Description of problem:
I upgraded to systemd-239-6.git9f3aed1.fc29 from Koji. When I logged into Plasma twice after the systemd update, I saw the following denial of systemd-user-ru reading dbus-1 both times.

SELinux is preventing systemd-user-ru from 'read' accesses on the directory dbus-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-user-ru should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                dbus-1 [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.i686 #1 SMP Sat Oct 20 23:24:23 UTC 2018 i686 i686
Alert Count                   1
First Seen                    2018-10-29 19:00:20 EDT
Last Seen                     2018-10-29 19:00:20 EDT
Local ID                      0a27e642-2591-4cc8-82ed-35cc27318de0

Raw Audit Messages
type=AVC msg=audit(1540854020.470:439): avc: denied { read } for pid=14237 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=155422 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.i686
type:           libreport
Description of problem: Started system after latest update, appeared immediately without action after login. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Just logged into gnome Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Alert appears at every session log in. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Logged in after powering up my laptop, was presented with this shortly after the desktop appeared. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Through the usual steps of booting into the operating system, logging in to my user account, then into the desktop environment to be confronted with this alert of a problem. Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: This problem only occurs on system startup Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Updated Fedora with latest updates Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: updated to latest sepolicy in f29 (from f28 upgrade) Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: When I start up my computer, the SELinux system gives me this message. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: This occurred on boot up 15 seconds after the desktop loads. It occurs each time Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-200.fc28.x86_64 type: libreport
Description of problem: Just logged in after a dnf update. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: happens every time after login on gnome desktop Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Same happened to me after upgrading from 28 to 29. With so many confirmed reports it would be nice to have someone set the severity and priority and start looking at a fix. Sounds like pretty much all upgrades will encounter this issue (at least my fedora 28 installation was very standard).
Description of problem: Received SElinux alert after systemd update. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Happened after booting and logging in. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645498 has been marked as a duplicate of this bug. ***
Description of problem: Alert displayed after login Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: I upgraded F28 to F29 and logged in. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
The denial of systemd-user-ru reading the directory dbus-1 occurred after "Stopping User Runtime Directory /run/user/955..." in my journal messages. User 955 is lightdm, which is the display manager I'm using. I ran the following:

1. sudo ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
2. sudo semodule -X 300 -i my-systemduserru.pp
3. Log out of Plasma
4. Log into Plasma

I got the following denials of write and rmdir between systemd-user-ru and dbus-1 in the audit logs:

type=AVC msg=audit(1541156610.808:303): avc: denied { write } for pid=2079 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=34729 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1541156610.816:304): avc: denied { rmdir } for pid=2079 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=34729 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

After running those four steps again, I got the denial of remove_name between systemd-user-ru and dbus-1:

type=AVC msg=audit(1541157206.303:367): avc: denied { remove_name } for pid=2845 comm="systemd-user-ru" name="services" dev="tmpfs" ino=43444 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

I saw no further denials when logging out and back in to Plasma and GNOME. Adding the following line to the policy might resolve these denials:

allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };

When I logged out of Plasma and ran sudo systemctl stop lightdm then sudo systemctl start gdm from VT2, the gdm service started but gdm didn't appear. The journal messages showed the same denial of systemd-user-ru reading the directory dbus-1.

The following change in systemd-239-6.git9f3aed1.fc29 might be related to these denials.

"Creation of user runtime directories is improved, and the user manager is only stopped after 10 s after the user logs out (#1642460 and other bugs)"
https://bodhi.fedoraproject.org/updates/FEDORA-2018-c402eea18b
Description of problem: I opened the skype flatpak for the first time when the selinux error appeared. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: I've no idea how this happened. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645569 has been marked as a duplicate of this bug. ***
Ok... since that bug is secret but seems resolved (based on the strikethrough style) maybe you can share the workaround or ETA for a yum fix?
*** Bug 1645592 has been marked as a duplicate of this bug. ***
Description of problem: After startup, once the screen with the background had opened Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: reboot after upgrade from Fedora 28 to Fedora 29 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645364 has been marked as a duplicate of this bug. ***
eriklovlie, I'm not a Fedora maintainer/developer so I don't have access to #1642460. I'm just guessing from reading through the list of changes at https://bodhi.fedoraproject.org/updates/FEDORA-2018-c402eea18b based on what I wrote above, and the journal message "systemd[1]: Stopped User Manager for UID 955." also occurred right before the denial of systemd-user-ru. Adding the line

allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };

with semodule as a local policy rule should be a workaround until an official fix is available.

A line I wrote above should have been

After running those four steps again, I got the denial of remove_name between systemd-user-ru and the directory services (maybe /run/user/955/services).

I ran the part about gdm before I ran the steps involving ausearch and semodule. The journal message "at-spi-bus-launcher[1751]: Failed to launch bus: Failed to execute child process “/usr/bin/dbus-broker-launch” (No such file or directory)" happened when I tried to start gdm. I installed dbus-broker based on that and that error no longer showed up, but gdm still didn't start the X server properly. The issue with gdm wasn't just the denials related to systemd.
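Added example, not part of the original comments and not audit2allow's own code: it parses the four AVC records quoted earlier in this report (read, write, rmdir, remove_name), groups them by source type, target type and object class, and builds the combined rule, which matches the allow line proposed above. The function names and the one non-AVC sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# The four AVC records quoted in this report, plus one constructed
# non-AVC record to show that unrelated audit lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1540854020.470:439): avc: denied { read } for pid=14237 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=155422 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1541156610.808:303): avc: denied { write } for pid=2079 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=34729 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1541156610.816:304): avc: denied { rmdir } for pid=2079 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=34729 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1541157206.303:367): avc: denied { remove_name } for pid=2845 comm="systemd-user-ru" name="services" dev="tmpfs" ino=43444 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=USER_END msg=audit(1541157206.310:368): pid=2845 uid=0 msg='op=PAM:session_close res=success'
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context.

    The level may itself contain colons (s0:c0.c1023), so split at most
    three times and take the third field.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one raw audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", "?"),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except (KeyError, ValueError):
        return None  # truncated or malformed record


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(
        lambda: {"perms": set(), "comms": set(), "names": set(), "events": set()}
    )
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["names"].add(rec["name"])
        g["events"].add(rec["serial"])
    return dict(groups)


def to_allow_rules(groups):
    """Render one allow rule per group, permissions sorted alphabetically."""
    rules = []
    for (source, target, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, body))
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(groups):
        print(rule)
    for key, g in groups.items():
        # Shows which command and which directory names sit behind the rule.
        print(key, "comm:", sorted(g["comms"]), "objects:", sorted(g["names"]))
```

The rule is keyed on the init_t type, so it applies to every process running in that domain, while the summary shows that a single command, systemd-user-ru, produced all four denials.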
*** Bug 1644783 has been marked as a duplicate of this bug. ***
Description of problem:
SELinux is preventing systemd-user-ru from read access on the directory dbus-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-user-ru should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                dbus-1 [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux wealthseeker 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-02 23:24:31 IST
Last Seen                     2018-11-02 23:24:31 IST
Local ID                      829fa64f-1c1d-4ff9-9322-e6797371c97f

Raw Audit Messages
type=AVC msg=audit(1541181271.603:223): avc: denied { read } for pid=1545 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=31623 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Description of problem: I've just upgraded from Fedora 28 to Fedora 29 and every time I boot and then login into my account I receive this SELinux error message. I have done nothing if not upgrade the distro. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Installed all updates on F29 (updates-testing was enabled) and this error popped up Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Rendering video in blender Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Came after upgrading to Fedora 29 and first boot into Fedora 29. I have no idea why. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645685 has been marked as a duplicate of this bug. ***
Description of problem: After a clean upgrade to F29, at first login SELinux Alert browser shows this problem. Version-Release number of selected component: selinux-policy-(none):3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
I just did a reinstall using the new "UNOFFICIAL" image and after updating and rebooting the selinux warning never appeared. The re-installation also fixed bug 1399811.
*** Bug 1645721 has been marked as a duplicate of this bug. ***
Description of problem: Logged in to mate desktop when error appeared Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: I had a Fedora Mate Workstation 28 in a VM. After upgrading to Fedora 29 this selinux bug appears after logging in. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Just upgraded from Fedora 28 to Fedora 29. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
I had been running an F29 system that was upgraded to F28 just fine, until today. I now have this issue after

Upgrade  systemd-239-6.git9f3aed1.fc29.x86_64            @updates
Upgrade  systemd-container-239-6.git9f3aed1.fc29.x86_64  @updates
Upgrade  systemd-libs-239-6.git9f3aed1.fc29.x86_64       @updates
Upgrade  systemd-pam-239-6.git9f3aed1.fc29.x86_64        @updates
Upgrade  systemd-udev-239-6.git9f3aed1.fc29.x86_64       @updates

If I downgrade those packages, it is back to no AVC being generated.
Description of problem:
This problem has occurred after dnf -y upgrade on Fedora 29.

SELinux is preventing systemd-user-ru from read access on the directory dbus-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-user-ru should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                dbus-1 [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          wealthseeker
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wealthseeker
Platform                      Linux wealthseeker 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-02 23:24:31 IST
Last Seen                     2018-11-03 08:46:24 IST
Local ID                      829fa64f-1c1d-4ff9-9322-e6797371c97f

Raw Audit Messages
type=AVC msg=audit(1541214984.368:224): avc: denied { read } for pid=1486 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=29468 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Description of problem: I was starting my hp laptop Fedora 29 with xfce4 and this error keeps popping up Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: have fun Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Alert appeared after upgrading to Fedora Workstation 29. Repeats upon reboot after ignoring. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: First boot after upgrading f28 -> f29. F28 was freshly relabeled using touch /.autorelabel 1 day before upgrading. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.i686 type: libreport
Description of problem: login after upgrade to fedora 29 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: I upgraded to Fedora 28 and saw this error message after I rebooted the system for the first time. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem:
SELinux is preventing systemd-user-ru from read access on the directory dbus-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-user-ru should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                dbus-1 [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          WealthSeeker
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     WealthSeeker
Platform                      Linux WealthSeeker 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-11-03 21:06:47 IST
Last Seen                     2018-11-03 22:44:06 IST
Local ID                      dde8ef55-638b-45d3-a661-5283edeb7bce

Raw Audit Messages
type=AVC msg=audit(1541265246.660:350): avc: denied { read } for pid=6277 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=81080 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Description of problem: Default Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: At first boot after using dnf system-upgrade from fc28 to fc29. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: This problem occurred simply just by upgrading from 28 to 29 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645774 has been marked as a duplicate of this bug. ***
Hi All,
It looks like I found a workaround here, it works for me but could you please test it?
# semanage fcontext -a -t systemd_logind_exec_t /usr/lib/systemd/systemd-user-runtime-dir
# restorecon -v /usr/lib/systemd/systemd-user-runtime-dir
It fixed my rawhide, if somebody confirms that it is fixing your systems, I'll create selinux-policy updates ASAP.
(In reply to Lukas Vrabec from comment #55) I've just tested in an F29 VM and it has fixed the issue for me.
(In reply to Lukas Vrabec from comment #55) The change indeed fixed the issue in my F29. Thanks.
(In reply to Lukas Vrabec from comment #55) Same for me. The change indeed fixed the issue in my F29. Thanks.
Description of problem: This happened at login (KDE) Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Logged in, then opened the Terminal application. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem:
After upgrading from F28 to F29, this alert is displayed right after logging in to Gnome. Example from the boot log:
# sealert -l 06716cca-0d0b-4668-b50e-1804c85081f1
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)
  import dbus.glib
SELinux is preventing systemd-user-ru from read access on the directory dbus-1.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-ru should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                dbus-1 [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          horus
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     horus
Platform                      Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-03 20:06:35 PDT
Last Seen                     2018-11-03 20:06:35 PDT
Local ID                      06716cca-0d0b-4668-b50e-1804c85081f1
Raw Audit Messages
type=AVC msg=audit(1541300795.811:331): avc: denied { read } for pid=2860 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=43189 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,read
Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch
Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Happens every boot Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: in opening my user environment Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: At boot. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: I have no idea what caused the problem, I am not a very skilled Linux user, I do not even know if it is a bug or what it is, hope it helps. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
commit 004021c7803c138cada8d7f97d96fcd03d7650e3 (HEAD -> f29, origin/f29)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Nov 4 01:41:29 2018 +0100
    Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
*** Bug 1645838 has been marked as a duplicate of this bug. ***
*** Bug 1645819 has been marked as a duplicate of this bug. ***
*** Bug 1613635 has been marked as a duplicate of this bug. ***
*** Bug 1645858 has been marked as a duplicate of this bug. ***
Description of problem: this SELinux alert opens every time I log into my desktop, Gnome/Plasma/MATE/Cinnamon, 100% reproducible Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-200.fc28.x86_64 type: libreport
Description of problem: just logged in Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1645914 has been marked as a duplicate of this bug. ***
Description of problem: At system startup Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
(In reply to Lukas Vrabec from comment #55)
> Hi All,
>
> It looks like I found a workaround here, it works for me but could you please test it?
>
> # semanage fcontext -a -t systemd_logind_exec_t /usr/lib/systemd/systemd-user-runtime-dir
> # restorecon -v /usr/lib/systemd/systemd-user-runtime-dir
>
> It fixed my rawhide, if somebody confirms that it is fixing your systems, I'll create selinux-policy updates ASAP.
Lukas, that fixed my upgraded F26>F27>F28>F29 workstation. As well as my various QA F29 environments. That is a good fix, Sir.
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
Description of problem: I just updated the system (dnf update --exclude dstat) and rebooted. After logging in to KDE I got this message. It appeared on my PC and my Laptop also. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: This happens when I log into gnome desktop. Upgraded from F28 to F29. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
selinux-policy-3.14.2-41.fc29.noarch fixes the problem, sorry for the noise.
Description of problem: Updated from Fedora 28 to Fedora 29. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Review of journal after reboot showed this error. It seems to occur after dbus-daemon[987]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.27' Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: default Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: used dnf to upgrade from 28 to 29, then installed kernel update, then selinux alert occurred on reboot. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.16.12-300.fc28.x86_64+debug type: libreport
Description of problem: I rebooted, logged in, and then saw this alert. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1646725 has been marked as a duplicate of this bug. ***
Description of problem: Added a largish set of updates via dnfdragora and this error occurred after a reboot. Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Installed Packages
selinux-policy.noarch 3.14.2-42.fc29 @@commandline
selinux-policy-devel.noarch 3.14.2-42.fc29 @@commandline
selinux-policy-targeted.noarch 3.14.2-42.fc29 @@commandline
These packages from koji fixed this for me.
Gene
selinux-policy-3.14.2-41.fc29 resolves the issue for me.
Description of problem: This problem happens immediately after booting to Fedora 29. Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1646939 has been marked as a duplicate of this bug. ***
Description of problem: This problem happens every time I log in to my GNOME session in Fedora 29. Fedora 28 was fine. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Started happening after upgrade fedora 28->29 using default "Software" app online upgrade. Alert on each login. Tried `fixfiles reboot`, still occurs. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Since update to Fedora 29 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
*** Bug 1647121 has been marked as a duplicate of this bug. ***
*** Bug 1647138 has been marked as a duplicate of this bug. ***
Description of problem: Log into Gnome desktop after upgrading Fedora 28 to 29. Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: During an OS upgrade to 29 from 28 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Booted on Fedora KDE Spin 29. Bug occurred immediately. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: it happens during system startup Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: This happens after every boot. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Reboot Login to KDE Error Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
I'm getting:
dnf search -v selinux-policy |grep 3.14
Provide : selinux-policy = 3.14.2-40.fc29
And not selinux-policy-3.14.2-41.fc29
Maybe we have to wait.
(In reply to Fedora Update System from comment #100)
> selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
dnf --enablerepo=updates-testing update selinux-policy
That should do the trick. Otherwise wait for it to hit the updates repository.
Description of problem: Running my XFCE desktop. No idea what triggers it. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
(In reply to raynaud from comment #64)
> Description of problem:
> At boot.
>
> Version-Release number of selected component:
> selinux-policy-3.14.2-40.fc29.noarch
>
> Additional info:
> reporter: libreport-2.9.6
> hashmarkername: setroubleshoot
> kernel: 4.18.16-300.fc29.x86_64
> type: libreport
Solved after the update to 3.14.2-41.fc29
Same here +1
Description of problem: xfce click on "activities" Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Just opened my laptop from being in sleep for a couple of days and got this error Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: just started my computer Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.17-300.fc29.x86_64 type: libreport
Description of problem: * Not 100% sure which packages were installed but this is a fresh installation of Fedora 29 Cinnamon spin * AVC denial message pops up as soon as I log in and the window manager starts. I assume that some package which was installed does not play nice with SELinux even in its default configuration. Version-Release number of selected component: selinux-policy-3.14.2-41.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Error appeared after an OS upgrade. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
Description of problem: Not sure how this happened Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.2-301.fc29.x86_64 type: libreport
Description of problem: Steps to Reproduce: 1) Boot up Fedora KDE spin 2) See this SELinux problem every time. Frequency of occurrence: Every time on boot. Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.3-300.fc29.x86_64 type: libreport
Description of problem: The problem occurred right after system startup. No application is running yet. Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.2-301.fc29.x86_64 type: libreport
This is still occurring with a fresh install of FC29, with (the latest) selinux-policy-3.14.2-42.fc29 installed. Why has this been closed? Is there some manual step that needs to be taken to clear it up?
(In reply to Jeremy Petersen from comment #117)
> This is still occurring with a fresh install of FC29, with (the latest) selinux-policy-3.14.2-42.fc29 installed. Why has this been closed?
>
> Is there some manual step that needs to be taken to clear it up?
This entry was closed because selinux-policy-3.14.2-41.fc29 was pushed to stable as shown in comment 100 above. If systemd-239-6.git9f3aed1 were upgraded after selinux-policy-3.14.2-42 on a system, then /usr/lib/systemd/systemd-user-runtime-dir might have been mislabelled init_t instead of systemd_logind_exec_t. Running the following lines as root suggested by Lukas Vrabec in comment 55 should resolve the denial.
# semanage fcontext -a -t systemd_logind_exec_t /usr/lib/systemd/systemd-user-runtime-dir
# restorecon -v /usr/lib/systemd/systemd-user-runtime-dir
Description of problem: This is clean installation. I got this error after first login ... Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.6-300.fc29.x86_64 type: libreport
(In reply to Jeremy Petersen from comment #117)
> This is still occurring with a fresh install of FC29, with (the latest) selinux-policy-3.14.2-42.fc29 installed. Why has this been closed?
I second the question
this happened to me on clean netinstall = with updates already pulled in
so this obviously is NOT fixed in those packages (selinux-policy-3.14.2-42.fc29.noarch, systemd-239-6.git9f3aed1.fc29.x86_64)
FYI... running the commands included by Matt above in comment 118 (originally by Lukas Vrabec in comment 55) as root corrected the issue for me on the latest packages. Why this is still necessary to do on a fresh netinstall image is the remaining question though. This was the case for me as well. Running these commands manually following a fresh netinstall should obviously not be necessary. Thanks for the information on the commands. Please correct this permanently for the netinstall image.
Karel and Jeremy, if the netinstall image contained systemd-239-3 and selinux-policy-3.14.2-40 from the time F29 was released, and then during the installation or upgrade dnf upgraded systemd-239-6.git9f3aed1 after selinux-policy-3.14.2-42, then /usr/lib/systemd/systemd-user-runtime-dir might have been mislabelled init_t instead of systemd_logind_exec_t. I'm guessing that systemd might need to be updated so that /usr/lib/systemd/systemd-user-runtime-dir has the systemd_logind_exec_t label, so I'm reassigning this entry to systemd. Could the systemd maintainers set the /usr/lib/systemd/systemd-user-runtime-dir label to system_u:object_r:systemd_logind_exec_t:s0 if it isn't already and they think that would be appropriate? Thanks.
Hi,
/usr/lib/systemd/systemd-user-runtime-dir is already labeled as systemd_logind_exec_t and this bug should be fixed. So I'm not sure that is the problem here.
(In reply to Lukas Vrabec from comment #123)
> Hi,
>
> /usr/lib/systemd/systemd-user-runtime-dir is already labeled as systemd_logind_exec_t and this bug should be fixed. So I'm not sure that is the problem here.
Lukas, is it possible that the part of selinux-policy-3.14.2-42 that labels /usr/lib/systemd/systemd-user-runtime-dir as systemd_logind_exec_t wasn't run during the netinstalls that Karel and Jeremy did? If that happened, then the label of /usr/lib/systemd/systemd-user-runtime-dir might have remained init_t. I'm guessing that /usr/lib/systemd/systemd-user-runtime-dir was labelled init_t in Karel and Jeremy's cases since they said the same denial happened for them and Karel's report in comment 119 appeared to match this report using setroubleshooter. Could Karel and Jeremy check what the audit messages for the denials they reported were and the journal messages using journalctl and /var/log/dnf.log from when they did the netinstalls to see if dnf upgraded systemd-239-6.git9f3aed1 after selinux-policy-3.14.2-42 or not?
If the systemd packages were updated to run the semanage and restorecon commands that Lukas wrote in comment 55 on /usr/lib/systemd/systemd-user-runtime-dir before the package was created or in an appropriate scriptlet, it might make sure that systemd-user-runtime-dir is labelled systemd_logind_exec_t in the cases that the systemd update reverted the label to init_t or the selinux-policy package part that labels systemd-user-runtime-dir as systemd_logind_exec_t wasn't run properly. A selinux-policy package update might be a more direct way to address this issue if the part that labels systemd-user-runtime-dir as systemd_logind_exec_t wasn't run properly during the netinstall process.
Description of problem: Every time I turn on the PC, this is the message I have. My graphic video card is RTX2080 Version-Release number of selected component: selinux-policy-3.14.2-44.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.13-300.fc29.x86_64 type: libreport
Description of problem: After updating Selinux with full update dnf update Version-Release number of selected component: selinux-policy-3.14.2-46.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.15-300.fc29.x86_64 type: libreport
Description of problem: Every time on reboot Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.15-300.fc29.x86_64 type: libreport
Description of problem: Today made SELinux policies update dnf update, however the error still occurs Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.20.3-200.fc29.x86_64 type: libreport
(In reply to Matt Fagnani from comment #124)
> Could Karel and Jeremy check what the audit messages for the denials they reported were and the journal messages using journalctl and /var/log/dnf.log from when they did the netinstalls to see if dnf upgraded systemd-239-6.git9f3aed1 after selinux-policy-3.14.2-42 or not?
unfortunately, I don't have that system available any longer to inspect the logs
what I can say is that I've installed another machine recently and I'm not getting any such errors - has anything changed over the Christmas?
but according #c125 and #c126 some people still see that ... strange
Description of problem: Computer booted up, logged in from GDM Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.20.3-200.fc29.x86_64 type: libreport
(In reply to Karel Volný from comment #129)
> unfortunately, I don't have that system available any longer to inspect the logs
>
> what I can say is that I've installed another machine recently and I'm not getting any such errors - has anything changed over the Christmas?
>
> but according #c125 and #c126 some people still see that ... strange
Karel, there were selinux-policy-3.14.2-44 through 3.14.2-47 and systemd-239-7.git9f3aed1 to 239-9.gite339eae updates submitted though I don't see anything related to systemd-user-runtime-dir in their changelogs at
https://koji.fedoraproject.org/koji/buildinfo?buildID=1179987
https://koji.fedoraproject.org/koji/buildinfo?buildID=1182110
I guess that the continued reports of this error are due to systemd-user-runtime-dir being mislabelled init_t for some reason such as those I previously mentioned in comment 122 and comment 124. If anyone who still sees this denial could check their audit, journal, and dnf logs to see if there were errors when selinux-policy or systemd packages were upgraded or if systemd was upgraded after selinux-policy, that information might help to find the reason for the continuing denials.
Description of problem: Just after my session loggin. At every time my system ask my to type the password for Nextcloud (possible little issue with the polkit ?) I suppose it is linked... I do anything in same time. The issue coming just after the boot when I type my password for Nextcloud... Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.20.3-200.fc29.x86_64 type: libreport
Description of problem: Fedora Server 29 Netinstall was installed as KDE Workspace + KDE Applications Version-Release number of selected component: selinux-policy-3.14.2-48.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.8-200.fc29.x86_64 type: libreport
(In reply to Lukas Vrabec from comment #55)
> It looks like I found a workaround here, it works for me but could you please test it?
>
> # semanage fcontext -a -t systemd_logind_exec_t /usr/lib/systemd/systemd-user-runtime-dir
> # restorecon -v /usr/lib/systemd/systemd-user-runtime-dir
>
> It fixed my rawhide, if somebody confirms that it is fixing your systems, I'll create selinux-policy updates ASAP.
I can confirm this fixes the SELinux denial and the following popup. However, it looks like systemd-user-runtime-dir is broken somehow. After allowing it to write to my home directory, I have directories with random names being created in my home directory every time I log in. And it doesn't look like an encoding problem, since those random directory names contain latin characters and digits. I'm not sure if I should open a new bugreport, or this can be fixed right here. My system-wide language setting is Russian and encoding is UTF-8.
P.S. Same happened after I "fixed" systemd-user-runtime-dir as the error popup suggests it (e.g. creating a custom .pp file and installing it).
Description of problem: Just after install Fedora 29 Server Netinstall with KDE Workspace + KDE Applications. After login Version-Release number of selected component: selinux-policy-3.14.2-48.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.8-200.fc29.x86_64 type: libreport
Description of problem: After login to the fresh installation of Fedora 29 Server Netinstall with KDE Workspace Version-Release number of selected component: selinux-policy-3.14.2-48.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.8-200.fc29.x86_64 type: libreport
Andrew, the directories with random names being created might be due to an issue with abrt 2.11.1-2 as described at
https://bugzilla.redhat.com/show_bug.cgi?id=1665740
https://bodhi.fedoraproject.org/updates/FEDORA-2019-b5c308118f
Updating to the latest abrt-2.12.0-2.fc29 packages should stop those random directories from being created. The random directories can be removed.
Anton, since you used a F29 netinstall image as did Karel in comment 120 and Jeremy in comment 121, these continued denials might be related to the F29 netinstall images and/or upgrading from them. Could anyone who still sees these denials mention if they used a F29 netinstall image? The output of ls -lZ /usr/lib/systemd/systemd-user-runtime-dir and the full audit message of the denial might also be informative. Running the commands suggested by Lukas in comment 55 relabels /usr/lib/systemd/systemd-user-runtime-dir to systemd_logind_exec_t and should stop these denials.
Description of problem: SELinux error on bootup after update. Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport
(In reply to Matt Fagnani from comment #137)
> Andrew, the directories with random names being created might be due to an issue with abrt 2.11.1-2 as described at
> https://bugzilla.redhat.com/show_bug.cgi?id=1665740
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-b5c308118f
> Updating to the latest abrt-2.12.0-2.fc29 packages should stop those random directories from being created. The random directories can be removed.
>
> Anton, since you used a F29 netinstall image as did Karel in comment 120 and Jeremy in comment 121, these continued denials might be related to the F29 netinstall images and/or upgrading from them. Could anyone who still sees these denials mention if they used a F29 netinstall image? The output of ls -lZ /usr/lib/systemd/systemd-user-runtime-dir and the full audit message of the denial might also be informative. Running the commands suggested by Lukas in comment 55 relabels /usr/lib/systemd/systemd-user-runtime-dir to systemd_logind_exec_t and should stop these denials.
I just recently did a Netinstall (Cinnamon) and am getting these errors.
# ls -lZ /usr/lib/systemd/systemd-user-runtime-dir
-rwxr-xr-x. 1 root root system_u:object_r:systemd_logind_exec_t:s0 20200 Feb 8 02:09 /usr/lib/systemd/systemd-user-runtime-dir
Though I have already run the fix commands.
SELinux is preventing systemd-user-ru from remove_name access on the directory services.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-ru should be allowed remove_name access on the services directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                services [ dir ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-48.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.20.8-200.fc29.x86_64 #1 SMP Wed Feb 13 13:08:05 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-02-16 21:23:11 CST
Last Seen                     2019-02-19 18:15:08 CST
Local ID                      b6e1c91d-f1d5-4b57-94e9-81d1bd97f0b1
Raw Audit Messages
type=AVC msg=audit(1550621708.581:238): avc: denied { remove_name } for pid=2339 comm="systemd-user-ru" name="services" dev="tmpfs" ino=31871 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
Hash: systemd-user-ru,init_t,session_dbusd_tmp_t,dir,remove_name
*** Bug 1683505 has been marked as a duplicate of this bug. ***
I know I'm late to the game. I fell into this same problem while I was assessing the rolling out of a F29 deployment. My testing environment consists of a VM with https://download.fedoraproject.org/pub/fedora/linux/releases/29/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-29-1.2.iso and a kickstart configuration to download and install the latest packages from the "updates" repo.
For reference, installed relevant packages:
selinux-policy.noarch 3.14.2-49.fc29 @updates
selinux-policy-targeted.noarch 3.14.2-49.fc29 @updates
systemd.x86_64 239-12.git8bca462.fc29 @updates
# ls -lZ /usr/lib/systemd/systemd-user-runtime-dir
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 20200 Feb 21 00:51 /usr/lib/systemd/systemd-user-runtime-dir
# ausearch -c 'systemd-user-ru'
----
time->Sun Mar 3 19:21:56 2019
type=AVC msg=audit(1551612116.185:419): avc: denied { read } for pid=28198 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=27007 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
----
time->Sun Mar 3 19:44:06 2019
type=AVC msg=audit(1551613446.361:728): avc: denied { read } for pid=3009 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=25001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
----
time->Sun Mar 3 19:44:39 2019
type=AVC msg=audit(1551613479.577:767): avc: denied { read } for pid=3094 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=32482 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
----
time->Sun Mar 3 19:45:00 2019
type=AVC msg=audit(1551613500.982:786): avc: denied { read } for pid=3700 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=30764 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
If there is any more info I can provide to help pinpoint the nature of the problem then do reach out.
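The ausearch output in the comment above repeats one denial with a different pid and inode each time. As an added example (not part of the original comment and not code from setroubleshoot or the audit tools), this parser reduces AVC records to a signature of command, source type, target type, class and permission so that repeats collapse into one policy question; the function names and the third sample record are assumptions made for the illustration.

```python
import re
from collections import Counter

# First two records are copied from the ausearch output quoted above;
# the third is constructed so the grouping has a second signature to separate.
SAMPLE = """\
type=AVC msg=audit(1551612116.185:419): avc: denied { read } for pid=28198 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=27007 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551613446.361:728): avc: denied { read } for pid=3009 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=25001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551613500.000:800): avc: denied { write } for pid=4000 comm="example" name="constructed" dev="tmpfs" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"comm", "scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or malformed record
    rec["perms"] = ",".join(m.group("perms").split())
    # Contexts are user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def signature(rec):
    """Identity of a denial: pid, inode and timestamp are deliberately left out."""
    return (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])


def summarize(text):
    """Count denials per signature and record whether any of them was enforced."""
    counts, enforced = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            sig = signature(rec)
            counts[sig] += 1
            enforced[sig] = enforced.get(sig, False) or rec["enforced"]
    return counts, enforced


if __name__ == "__main__":
    counts, enforced = summarize(SAMPLE)
    for sig, n in counts.most_common():
        print(n, "enforced" if enforced[sig] else "permissive", *sig)
```

The source type in the signature is the field to watch after relabelling the helper binary: the same denial reappearing with init_t as the source means the process is still running in the init domain.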
Shad and C L, since your audit messages have /usr/lib/systemd/systemd-user-runtime-dir originally labelled as init_t as I and others saw with selinux-policy-3.14.2-40, and https://download.fedoraproject.org/pub/fedora/linux/releases/29/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-29-1.2.iso was last modified 2018-10-24, I guess that the F29 netinstall images haven't been updated from the time of the F29 release around the end of October. I suppose that /usr/lib/systemd/systemd-user-runtime-dir might not be relabelled from init_t to systemd_logind_exec_t when updating selinux-policy from the netinstall images for some unknown reason. Searching the output of commands like the following for errors involving the selinux-policy or systemd images being updated for the date when the netinstall and the first update were done might help to identify the reason:
journalctl --since 2019-02-01
sudo ausearch -ts 2019-02-01 | less
sudo less /var/log/dnf.log
C L, running the commands suggested by Lukas in comment 55 relabels /usr/lib/systemd/systemd-user-runtime-dir to systemd_logind_exec_t and should stop these denials. Those commands could be run in a script when you do each installation.
If the F29 netinstall images were rebuilt to have selinux-policy-3.14.2-49 at least if not the other latest stable rpms, then these denials might not occur for those using them for new installations. I don't know if the release netinstall images are allowed to be rebuilt. If the release engineering maintainers were contacted, they might be able to assess this issue and whether rebuilding the F29 netinstall images would be appropriate. I'm not sure who to contact in release engineering. If anyone knows who to contact, please let me know or cc them. Thanks.
Release images are never rebuilt. There are unofficial respins of some (one?) live images, but that's all. However, since the netinstall is installing from updates, I don't understand why there's a problem. It should be using the fixed packages.
Samuel, thanks for clarifying that issue for me. If the commands suggested by Lukas in comment 55 were added to an appropriate selinux-policy (or systemd) scriptlet, then they might relabel /usr/lib/systemd/systemd-user-runtime-dir to systemd_logind_exec_t for the netinstalls once the update gets to the updates repo. I suggested something like that in comment 124, but I didn't see such a change tried.
Description of problem: So I just installed Fedora 29 and this pops up, and when you allow a local policy, more setroubleshoot alerts Version-Release number of selected component: selinux-policy-3.14.2-49.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.13-200.fc29.x86_64 type: libreport
Description of problem: Booting Fedora under the Parallels hypervisor. Version-Release number of selected component: selinux-policy-3.14.2-49.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.13-200.fc29.x86_64 type: libreport
Description of problem: OS has just been installed using original network installation media then started. Version-Release number of selected component: selinux-policy-3.14.2-51.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.3-200.fc29.x86_64 type: libreport
Description of problem: It verifies every time at the boot. Version-Release number of selected component: selinux-policy-3.14.2-51.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.4-200.fc29.x86_64 type: libreport
*** Bug 1695487 has been marked as a duplicate of this bug. ***
Description of problem: Fresh install with KDE Plasma + Extras. Problem repeats on every startup. Accompanied by this message: "We're sorry, it looks like BOOT_IMAGE=/vmlinuz-5.0.5-200.fc29.x86_64 crashed. Please contact the developer if you want to report the issue. We're sorry, it looks like /usr/bin/python3 crashed. Please contact the developer if you want to report the issue." Version-Release number of selected component: selinux-policy-3.14.2-51.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.5-200.fc29.x86_64 type: libreport
Description of problem: Fresh Fedora 29 install (Xfce), system is up-to-date Version-Release number of selected component: selinux-policy-3.14.2-53.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.7-200.fc29.x86_64 type: libreport
Description of problem: Started the computer. Logged in at GUI. Connected BroadBand Cellular Modem to AirTel. Version-Release number of selected component: selinux-policy-3.14.2-54.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.7-200.fc29.x86_64 type: libreport
Fedora 29, I got this error as well, identified through running.
grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1556820258.900:231): avc: denied { read } for pid=1877 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=35162 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
selinux-policy.noarch 3.14.2-54.fc29
selinux-policy-targeted.noarch 3.14.2-54.fc29
Kernel : 5.0.9-200.fc29.x86_64
(In reply to jeffj1101 from comment #153)
> Fedora 29, I got this error as well, identified through running. grep
> "denied" /var/log/audit/audit.log
>
> type=AVC msg=audit(1556820258.900:231): avc: denied { read } for pid=1877
> comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=35162
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
>
> selinux-policy.noarch 3.14.2-57.fc29
>
> selinux-policy-targeted.noarch 3.14.2-57.fc29
>
> Kernel : 5.0.9-200.fc29.x86_64
The following commands did not help:
semanage fcontext -a -t systemd_logind_exec_t /usr/lib/systemd/systemd-user-runtime-dir
restorecon -v /usr/lib/systemd/systemd-user-runtime-dir
Description of problem: Machine boot after update Version-Release number of selected component: selinux-policy-3.14.2-59.fc29.noarch Additional info: reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.1.6-200.fc29.x86_64 type: libreport
Fixes backported also to F29:
commit 5ab72356a64a4da93c3b95f8f75f51c8ce1398d6 (HEAD -> f29, origin/f29)
Author: Lukas Vrabec <lvrabec>
Date: Fri May 17 23:16:50 2019 +0200
    Allow init_t to manage session_dbusd_tmp_t dirs
https://github.com/fedora-selinux/selinux-policy/commit/5ab72356a64a4da93c3b95f8f75f51c8ce1398d6
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.