Description of problem: After completing initial-setup, attempts to log in fail. Selinux in permissive allows successful log in. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-304.fc28.noarch How reproducible: everytime Actual results: ausearch -ts recent -m avc type=AVC msg=audit(1512413082.177:197): avc: denied { transition } for pid=900 comm="login" path="/usr/bin/bash" dev="sda4" ino=7141 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Mon Dec 4 13:44:42 2017 type=AVC msg=audit(1512413082.177:198): avc: denied { entrypoint } for pid=900 comm="login" path="/usr/bin/bash" dev="sda4" ino=7141 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Proposing as a blocker for beta, this affects both release blocking images for arm.
This is reproducible so giving it a +1 for beta blocker
Discussed during the 2017-12-11 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made as it violates the following blocker criteria: "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles", for ARM disk images. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-12-11/f28-blocker-review.2017-12-11-17.01.txt
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
Login still fails when booting RaspberryPi-3B after writing uSDHC card from expanded Fedora-Xfce-armhfp-Rawhide-20180301.n.0-sda.raw.xz . The anaconda graphical final configuration succeeded (timezone, network+hostname, root password, local user account). The lightdm greeter appeared on the VGA console and accepted userID and password from keyboard, but within a couple seconds went back to the original greeter screen with no login. Attempting to login via ssh from a different system failed with "Connection closed". Both the local userID and 'root' failed from both the local console and remote login via ssh. System shutdown via mouse clicks succeeded. Removing the uSDHC card and mounting it on another box allowed inspection of files. /var/log/secure is attached. Various lines of interest seem to be: ===== Mar 2 15:19:39 localhost useradd[1674]: new group: name=jreiser, GID=1000 Mar 2 15:19:39 localhost useradd[1674]: new user: name=jreiser, UID=1000, GID=1000, home=/home/jreiser, shell=/bin/bash Mar 2 15:19:40 localhost useradd[1674]: add 'jreiser' to group 'wheel' Mar 2 15:19:40 localhost useradd[1674]: add 'jreiser' to shadow group 'wheel' Mar 2 15:19:46 localhost chage[1684]: changed password expiry for jreiser Mar 2 15:19:46 localhost chage[1691]: changed password expiry for root ===== so passwords should be OK ===== Mar 2 15:19:58 localhost lightdm[1754]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0) Mar 2 15:19:59 localhost systemd[1757]: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0) Mar 2 15:19:59 localhost systemd[1771]: pam_unix(systemd-user:session): session closed for user lightdm Mar 2 15:19:59 localhost lightdm[1754]: pam_systemd(lightdm-greeter:session): Failed to create session: Start job for unit user failed with 'failed' ===== That is the first failure that I see in the file. ===== Mar 2 15:20:05 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.DisplayManager.AccountsService.ReadAny'] Mar 2 15:20:05 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:4: subject=[Subject pid=1772 user='lightdm' groups=lightdm seat='seat0' session='c1' local=true active=false] Mar 2 15:20:11 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.DisplayManager.AccountsService.ReadAny'] Mar 2 15:20:11 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:4: subject=[Subject pid=1772 user='lightdm' groups=lightdm seat='seat0' session='c1' local=true active=false] Mar 2 15:20:11 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.DisplayManager.AccountsService.ReadAny'] Mar 2 15:20:11 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:4: subject=[Subject pid=1772 user='lightdm' groups=lightdm seat='seat0' session='c1' local=true active=false] Mar 2 15:20:11 localhost lightdm[1754]: pam_unix(lightdm-greeter:session): session closed for user lightdm Mar 2 15:20:12 localhost lightdm[1814]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied Mar 2 15:20:12 localhost lightdm[1802]: gkr-pam: gnome-keyring-daemon didn't start properly ===== That is the second failure. ===== Mar 2 15:20:13 localhost systemd[1815]: pam_unix(systemd-user:session): session opened for user jreiser by (uid=0) Mar 2 15:20:13 localhost systemd[1829]: pam_unix(systemd-user:session): session closed for user jreiser Mar 2 15:20:13 localhost lightdm[1802]: pam_systemd(lightdm:session): Failed to create session: Start job for unit user failed with 'failed' Mar 2 15:20:13 localhost lightdm[1802]: pam_unix(lightdm:session): session