Bug 1735481 - selinux AVC denied create for modprobe and d-logind, results in startup hang before gdm/shell
Keywords:
Status: CLOSED DUPLICATE of bug 1734831
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F31BetaBlocker
Reported: 2019-07-31 22:47 UTC by Chris Murphy
Modified: 2019-08-01 06:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-01 06:06:21 UTC
Type: Bug
Embargoed:


Attachments
journal (201.22 KB, text/plain)
2019-07-31 22:47 UTC, Chris Murphy

Description Chris Murphy 2019-07-31 22:47:13 UTC
Description of problem:

Failure during startup of Fedora-Workstation-Live-x86_64-Rawhide-20190731.n.0.iso

Version-Release number of selected component (if applicable):
systemd-243~rc1-1.fc31.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Boot
2.
3.

Actual results:

Multiple "Failed to start Login Service" messages, followed by a hang while still in text startup, "Started GNOME Display Manager" appears but no gdm.

via early debug shell I see this

[   20.508996] localhost-live systemd[1]: systemd-logind.service: Start request repeated too quickly.
[   20.509133] localhost-live systemd[1]: systemd-logind.service: Failed with result 'exit-code'.

Expected results:

Should get to gdm.

Additional info:

Comment 1 Chris Murphy 2019-07-31 22:47:49 UTC
Created attachment 1596824
journal

Comment 2 Chris Murphy 2019-07-31 22:49:47 UTC
Succeeds with enforcing=0

[   17.511743] localhost audit[1231]: AVC avc:  denied  { create } for  pid=1231 comm="(modprobe)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
[   17.511882] localhost systemd[1231]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
[   17.512664] localhost systemd[1231]: systemd-logind.service: Failed at step (null) spawning /sbin/modprobe: Permission denied
[   17.518924] localhost polkitd[1229]: Started polkitd version 0.116
[   17.524663] localhost audit[1232]: AVC avc:  denied  { create } for  pid=1232 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
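
Added example, not part of the original report or of any Fedora tooling: a small triage script that parses the journal lines quoted in comment 2 and collapses the AVC denials into unique access vectors. It shows that the (modprobe) and (d-logind) records are one and the same denied access, init_t creating a dir labelled systemd_logind_var_lib_t. The function names are hypothetical; the sample input is copied from the comment above.

```python
import re

# AVC records and the related systemd line, copied from comment 2 of this report.
JOURNAL = '''\
[   17.511743] localhost audit[1231]: AVC avc:  denied  { create } for  pid=1231 comm="(modprobe)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
[   17.511882] localhost systemd[1231]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
[   17.524663] localhost audit[1232]: AVC avc:  denied  { create } for  pid=1232 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def se_type(context):
    """Type field of user:role:type:level; the level may itself contain ':'."""
    return context.split(":", 3)[2]


def summarize(text):
    """Collapse denials into unique (source, target, class, perm) vectors."""
    rows = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"], perm)
            row = rows.setdefault(key, {"count": 0, "comms": set(), "enforced": False})
            row["count"] += 1
            row["comms"].add(rec.get("comm", "?"))
            # permissive=0 means the access was actually blocked, not just logged.
            row["enforced"] |= rec.get("permissive") == "0"
    return rows


if __name__ == "__main__":
    for (src, tgt, tclass, perm), row in summarize(JOURNAL).items():
        print(f"{src} -> {tgt}:{tclass} {{ {perm} }} x{row['count']} "
              f"enforced={row['enforced']} comm={sorted(row['comms'])}")
```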

Comment 3 Chris Murphy 2019-07-31 22:56:36 UTC
selinux-policy-3.14.4-26.fc31.noarch

Comment 4 Fedora Blocker Bugs Application 2019-08-01 01:53:04 UTC
Proposed as a Blocker for 31-beta by Fedora user chrismurphy using the blocker tracking app because:

 https://fedoraproject.org/wiki/Basic_Release_Criteria#Initialization_requirements

"All release-blocking images must boot in their supported configurations." Strictly speaking it does boot, it just doesn't finish startup and arrive at the desktop.

"Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop." That's definitely not happening.

"The installer must run when launched normally from the release-blocking images." This is also violated. 

I'm not seeing an exception for intervening with enforcing=0 and also it doesn't seem like a good idea to ship a beta with a common bug that tells everyone they have to boot with enforcing=0 so I'm gonna go with this is a blocker.

Comment 5 Zbigniew Jędrzejewski-Szmek 2019-08-01 06:06:21 UTC

*** This bug has been marked as a duplicate of bug 1734831 ***

