Description of problem: The Cockpit service is unreachable with SELinux in enforcing mode on the Fedora-Modular-27-20171026.n.3 compose. Version-Release number of selected component (if applicable): cockpit-ws-149-1.module_8a5444d0.x86_64 selinux-policy-3.13.1-275.module_8a5444d0.noarch How reproducible: Every time Steps to Reproduce: 1. Install from the Fedora-Modular-27-20171026.n.3 DVD or boot.iso with the "Fedora Server Edition" environment group. 2. `systemctl enable cockpit.socket && systemctl start cockpit.socket` 3. `firewall-cmd --add-service=cockpit` 4. Attempt to log into cockpit Actual results: Presented with "Internal Server Error" Expected results: Presented with the Cockpit login screen. Additional info: type=AVC msg=audit(1509067465.251:246): avc: denied { map } for pid=1255 comm="cockpit-ws" path="/usr/share/cockpit/branding/default/branding.css" dev="dm-0" ino=10348 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 This may be solved with an updated SELinux policy than we currently have in the compose. I will update that and try again, but we need this bug so we can track the blocker status of it.
Stephen, This is fixed in the latest selinux-policy package.
Reopening until we import the newest SELinux policy into the platform module.
Confirmed fixed as of compose Fedora-Modular-27-20171027.n.2