Description of problem:
right after login on desktop

SELinux is preventing (ostnamed) from 'remount' accesses on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (ostnamed) should be allowed remount access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                 [ filesystem ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-11.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.0-0.rc4.git0.1.fc28.x86_64 #1 SMP Mon Mar 5 04:54:32 UTC 2018 x86_64 x86_64
Alert Count                   20
First Seen                    2018-03-13 11:34:35 CET
Last Seen                     2018-03-13 11:51:12 CET
Local ID                      08d59971-90df-4097-a9ce-e5929809f238

Raw Audit Messages
type=AVC msg=audit(1520938272.489:206): avc: denied { remount } for pid=1787 comm="(fprintd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

Hash: (ostnamed),init_t,unlabeled_t,filesystem,remount

Version-Release number of selected component:
selinux-policy-3.14.1-11.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport
Description of problem:
I was downloading packages with firefox from koji.

Version-Release number of selected component:
selinux-policy-3.14.1-13.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc4.git0.1.fc28.x86_64
type:           libreport
Description of problem:
Just logged into a new gnome session

Version-Release number of selected component:
selinux-policy-3.14.1-13.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc5.git0.1.fc28.x86_64
type:           libreport
This is hitting almost all openQA tests lately. Nominating as an F28 Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."
selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
*** Bug 1555328 has been marked as a duplicate of this bug. ***
I am +1 Beta FE on this, it's clearly good to avoid AVCs out of the box (and it avoids an ocean of soft failures in openQA, and failures in some tests of Dusty's).
+1 final blocker and +1 beta FE.
+1 Beta FE and +1 Final Blocker
+1 Beta FE
Update selinux-policy-3.14.1-14.fc28 fixed this issue. I didn't get any error so far.
That's +4 FE, setting accepted.
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.