opened for user jreiser by (uid=0) Mar 2 15:20:13 localhost lightdm[1802]: pam_unix(lightdm:session): session closed for user jreiser Mar 2 15:20:15 localhost lightdm[1836]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0) Mar 2 15:20:21 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.DisplayManager.AccountsService.ReadAny'] Mar 2 15:20:21 localhost polkitd[948]: /usr/share/polkit-1/rules.d/lightdm.rules:4: subject=[Subject pid=1839 user='lightdm' groups=lightdm seat='seat0' session='c2' local=true active=true] Mar 2 15:20:33 localhost lightdm[1836]: pam_unix(lightdm-greeter:session): session closed for user lightdm Mar 2 15:20:34 localhost lightdm[1877]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied Mar 2 15:20:34 localhost lightdm[1869]: gkr-pam: gnome-keyring-daemon didn't start properly Mar 2 15:20:34 localhost systemd[1878]: pam_unix(systemd-user:session): session opened for user jreiser by (uid=0) Mar 2 15:20:34 localhost systemd[1892]: pam_unix(systemd-user:session): session closed for user jreiser Mar 2 15:20:34 localhost lightdm[1869]: pam_systemd(lightdm:session): Failed to create session: Start job for unit user failed with 'failed' Mar 2 15:20:34 localhost lightdm[1869]: pam_unix(lightdm:session): session opened for user jreiser by (uid=0) Mar 2 15:20:34 localhost lightdm[1869]: pam_unix(lightdm:session): session closed for user jreiser ===== a couple more failures, this time for my attempts to log in. ===== Mar 2 15:21:04 localhost lightdm[1899]: pam_unix(lightdm-greeter:session): session closed for user lightdm Mar 2 15:21:05 localhost lightdm[1962]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied Mar 2 15:21:05 localhost lightdm[1954]: gkr-pam: gnome-keyring-daemon didn't start properly Mar 2 15:21:05 localhost systemd[1963]: pam_unix(systemd-user:session): session opened for user root by (uid=0) Mar 2 15:21:05 localhost lightdm[1954]: pam_systemd(lightdm:session): Failed to create session: Start job for unit user failed with 'failed' Mar 2 15:21:05 localhost lightdm[1954]: pam_unix(lightdm:session): session opened for user root by (uid=0) Mar 2 15:21:05 localhost lightdm[1954]: pam_unix(lightdm:session): session closed for user root ===== this time for 'root'.
3 attempts to Attach /var/log/secure each failed after more than one minute, displaying a page that said: ===== Bad Request Your browser sent a request that this server could not understand. ===== Browser is firefox-57.0.1-1.fc25.x86_64 .
I see the same problem using Fedora-Minimal-armhfp-28-20180301.n.1-sda.raw.xz. After final configuration in text mode, neither the local user nor root can log in using keyboard and VGA console. After accepting username and password, then there is a very brief message that seems to contain something like "no shell", then that line is erased and "login: " reappears. After shutdown by power-off, and mounting the uSDHC card on another system, then "journalctl --file=/var/log/journal/<SHA1>/user-1000.journal" says: ===== -- Logs begin at Sun 2018-03-04 15:01:15 PST, end at Sun 2018-03-04 15:02:03 PST. -- Mar 04 15:01:15 host.domain systemd[1611]: user: Failed to execute command: Permission denied Mar 04 15:01:15 host.domain systemd[1611]: user: Failed at step EXEC spawning /usr/lib/systemd/systemd: Permission denied Mar 04 15:01:15 host.domain systemd[1625]: pam_unix(systemd-user:session): session closed for user jreiser Mar 04 15:01:23 host.domain systemd[1631]: user: Failed to execute command: Permission denied Mar 04 15:01:23 host.domain systemd[1631]: user: Failed at step EXEC spawning /usr/lib/systemd/systemd: Permission denied Mar 04 15:01:23 host.domain systemd[1645]: pam_unix(systemd-user:session): session closed for user jreiser Mar 04 15:01:38 host.domain systemd[1671]: user: Failed to execute command: Permission denied Mar 04 15:01:38 nost.domain systemd[1671]: user: Failed at step EXEC spawning /usr/lib/systemd/systemd: Permission denied Mar 04 15:01:38 host.domain systemd[1685]: pam_unix(systemd-user:session): session closed for user jreiser Mar 04 15:02:03 host.domain systemd[1694]: user: Failed to execute command: Permission denied Mar 04 15:02:03 host.domain systemd[1694]: user: Failed at step EXEC spawning /usr/lib/systemd/systemd: Permission denied Mar 04 15:02:03 nost.domain systemd[1708]: pam_unix(systemd-user:session): session closed for user jreiser ===== and "journalctl --file=.../system.journal" says [excerpt]: ===== Mar 04 15:01:05 host.domain audit[1599]: USER_AUTH pid=1599 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:authentication grantors=pam_unix acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:05 