Another casualty of the new 'map' permission is PostgreSQL. The openQA test which tests deployment of the 'database server' role (which uses postgre) fails due to postgre failing to start up. Looking at the logs, this is clearly caused by a couple of 'map' denials:

Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc: denied { map } for pid=2144 comm="postgres" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=27249 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc: denied { map } for pid=2144 comm="postgres" path="/dev/shm/PostgreSQL.621596145" dev="tmpfs" ino=27252 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local postgresql-ctl[2142]: FATAL: could not map shared memory segment "/PostgreSQL.621596145": Permission denied
Aug 22 14:07:20 db.domain.local postgresql-ctl[2142]: LOG: database system is shut down
Aug 22 14:07:21 db.domain.local postgresql-ctl[2142]: pg_ctl: could not start server
Aug 22 14:07:21 db.domain.local postgresql-ctl[2142]: Examine the log output.
Aug 22 14:07:21 db.domain.local systemd[1]: postgresql.service: Control process exited, code=exited status=1
Aug 22 14:07:21 db.domain.local systemd[1]: Failed to start PostgreSQL database server.
Aug 22 14:07:21 db.domain.local systemd[1]: postgresql.service: Unit entered failed state.

This is another clear Beta blocker, per Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." - 'database server' is a release-blocking role.
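A triage sketch for the denials quoted above, added here as an example (not part of the original report or of any Fedora or SELinux tooling): it parses the AVC lines, decodes the hex-encoded path= value that audit emits when a path contains spaces (here "/anon_hugepage (deleted)"), and counts denials per source type, target type, class and permission. The names parse_avc, summarize and HEX_FIELDS are hypothetical, and the sample input is the first three log lines from the report.

```python
import re
from collections import Counter

# The two denials and the resulting FATAL line, copied from the report above.
SAMPLE_LOG = """\
Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc: denied { map } for pid=2144 comm="postgres" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=27249 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc: denied { map } for pid=2144 comm="postgres" path="/dev/shm/PostgreSQL.621596145" dev="tmpfs" ino=27252 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local postgresql-ctl[2142]: FATAL: could not map shared memory segment "/PostgreSQL.621596145": Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: only these string fields may arrive hex-encoded (unquoted);
# numeric fields such as pid=2144 also look like hex and must be left alone.
HEX_FIELDS = {"path", "name", "comm", "exe"}


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw in FIELD_RE.findall(m.group(2)):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]  # quoted value: printable as-is
        elif key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial (e.g. the postgresql-ctl FATAL line)
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(src, tgt, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }}")
```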
openQA testing confirms this is fixed in recent composes with selinux-policy-3.13.1-278.fc27.
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d
Closing again, bug is fixed in latest update.
I believe it's SOP for blocker bugs to be left open until they actually get pushed stable, for tracking purposes. Adam could confirm that (or close it again if not).
Never mind, I see it's not an accepted blocker. I'll close it again.
To be safe I'm going to reopen this. The blocker bug tracker doesn't appear to show any closed bugs. If this bug is visible on the tracker, its status can be fixed if necessary. Sorry for the extra noise.
Adam verified this is fixed with a build that's already stable, so there's no harm having it closed.
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.