do we know for sure this is only an issue on Atomic Workstation and doesn't affect normal Workstation?

If it's normal Workstation then it's a blocker. If only Atomic Workstation then probably not a blocker but worth an FE. I'll propose as FE for now.

Proposed as a Freeze Exception for 28-beta by Fedora user dustymabe using the blocker tracking app because:

 SELinux issue blocking gdm from starting on Atomic Workstation

Yes, it's only Atomic Workstation.

openQA has been catching this for days - e.g. https://openqa.stg.fedoraproject.org/tests/262649 - but I haven't had time to file it; thanks for doing it, Jonathan.

+1 FE.

I'm wondering if the issue here may in fact be that we don't have correct SELinux labels in the AW ostree, rather than a policy problem? The fact that regular Workstation works fine rather suggests this may be the case, to me.

At least for the few denials that have target names I recognize, looks like default_t is indeed declared as the correct label:

[root@localhost ~]# matchpathcon /tmp/.ICE-unix
/tmp/.ICE-unix  system_u:object_r:default_t:s0
[root@localhost ~]# matchpathcon /tmp/.X11-unix
/tmp/.X11-unix  system_u:object_r:default_t:s0

default_t looks like a major labeling issue.  default_t is the label of any directories in / that the kernel does not know about.

We might have a new directory in atomic workstation that needs a label, or everything is screwed up.  I would figure these files should be labeled user_tmp_t.

ls -lZd /tmp

Hmm, I wonder if this is due to /tmp being a symlink to /sysroot/tmp. Though I'm not sure how since it's been that way for a while now. E.g. even on my current FAW 27:

$ ls -ldZ /tmp
lrwxrwxrwx. 3 root root system_u:object_r:tmp_t:s0 11 Sep 10  2017 /tmp -> sysroot/tmp
$ ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 4096 Mar 20 17:16 /tmp/.X11-unix

Hmmm:

$ matchpathcon $(realpath /tmp/.X11-unix)
/sysroot/tmp/.X11-unix  system_u:object_r:default_t:s0

Did file context lookups change to using the realpath maybe?

ok a bit of interesting informtion. On F27AH (i know this bug report is against FAW, but I don't have one of those running right now, this data should be the same either way): 

```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 6 Mar 23 17:54 /tmp/.X11-unix                   
# matchpathcon -V /tmp/.X11-unix                                              
/tmp/.X11-unix has context system_u:object_r:user_tmp_t:s0, should be system_u:object_r:default_t:s0    
#                         
# rpm -q selinux-policy   
selinux-policy-3.13.1-283.17.fc27.noarch
```

on F28AH

```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix                                                     
drwxrwxrwt. 2 root root system_u:object_r:default_t:s0 6 Mar 23 17:47 /tmp/.X11-unix                    
# matchpathcon -V /tmp/.X11-unix                                             
/tmp/.X11-unix verified.  
# rpm -q selinux-policy  
selinux-policy-3.14.1-14.fc28.noarch
```


So on F27 and F28 the policy is the same.

On F27 the file context is `user_tmp_t` but matchpathcon thinks it should be `default_t`.

On F28 the file context is `default_t` and the file *is* `default_t`.

on this rawhide atomic ws, I have /tmp -> /sysroot/tmp, but no sign of a tmpfs mounted there

So, dropping the `/tmp --> /sysroot/tmp` symlink and letting tmp.mount do its thing, we do get the proper labeling, and gdm comes up.

rpm-ostree has a `tmp-is-dir` option which today defaults to `false`. See:

https://rpm-ostree.readthedocs.io/en/latest/manual/treefile/
https://github.com/projectatomic/rpm-ostree/pull/778
https://github.com/projectatomic/rpm-ostree/issues/820

So one thing we could do to work around this is turn it on for FAW28?

I suspect this is because we aren't using tmpfs-on-tmp by default; https://github.com/projectatomic/rpm-ostree/pull/778

I think we should unconditionally enable tmp-is-dir for FAW.  Looking into that now.

(In reply to Colin Walters from comment #11)
> I suspect this is because we aren't using tmpfs-on-tmp by default;
> https://github.com/projectatomic/rpm-ostree/pull/778

We've been doing that for a while now, though. 

> 
> I think we should unconditionally enable tmp-is-dir for FAW.  Looking into
> that now.

That is fine for a workaround, but I'd definitely be interested in the root cause. i.e. What changed? Was it by-design? Is it desired behavior?

Lukas did a new build.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1062582

Still the question in my last comment remains

https://pagure.io/workstation-ostree-config/pull-request/80

Confirmed fixed in latest build.

selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as this is preventing Atomic Workstation installs from booting, and we would like these fixed for Beta.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt

selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

I am getting selinux denials and GDM gets locked up after showing just the mouse cursor. My machine was recently updated from FC27 to FC28 and does not use Atomic (as far as I know):

may 04 21:44:46 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0

Full case and log in https://bugzilla.redhat.com/show_bug.cgi?id=1575194 .