1490668 – Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser

Bug 1490668 - Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser

Summary: Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sugar
Sub Component:
Version:	27
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	urgent
Target Milestone:	---
Assignee:	Simon Schampijer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedFreezeException
Depends On:
Blocks:	F27BetaFreezeException F27FinalFreezeException
TreeView+	depends on / blocked

Reported:	2017-09-12 01:01 UTC by satellitgo
Modified:	2017-10-31 15:39 UTC (History)
CC List:	16 users (show)
Fixed In Version:	selinux-policy-3.13.1-283.3.fc27 sugar-0.110.0-6.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-31 15:39:13 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description satellitgo 2017-09-12 01:01:38 UTC

Description of problem:
Branched Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser

Version-Release number of selected component (if applicable):


How reproducible:
anaconda starts after setenforce=0 used; but still does not login after QEMU/kvm install

Steps to Reproduce:
1.qemu/kvm user session: select branched live: fails to start
2.anaconda starts after add setenforce=0 in edited boot line; but still does not login after QEMU/kvm install
3.

Actual results:
SELinux is preventing qemu-system-x86 from search access on the directory 20655.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed search access on the 20655 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c840,c976
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                20655 [ dir ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.6.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.12.8-300.fc26.x86_64
                              #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-11 16:29:55 PDT
Last Seen                     2017-09-11 16:29:55 PDT
Local ID                      c1abe421-0d6d-4c4e-95e2-6621b6ee08ba

Raw Audit Messages
type=AVC msg=audit(1505172595.116:1141): avc:  denied  { search } for  pid=22358 comm="qemu-system-x86" name="20655" dev="proc" ino=7315920 scontext=unconfined_u:unconfined_r:svirt_t:s0:c840,c976 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-x86,svirt_t,unconfined_t,dir,search



Expected results:
login to liveuser and allow install to work

Additional info:

Comment 1 Fedora Blocker Bugs Application 2017-09-12 01:03:05 UTC

Proposed as a Freeze Exception for 27-beta by Fedora user satellit using the blocker tracking app because:

 non-blocking spin

Comment 2 Fedora Update System 2017-09-18 13:37:27 UTC

selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 3 Kamil Páral 2017-09-18 17:53:37 UTC

Discussed at blocker review meeting [1]:

AcceptedFreezeException - This bug would be a blocker, because SoaS is secondary DE it is accepted as FE

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-18

Comment 4 Fedora Update System 2017-09-18 22:23:34 UTC

selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 5 Fedora Update System 2017-09-20 15:26:53 UTC

selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 satellitgo 2017-09-20 22:21:53 UTC

Fedora-SoaS-Live-x86_64-27-20170919.n.0.iso still does not login to live user in QEMU/KVM user (f26)

Comment 7 Kamil Páral 2017-09-21 07:30:02 UTC

You need to test 20170920 compose, that should contain the new selinux-policy (make sure to check).

Comment 8 sumantro 2017-09-21 11:18:24 UTC

Kamil, tested on 20170920 , it still fails to login. Just shows a black screen and throws back to live user login.

Comment 9 Lukas Vrabec 2017-09-21 12:36:15 UTC

I tried to login on compose: Fedora-SoaS-Live-x86_64-27-20170920.n.0

but I also cannot login when SELinux is disabled or in Permissive mode. 

I don't think that this is SELinux policy issue.

Comment 10 Kamil Páral 2017-09-21 15:20:28 UTC

Also, I was wrong, you need to test with 20170921 compose. 20170920 doesn't contain the correct selinux-policy I believe (why nobody checks this?!).

Comment 11 sumantro 2017-09-21 16:10:23 UTC

Kparal, tested Fedora-27-20170921.n.0  compose fails too.

Comment 12 sumantro 2017-09-24 12:09:13 UTC

Just tested , 923 compose doesnt fix this.

Comment 13 sumantro 2017-10-19 05:59:39 UTC

I can still reproduce this on Fedora-SoaS-Live-x86_64-27-20171017. It's weird that it has selinux-policy-3.13.1-283.10.fc27.src.rpm  but it still doesnt seem to fix this

Comment 14 Peter Robinson 2017-10-19 08:21:48 UTC

It might be an issue with config changes for the display manager that needs to be adjusted in the kickstart. I'm not sure which other desktops use lightdm (I think at least lxde/xfce) so it might be worth chcecking those to see if the kickstart changed.