host.domain audit[1599]: USER_ACCT pid=1599 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:07 host.domain audit[1599]: CRED_ACQ pid=1599 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:14 host.domain audit[1599]: USER_ROLE_CHANGE pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:14 host.domain systemd[1]: Created slice User Slice of jreiser. Mar 04 15:01:14 host.domain systemd[1]: Starting User Manager for UID 1000... Mar 04 15:01:14 host.domain systemd-logind[876]: New session 1 of user jreiser. Mar 04 15:01:15 host.domain systemd[1]: Started Session 1 of user jreiser. Mar 04 15:01:15 host.domain audit[1611]: USER_ACCT pid=1611 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="jreiser" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 04 15:01:15 host.domain audit[1611]: USER_ROLE_CHANGE pid=1611 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 04 15:01:15 host.domain systemd[1611]: pam_unix(systemd-user:session): session opened for user jreiser by (uid=0) Mar 04 15:01:15 host.domain audit[1611]: USER_START pid=1611 uid=0 auid=1000 ses=2 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jreiser" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 04 15:01:15 host.domain audit[1611]: AVC avc: denied { transition } for pid=1611 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="mmcblk0p4" ino=19360 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 Mar 04 15:01:15 host.domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Mar 04 15:01:15 host.domain audit[1599]: USER_START pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_lastlog acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:15 host.domain audit[1599]: CRED_REFR pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:15 host.domain audit[1599]: USER_LOGIN pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=login id=1000 exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:15 host.domain audit[1626]: AVC avc: denied { transition } for pid=1626 comm="login" path="/usr/bin/bash" dev="mmcblk0p4" ino=7216 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 Mar 04 15:01:16 host.domain audit[1599]: CRED_DISP pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:16 host.domain audit[1599]: USER_END pid=1599 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_lastlog acct="jreiser" exe="/usr/bin/login" hostname=host.domain addr=? terminal=tty1 res=success' Mar 04 15:01:15 host.domain systemd[1]: user: Failed with result 'protocol'. Mar 04 15:01:15 host.domain login[1599]: pam_systemd(login:session): Failed to create session: Start job for unit user failed with 'failed' Mar 04 15:01:15 host.domain systemd[1]: Failed to start User Manager for UID 1000. =====
Using the latest nominated nightly (Fedora-28-20180314.n.2), it still doesnt allow login but the avcs have changed: time->Fri Mar 16 18:32:47 2018 type=AVC msg=audit(1521239567.589:170): avc: denied { transition } for pid=1184 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=19350 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 18:32:47 2018 type=AVC msg=audit(1521239567.590:171): avc: denied { entrypoint } for pid=1184 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=19350 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 [root@localhost ~]# rpm -q selinux-policy selinux-policy-3.14.1-11.fc28.noarch
gnome-initial-setup fails on the Workstation image (Fedora-28-20180314.n.2): [root@localhost ~]# ausearch -ts recent -m avc,user_avc ---- time->Fri Mar 16 14:53:46 2018 type=AVC msg=audit(1521226426.489:139): avc: denied { transition } for pid=1007 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:53:46 2018 type=AVC msg=audit(1521226426.489:140): avc: denied { entrypoint } for pid=1007 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:55:08 2018 type=AVC msg=audit(1521226508.267:219): avc: denied { transition } for pid=1626 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:55:08 2018 type=AVC msg=audit(1521226508.267:220): avc: denied { entrypoint } for pid=1626 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:55:09 2018 type=AVC msg=audit(1521226509.681:231): avc: denied { transition } for pid=1671 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:55:09 2018 type=AVC msg=audit(1521226509.681:232): avc: denied { entrypoint } for pid=1671 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:55:57 2018 type=AVC msg=audit(1521226557.731:250): avc: denied { transition } for pid=1931 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="sda4" ino=39169 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:55:57 2018 type=AVC msg=audit(1521226557.732:251): avc: