects the cloud base image 
Fedora-Cloud-Base-26_Alpha-1.2.x86_64.qcow2 from alpha 1.2 RC.

```
[root@cloudhost ~]# journalctl | grep USER_AVC
Mar 23 18:27:00 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=689 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:25 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:50 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.14 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:28:15 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.15 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:28:40 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:05 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:30 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.18 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:55 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.19 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
[root@cloudhost ~]# cat /etc/os-release 
NAME=Fedora
VERSION="26 (Cloud Edition)"
ID=fedora
VERSION_ID=26
PRETTY_NAME="Fedora 26 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:26"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=26
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=26
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Cloud Edition"
VARIANT_ID=cloud
```

Comment 8 Dusty Mabe 2017-03-23 18:35:54 UTC
from previous comment here are the versions that are in that image:

```
[root@cloudhost ~]# rpm -q systemd selinux-policy
systemd-233-2.fc26.x86_64
selinux-policy-3.13.1-247.fc26.noarch
```
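
A triage sketch for the records quoted in this report, added here as an example; it is not part of the original thread and is not selinux-policy project code. It re-joins journalctl continuation lines, extracts the denial tuple from each dbus USER_AVC record, maps it to the allow rule it corresponds to in audit2allow's output format (for policy review), and measures the spacing between denials. The sample journal is constructed from the record shape above; the function names and the `year` default are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the records quoted in this report; only
# the timestamp and D-Bus destination differ between the denial records.
DENIAL_TEMPLATE = (
    "%s rhel-atomic-7.2-test audit[737]: USER_AVC pid=737 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=error "
    "error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=%s spid=1 tpid=904 "
    "scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 "
    "tclass=dbus\n        exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)
SAMPLE_JOURNAL = "\n".join([
    "Mar 23 13:35:05 rhel-atomic-7.2-test audit[1]: SERVICE_STOP pid=1 uid=0 msg='res=success'",
    DENIAL_TEMPLATE % ("Mar 23 13:35:18", ":1.10"),
    DENIAL_TEMPLATE % ("Mar 23 13:35:43", ":1.11"),
    DENIAL_TEMPLATE % ("Mar 23 13:36:08", ":1.12"),
])

STAMP_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def se_type(context):  # type field of user:role:type[:level], e.g. init_t
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_user_avc(journal_text, year=2017):
    """Parse USER_AVC records; year is assumed because syslog stamps omit it."""
    logical = []
    for line in journal_text.splitlines():
        if line[:1].isspace() and logical:
            logical[-1] += " " + line.strip()   # journalctl continuation line
        elif line.strip():
            logical.append(line)
    records = []
    for raw in logical:
        stamp, avc = STAMP_RE.match(raw), AVC_RE.search(raw)
        if not (stamp and avc and " USER_AVC " in raw):
            continue
        fields = dict(KV_RE.findall(avc.group(3)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue                            # truncated record, skip it
        records.append({
            "when": datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S"),
            "result": avc.group(1), "perms": tuple(avc.group(2).split()),
            "source": se_type(fields["scontext"]), "target": se_type(fields["tcontext"]),
            "tclass": fields["tclass"], "error_name": fields.get("error_name", ""),
        })
    return records

def candidate_rules(records):
    """Map each denial tuple to an allow rule in audit2allow's output format,
    with a hit count. For review only; not the change shipped in selinux-policy."""
    rules = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        perm = r["perms"][0] if len(r["perms"]) == 1 else "{ " + " ".join(r["perms"]) + " }"
        rules[f"allow {r['source']} {r['target']}:{r['tclass']} {perm};"] += 1
    return dict(rules)

def denial_gaps(records):
    """Seconds between consecutive denials, to expose a regular cadence."""
    times = [r["when"] for r in records if r["result"] == "denied"]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    recs = parse_user_avc(SAMPLE_JOURNAL)
    print(candidate_rules(recs), denial_gaps(recs))
```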

Comment 9 Mike Ruckman 2017-03-23 18:39:46 UTC
(In reply to Colin Walters from comment #4)
> What?  Is that really still true?  Why?

Because we're on the 2 week release schedule, and we don't build an atomic image with TC/RC requests, I don't know how it could be a blocker. At least not in the traditional sense of the term.

Since it affects the Base image, I've reapplied the blocker nomination.

Comment 10 Dusty Mabe 2017-03-24 04:46:24 UTC
looks like this bug is the root cause of https://bugzilla.redhat.com/show_bug.cgi?id=1433459 as well. cloud-init is the thing that is making the call that is being denied by systemd.

Comment 11 Adam Williamson 2017-03-24 16:02:49 UTC
Transferring Alpha accepted FE status here from #1433459 , since we were really voting on the symptom there.

Colin: yes, right now, no Atomic images are release blocking. There's a simple reason for that and a complicated one.

Simple: no-one has actually jumped through the correct hoops to get it changed. The way that works, IIRC, is the FPM asks each WG each cycle which of its deliverables it thinks should be 'release blocking', and the list gets updated. I believe that's already happened for F26. The contact would have been to the Cloud WG, for the Atomic images. The list is https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking .

Complex: as Mike suggested, if we were to get to actually discussing the change, it'd get a bit fuzzy.

Atomic has its own release cycle, effectively: two-week Atomic. While two-week Atomic has been going on, we have not used the main distro release date as the date we cut over two-week Atomic builds. That is, we didn't move two-week Atomic builds from Fedora 24 to Fedora 25 on the day we released the rest of F25, it happened a bit later. We do not ship any Atomic images as part of the main Fedora release, at present - they are left out of those composes entirely.

Given that, it doesn't seem to make a lot of sense for an Atomic image to be 'release blocking', in the way we currently define and implement that. What it means for an image to be 'release blocking' is that if there's a release criteria violation related to that image, we hold the release until it's fixed, basically. But what's the point of holding the Fedora 26 (say) release to fix an Atomic-specific bug, if we're not shipping any Atomic images as part of the main Fedora 26 release?

Similarly, we don't at present ship Atomic images with Alpha or Beta releases. We don't really have a formal delivery mechanism for Atomic deliverables during pre-release phases *at all* besides 'grab the images from a nightly compose', which is arguably a problem, but it's where we're at right now. So again, it doesn't make any sense to block Alpha or Beta releases on Atomic bugs, since Alphas and Betas don't have Atomic in them at all.

Basically, the current 'release blocking' concept is tied to the main distro release process, which Atomic just isn't a part of.

What we should really do is come up with some process for 'releasing' Atomic during the pre-release phase that everyone's happy with (there was some discussion of this on #fedora-releng last week, IIRC, but it didn't come to any solid conclusions), and take a wider look at the process documentation for that process together with the post-stable 'two-week Atomic' release process itself, since properly conceived, that's really a whole separate release process we should have documented in parallel to the 'main' release cycle. That'd probably involve rather wider changes to the wiki than just updating the 'release blocking deliverables' list.

Comment 13 Geoffrey Marr 2017-03-27 17:16:32 UTC
Discussed during the 2017-03-27 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker as it violates the following Final criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-27/f26-blocker-review.2017-03-27-16.01.txt

Comment 14 Dusty Mabe 2017-03-28 00:52:32 UTC
Confirmed that the build at [1] fixes the problem for me:

```
[root@cloudhost ~]# systemd-analyze 
Startup finished in 965ms (kernel) + 1.247s (initrd) + 12.989s (userspace) = 15.203s
[root@cloudhost ~]# 
[root@cloudhost ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-248.fc26.noarch
[root@cloudhost ~]# 
[root@cloudhost ~]# ausearch -m avc,user_avc
<no matches>
```

Can we get the update submitted into bodhi? 

[1] https://koji.fedoraproject.org/koji/buildinfo?buildID=873056

Comment 15 Fedora Update System 2017-03-28 13:37:28 UTC
selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 16 Fedora Update System 2017-03-28 17:54:14 UTC
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 17 Fedora Update System 2017-03-29 05:05:52 UTC
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

