Description of problem:
This happened when I was going through "QA:Testcase_desktop_login" on Fedora 27 with KDE. I created a new user with the kuser application, then I logged out and tried to log in as the newly created user. The screen blinked and returned me to the login screen. Checking the journal, it seems that SELinux is preventing the creation of some dot-files in ~/ of the new user (see attached logs). With setenforce 0, login works as expected.
Version-Release number of selected component (if applicable):
libselinux-utils-2.7-2.fc27.x86_64
selinux-policy-3.13.1-283.3.fc27.noarch
selinux-policy-targeted-3.13.1-283.3.fc27.noarch
pam-kwallet-5.10.5-1.fc27.x86_64
sddm-0.15.0-1.fc27.x86_64
Steps to Reproduce:
1. on Fedora 27 KDE, create another user with kuser
2. log out
3. try to log in as the other user
Created attachment 1329000 [details] journalctl -b
Created attachment 1329002 [details] ausearch -m AVC -ts today
Created attachment 1329003 [details] audit.log
Proposed as a Blocker for 27-beta by Fedora user lbrabec using the blocker tracking app because: Unable to complete step 5 of "QA:Testcase desktop login", which violates associated beta release criterion Post-install requirements - Shutdown, reboot, logout
Lukas,
Could you please try the following scenario:
1. chcon -t useradd_exec_t /usr/sbin/kuser
2. add a new user as in the bug description
3. check AVCs
Thanks, Lukas.
Created attachment 1329086 [details] ausearch -m AVC -ts today (with chcon -t useradd_exec_t /usr/sbin/kuser)
Created attachment 1329087 [details] audit.log (with chcon -t useradd_exec_t /usr/sbin/kuser)
Discussed during blocker review [1]:
RejectedBlocker (beta) AcceptedBlocker (final) - This bug violates the final criterion: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."
[1] https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2017-09-21/
Lukas,
What is the output of:
# ls -Z /home/
If you run:
# restorecon -Rv /home/
and then try to create a new user with kuser (with chcon -t useradd_exec_t /usr/sbin/kuser), are you still able to catch any AVC?
Thanks, Lukas.
# ls -Z /home/
unconfined_u:object_r:user_home_dir_t:s0 ejohn
unconfined_u:object_r:home_root_t:s0 test2
unconfined_u:object_r:home_root_t:s0 test1
after:
# restorecon -Rv /home/
I'm able to login with previously created users, but with other new users I encounter the same problem.
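Added example, not part of the original report or of any Fedora tooling: a shell filter that reads `ls -Z` output in the two-column form quoted above and lists home directories whose SELinux type is not user_home_dir_t, which is the state test1 and test2 were in before restorecon. The function names and the extra sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag home directories whose SELinux type is not user_home_dir_t.
# Input is two-column `ls -Z` output as quoted in this report:
#   <user>:<role>:<type>:<level> <name>

EXPECTED_TYPE="user_home_dir_t"   # type carried by the correctly labelled home (ejohn)

# Read `ls -Z`-style lines on stdin; print "<name> <type>" for every mismatch.
mislabeled_homes() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            # The level may itself contain colons (e.g. s0:c0.c1023),
            # so only the third colon-separated field is the type.
            split($1, ctx, ":")
            if (ctx[3] != want) {
                name = $0
                sub(/^[ \t]+/, "", name)          # drop leading blanks
                sub(/^[^ \t]+[ \t]+/, "", name)   # drop the context column
                print name, ctx[3]
            }
        }'
}

# Sample input: the listing from the comment above, plus one constructed
# line (an MCS level containing a colon) to exercise the context parsing.
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:user_home_dir_t:s0 ejohn
unconfined_u:object_r:home_root_t:s0 test2
unconfined_u:object_r:home_root_t:s0 test1
unconfined_u:object_r:user_home_dir_t:s0:c0.c1023 constructed
EOF
}

# On a live system: ls -Z /home | mislabeled_homes
sample_listing | mislabeled_homes
```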
Created attachment 1329218 [details] ausearch -m AVC -ts today (with chcon, restorecon before creation of test3)
selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6
(In reply to Fedora Update System from comment #12)
> selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora
> 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6
this fixes the bug
Lukas, Thanks for testing. :)
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.