denied { entrypoint } for pid=1931 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="sda4" ino=39169 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:58:12 2018 type=AVC msg=audit(1521226692.864:274): avc: denied { transition } for pid=2839 comm="login" path="/usr/bin/bash" dev="sda4" ino=18214 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:58:12 2018 type=AVC msg=audit(1521226692.864:275): avc: denied { entrypoint } for pid=2839 comm="login" path="/usr/bin/bash" dev="sda4" ino=18214 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:59:09 2018 type=AVC msg=audit(1521226749.962:294): avc: denied { dyntransition } for pid=3085 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:59:09 2018 type=AVC msg=audit(1521226749.963:295): avc: denied { search } for pid=3085 comm="sshd" name="empty" dev="sda4" ino=130320 scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 ---- time->Fri Mar 16 14:59:17 2018 type=AVC msg=audit(1521226757.301:309): avc: denied { transition } for pid=3089 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 14:59:17 2018 type=AVC msg=audit(1521226757.301:310): avc: denied { entrypoint } for pid=3089 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=24906 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 14:59:17 2018 type=AVC msg=audit(1521226757.538:317): avc: denied { dyntransition } for pid=3125 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
Xfce(Fedora-28-20180314.n.2), fails on login: ---- time->Fri Mar 16 15:07:44 2018 type=AVC msg=audit(1521227264.943:218): avc: denied { transition } for pid=1852 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 ---- time->Fri Mar 16 15:07:55 2018 type=AVC msg=audit(1521227275.808:228): avc: denied { transition } for pid=1910 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="sda4" ino=53551 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 ---- time->Fri Mar 16 15:07:56 2018 type=AVC msg=audit(1521227276.145:233): avc: denied { transition } for pid=1911 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 ---- time->Fri Mar 16 15:07:56 2018 type=AVC msg=audit(1521227276.178:237): avc: denied { transition } for pid=1926 comm="lightdm" path="/etc/X11/xinit/Xsession" dev="sda4" ino=151809 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 ---- time->Fri Mar 16 19:08:56 2018 type=AVC msg=audit(1521241736.484:143): avc: denied { transition } for pid=1072 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 19:08:56 2018 type=AVC msg=audit(1521241736.484:144): avc: denied { entrypoint } for pid=1072 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 15:09:11 2018 type=AVC msg=audit(1521227351.920:199): avc: denied { transition } for pid=1359 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="sda4" ino=53551 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 15:09:11 2018 type=AVC msg=audit(1521227351.920:200): avc: denied { entrypoint } for pid=1359 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="sda4" ino=53551 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 15:09:12 2018 type=AVC msg=audit(1521227352.557:205): avc: denied { transition } for pid=1364 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 15:09:12 2018 type=AVC msg=audit(1521227352.557:206): avc: denied { entrypoint } for pid=1364 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 15:10:43 2018 type=AVC msg=audit(1521227443.545:217): avc: denied { dyntransition } for pid=1852 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 15:10:43 2018 type=AVC msg=audit(1521227443.546:218): avc: denied { search } for pid=1852 comm="sshd" name="empty" dev="sda4" ino=132530 scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 ---- time->Fri Mar 16 15:10:48 2018 type=AVC msg=audit(1521227448.640:232): avc: denied { transition } for pid=1857 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Fri Mar 16 15:10:48 2018 type=AVC msg=audit(1521227448.640:233): avc: denied { entrypoint } for pid=1857 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="sda4" ino=30228 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Fri Mar 16 15:10:49 2018 type=AVC msg=audit(1521227449.059:240): avc: denied { dyntransition } for pid=1883 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
Why is this specific to ARM-32 (armhfp)? What is it about armhfp that causes failure while x86_64 succeeds?
(In reply to John Reiser from comment #11) > Why is this specific to ARM-32 (armhfp)? What is it about armhfp that > causes failure while x86_64 succeeds? We don't generate disk images (yet) for x86 as they're generally not consumed like that, x86 tends to use Live images instead.