Comment 15 Frederick Grose 2017-10-23 22:25:50 UTC

Observed on Fedora-SoaS-Live-x86_64-27-20171023.n.0.iso (similar failure on Fedora-SoaS-Live-x86_64-27_Beta-1.5.iso).

$ journalctl -ab -o short-monotonic > soas27bootjournal.txt
   see https://gist.github.com/FGrose/97d834d362c7e1e3f690b97612c673dd

Comment 16 satellitgo 2017-10-25 15:22:28 UTC

https://download.fedoraproject.org/pub/fedora/linux/releases/test/27_Beta/Spins/x86_64/iso/Fedora-SoaS-Live-x86_64-27_Beta-1.5.iso

fails to start liveuser

Comment 17 satellitgo 2017-10-25 16:02:14 UTC

https://paste.fedoraproject.org/paste/8ZPkQlrHDD0k~OkmzCi0gQ

mtd: Using the F26-SOAS-x86_64-20171005.iso media, it boots just fine.  Recording a screencapture of it booting, doing an install... and will paste the command line.

Comment 18 Peter Robinson 2017-10-26 08:54:07 UTC

It's because the sugar session is crashing (check in the sugar logs) and I need a patch from someone upstream to fix it I believe

Comment 19 satellitgo 2017-10-27 12:38:54 UTC

in f27 I get a return of "no match for group package "sugar-help"  when I try to do 'dnf groupinstall sugar-desktop'   can this be the reason sugar desktop fails to boot?

Comment 20 Frederick Grose 2017-10-27 13:41:42 UTC

(In reply to satellitgo from comment #19)
Yes, likely.  See this post and thread,
https://www.mail-archive.com/soas@lists.sugarlabs.org/msg02835.html

Comment 21 Peter Robinson 2017-10-27 15:48:17 UTC

So looks like sugar-help was orphaned and no one picked it up [1], I wasn't aware it was orphaned. So we'll likely have to somehow disable help loading so it doesn't crash.

I don't have time to look at this, can someone assist here?

[1] https://src.fedoraproject.org/rpms/sugar-help/c/f01b6ff474c7a160b76e21eef4af67a3277e20e2?branch=master

Comment 22 James Cameron 2017-10-27 20:25:13 UTC

> have to somehow disable help loading so it doesn't crash.

No, that has nothing to do with it.  Sugar already starts fine without the Help activity present.

What is missing from the .rpm is a file you added in a patch in the .src.rpm.

Adding that file would fix the problem.

Comment 23 Peter Robinson 2017-10-28 06:16:12 UTC

> What is missing from the .rpm is a file you added in a patch in the .src.rpm.
> 
> Adding that file would fix the problem.

Needed to run autoreconf due to the added files. New build shortly

Comment 24 Fedora Update System 2017-10-28 10:27:00 UTC

sugar-0.110.0-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4

Comment 25 Peter Robinson 2017-10-28 10:31:36 UTC

Right this build should fix this:
https://koji.fedoraproject.org/koji/buildinfo?buildID=991563

/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyo
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyo
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyo

Comment 26 Frederick Grose 2017-10-28 15:16:10 UTC

Confirmed. After updating the image with the following command it now launches Sugar.
# dnf install (downloaded)sugar-*-0.110.0-6.fc27.noarch.rpm

Comment 27 satellitgo 2017-10-28 15:43:13 UTC

https://koji.fedoraproject.org/koji/buildinfo?buildID=991563

(download) installed with software updater; f27 workstation with sugar-runner
sugar starts

sugar-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-all-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-background-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-backup-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-datetime-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-frame-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-keyboard-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-language-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-modemconfiguration-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-network-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-power-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-updater-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-webaccount-0.110.0-6.fc27.noarch.rpm (info) (download)

Comment 28 Fedora Blocker Bugs Application 2017-10-29 23:52:37 UTC

Proposed as a Freeze Exception for 27-final by Fedora user satellit using the blocker tracking app because:

 https://bugzilla.redhat.com/show_bug.cgi?id=1490668#c27
	already accepted as FE for beta now need it for final
sugar-dektop is non blocking spin

Comment 29 Fedora Update System 2017-10-30 14:46:06 UTC

sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4

Comment 30 Fedora Update System 2017-10-31 15:39:13 UTC

sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.