Hide Forgot
Description of problem: Branched Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser Version-Release number of selected component (if applicable): How reproducible: anaconda starts after setenforce=0 used; but still does not login after QEMU/kvm install Steps to Reproduce: 1.qemu/kvm user session: select branched live: fails to start 2.anaconda starts after add setenforce=0 in edited boot line; but still does not login after QEMU/kvm install 3. Actual results: SELinux is preventing qemu-system-x86 from search access on the directory 20655. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that qemu-system-x86 should be allowed search access on the 20655 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86 # semodule -X 300 -i my-qemusystemx86.pp Additional Information: Source Context unconfined_u:unconfined_r:svirt_t:s0:c840,c976 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects 20655 [ dir ] Source qemu-system-x86 Source Path qemu-system-x86 Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-260.6.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.12.8-300.fc26.x86_64 #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-09-11 16:29:55 PDT Last Seen 2017-09-11 16:29:55 PDT Local ID c1abe421-0d6d-4c4e-95e2-6621b6ee08ba Raw Audit Messages type=AVC msg=audit(1505172595.116:1141): avc: denied { search } for pid=22358 comm="qemu-system-x86" name="20655" dev="proc" ino=7315920 scontext=unconfined_u:unconfined_r:svirt_t:s0:c840,c976 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0 Hash: qemu-system-x86,svirt_t,unconfined_t,dir,search Expected results: login to liveuser and allow install to work Additional info:
Proposed as a Freeze Exception for 27-beta by Fedora user satellit using the blocker tracking app because: non-blocking spin
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d
Discussed at blocker review meeting [1]: AcceptedFreezeException - This bug would be a blocker, because SoaS is secondary DE it is accepted as FE [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-18
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Fedora-SoaS-Live-x86_64-27-20170919.n.0.iso still does not login to live user in QEMU/KVM user (f26)
You need to test 20170920 compose, that should contain the new selinux-policy (make sure to check).
Kamil, tested on 20170920 , it still fails to login. Just shows a black screen and throws back to live user login.
I tried to login on compose: Fedora-SoaS-Live-x86_64-27-20170920.n.0 but I also cannot login when SELinux is disabled or in Permissive mode. I don't think that this is SELinux policy issue.
Also, I was wrong, you need to test with 20170921 compose. 20170920 doesn't contain the correct selinux-policy I believe (why nobody checks this?!).
Kparal, tested Fedora-27-20170921.n.0 compose fails too.
Just tested , 923 compose doesnt fix this.
I can still reproduce this on Fedora-SoaS-Live-x86_64-27-20171017. It's weird that it has selinux-policy-3.13.1-283.10.fc27.src.rpm but it still doesnt seem to fix this
It might be an issue with config changes for the display manager that needs to be adjusted in the kickstart. I'm not sure which other desktops use lightdm (I think at least lxde/xfce) so it might be worth chcecking those to see if the kickstart changed.
Observed on Fedora-SoaS-Live-x86_64-27-20171023.n.0.iso (similar failure on Fedora-SoaS-Live-x86_64-27_Beta-1.5.iso). $ journalctl -ab -o short-monotonic > soas27bootjournal.txt see https://gist.github.com/FGrose/97d834d362c7e1e3f690b97612c673dd
https://download.fedoraproject.org/pub/fedora/linux/releases/test/27_Beta/Spins/x86_64/iso/Fedora-SoaS-Live-x86_64-27_Beta-1.5.iso fails to start liveuser
https://paste.fedoraproject.org/paste/8ZPkQlrHDD0k~OkmzCi0gQ mtd: Using the F26-SOAS-x86_64-20171005.iso media, it boots just fine. Recording a screencapture of it booting, doing an install... and will paste the command line.
It's because the sugar session is crashing (check in the sugar logs) and I need a patch from someone upstream to fix it I believe
in f27 I get a return of "no match for group package "sugar-help" when I try to do 'dnf groupinstall sugar-desktop' can this be the reason sugar desktop fails to boot?
(In reply to satellitgo from comment #19) Yes, likely. See this post and thread, https://www.mail-archive.com/soas@lists.sugarlabs.org/msg02835.html
So looks like sugar-help was orphaned and no one picked it up [1], I wasn't aware it was orphaned. So we'll likely have to somehow disable help loading so it doesn't crash. I don't have time to look at this, can someone assist here? [1] https://src.fedoraproject.org/rpms/sugar-help/c/f01b6ff474c7a160b76e21eef4af67a3277e20e2?branch=master
> have to somehow disable help loading so it doesn't crash. No, that has nothing to do with it. Sugar already starts fine without the Help activity present. What is missing from the .rpm is a file you added in a patch in the .src.rpm. Adding that file would fix the problem.
> What is missing from the .rpm is a file you added in a patch in the .src.rpm. > > Adding that file would fix the problem. Needed to run autoreconf due to the added files. New build shortly
sugar-0.110.0-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4
Right this build should fix this: https://koji.fedoraproject.org/koji/buildinfo?buildID=991563 /usr/lib/python2.7/site-packages/jarabe/view/viewhelp.py /usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyc /usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyo /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.py /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyc /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyo /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.py /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyc /usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyo
Confirmed. After updating the image with the following command it now launches Sugar. # dnf install (downloaded)sugar-*-0.110.0-6.fc27.noarch.rpm
https://koji.fedoraproject.org/koji/buildinfo?buildID=991563 (download) installed with software updater; f27 workstation with sugar-runner sugar starts sugar-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-all-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-background-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-backup-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-datetime-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-frame-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-keyboard-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-language-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-modemconfiguration-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-network-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-power-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-updater-0.110.0-6.fc27.noarch.rpm (info) (download) sugar-cp-webaccount-0.110.0-6.fc27.noarch.rpm (info) (download)
Proposed as a Freeze Exception for 27-final by Fedora user satellit using the blocker tracking app because: https://bugzilla.redhat.com/show_bug.cgi?id=1490668#c27 already accepted as FE for beta now need it for final sugar-dektop is non blocking spin
sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4
sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.