The problem is the init program did not transition out of kernel_t. When systemd runs it is supposed to transition to init_t. Figuring out why this is happening should fix the rest of the issues. Does restorecon -R -v / Change lots of labels?
Y(In reply to Daniel Walsh from comment #13) > The problem is the init program did not transition out of kernel_t. When > systemd runs it is supposed to transition to init_t. Figuring out why this > is happening should fix the rest of the issues. > > Does > restorecon -R -v / > > Change lots of labels? Yes, looks like just about everything.
peter: well, we do generate disk images for x86_64, don't we? The cloud images. They're not exactly the same, but we do build them. Do we know if those are hitting this too?
Ping? We are two days from Go/No-Go for Beta, and this is the only accepted blocker not showing obvious progress. I'll try and look into this myself, though it's not my area of expertise. I can at least see this, in mock_output.log from a recent F28 compose task - https://koji.fedoraproject.org/koji/taskinfo?taskID=25835616 : mount: /var/tmp/imgcreate-ScvDnf/install_root/sys/fs/selinux/load: mount point does not exist. /etc/selinux/targeted/contexts/files/file_contexts: No such file or directory I think this is coming from python-imgcreate (which is part of https://github.com/livecd-tools/livecd-tools ), imgcreate/creator.py , __create_selinuxfs() . No idea if it's actually related to the problem yet, though. Unfortunately I don't have any 'success case' logs to compare against; all f27 createAppliance tests are too old and have had their logs garbage collected.
Dan identified issue correctly, that's the reason why I asked about some changes on armhfp. There is a transition when kernel is executing systemd: #sesearch -T -s kernel_t -t init_exec_t -c process type_transition kernel_t init_exec_t:process init_t; I don't see this bug on x86_64, but here for some reason systemd is running under kernel_t which means there is no SELinux transition. Did anybody testes disk iamages for x86_64 from comment#15? Lukas.
Lukas: I'm trying to establish if someone's actually taken responsibility for figuring out *why* the labels seem to be wrong in the ARM disk images. Re #c15, the disk images we do build for x86_64 are actually built with a different toolchain (ImageFactory on x86_64, appliance-creator on armhfp), so they're not really comparable. I don't believe there are known SELinux issues with the x86_64 disk images, the Cloud ones are reported to be passing most tests.
Okay, I think I've just fixed this: there was not selinux-policy-targeted dragged into the mock, which meant livecd-tools did not have an selinux policy to tag things with (resulting in the "/etc/selinux/targeted/contexts/files/file_contexts: No such file or directory " error). I have added selinux-policy-targeted to the appliance-build group in koji, and am building a new livecd-tools that adds a dep on it, which would hopefully resolve this.
livecd-tools-25.0-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-58502a629f
> I have added selinux-policy-targeted to the appliance-build group in koji, > and am building a new livecd-tools that adds a dep on it, which would > hopefully resolve this. This seems sane, except that appliance-tools is used for the armv7 image creation so it makes sense to do the same with that package too.
appliance-tools depends on livecd-tools, so it will drag it in recursively. But as said, it's also added to the koji package group, so it's already dragged in without package updates. I am now building a test image, when that finishes I'll post the link for people to test.
Hi Patrick, Thank you for help on this. I'll change component for this ticket to livecd-tools. Lukas.
I'm currently looking into this (it looks like my initial fix wasn't enough), so will take this bug.
Okay, I've found the real problem and have a build now that fixes it. Basically, in 25.0, livecd-tools switched from a setfiles to a restorecon, but there is no selinux policy loaded in the chroot yet at this point (https://pagure.io/livecd-tools/c/1c2307ce8b5150265f60afd7cf8a5749a1d26f9e?branch=master). I am waiting for my fork to get created to submit the patch upstream, but I have made livecd-tools builds for rawhide and f28 that revert this patch, and my dry testing does confirm that it breaks with restorecon and works with the setfiles revert patch. livecd-tools-25.0-6.fc28 should fix this problem.
livecd-tools-25.0-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-58502a629f
livecd-tools-25.0-6.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-58502a629f
livecd-tools-25.0-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-58502a629f
Today compose (Fedora-Minimal-armhfp-28-20180323.n.0) on the Raspberry Pi 3 works like a charm.
Works fine on a Rpi 3
livecd-tools-25.0-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.