Bug 1763449 - selinux prevents writing to /var/lib on silverblue rebase reboot
Summary: selinux prevents writing to /var/lib on silverblue rebase reboot
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1767749 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-19 21:39 UTC by Boyd
Modified: 2020-11-24 20:27 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-3.14.4-40.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-24 20:27:08 UTC
Type: Bug


Attachments (Terms of Use)
journalctl -b -3 full output (228.71 KB, text/plain)
2019-10-19 21:39 UTC, Boyd
no flags Details

Description Boyd 2019-10-19 21:39:40 UTC
Created attachment 1627420 [details]
journalctl -b -3 full output

Description of problem:
When rebasing Silverblue from F30 to F31 systemd-logind won't start with selinux errors


Version-Release number of selected component (if applicable):


How reproducible:
rpm-ostree rebase fedora:fedora/31/x86_x64/silverblue


Steps to Reproduce:
1. rpm-ostree rebase fedora:fedora/31/x86_x64/silverblue
2. systemctl reboot
3.

Actual results:
System will not boot to login screen with errors such as:
Oct 19 08:51:52 xps13 systemd[920]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Oct 19 08:51:52 xps13 systemd[920]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied



Expected results:
System boots normally


Additional info:
Running restorecon on /var/lib/systemd/linger or /sysroot/ostree/deploy/fedora/var/lib/systemd/linger does not seem to help
System can be booted with selinux=0 kernel parameter
Seems to be similar or same issue as CLOSED and NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1753404
https://bugzilla.redhat.com/show_bug.cgi?id=1734831

But this does not seem to be resolved for Silverblue

Comment 1 Hank Donnay 2019-10-31 14:38:21 UTC
I'm also affected by this.

I've got the stock selinux policy and haven't run any loginctl disable/enable-linger commands.

Comment 2 Lukas Vrabec 2019-10-31 17:54:44 UTC
Hi All, 

Could you please boot in permissive mode and attach output of: 

# ausearch -m AVC -ts boot 

Thanks,
Lukas.

Comment 3 Boyd 2019-10-31 22:05:10 UTC
Here you go...  Thanks!

[root@xps13 ~]# ausearch -m AVC -ts boot
----
time->Thu Oct 31 21:45:30 2019
type=AVC msg=audit(1572558330.228:99): avc:  denied  { read } for  pid=916 comm="(modprobe)" name="linger" dev="dm-0" ino=2621453 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Oct 31 21:45:30 2019
type=AVC msg=audit(1572558330.232:100): avc:  denied  { mounton } for  pid=916 comm="(modprobe)" path="/run/systemd/unit-root/var/lib/systemd/linger" dev="dm-0" ino=2621453 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Oct 31 21:45:42 2019
type=AVC msg=audit(1572558342.360:205): avc:  denied  { unlink } for  pid=949 comm="NetworkManager" name="internal-17f7861f-8422-4f6c-ae9c-7567648e7555-wlp2s0.lease" dev="dm-0" ino=4194464 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[root@xps13 ~]#

Comment 4 Lukas Vrabec 2019-11-01 13:22:54 UTC
*** Bug 1767749 has been marked as a duplicate of this bug. ***

Comment 5 Hank Donnay 2019-11-01 14:21:09 UTC
The command returns nothing for me when booted on commit 1f77b254e196f244b20f14e0bac895ca151dd90dd18e0431e716ee1dbbe3f06e

Comment 6 jonubulin 2019-11-01 14:48:29 UTC
My output of sudo ausearch -m AVC -ts boot  :

----
time->Fri Nov  1 10:20:14 2019
type=AVC msg=audit(1572600014.309:93): avc:  denied  { read } for  pid=1008 comm="firewalld" name="site-packages" dev="dm-2" ino=1187855 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Fri Nov  1 10:20:14 2019
type=AVC msg=audit(1572600014.453:99): avc:  denied  { read } for  pid=1067 comm="(modprobe)" name="linger" dev="dm-2" ino=1106050 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Nov  1 10:20:14 2019
type=AVC msg=audit(1572600014.457:100): avc:  denied  { mounton } for  pid=1067 comm="(modprobe)" path="/run/systemd/unit-root/var/lib/systemd/linger" dev="dm-2" ino=1106050 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.049:214): avc:  denied  { read } for  pid=1131 comm="gdbus" path="/var/home/<username>/.local/share/icc/edid-6608c115f4ad7a4dbfc8db2e8900a4ac.icc" dev="dm-5" ino=4194434 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.599:215): avc:  denied  { getattr } for  pid=1131 comm="colord" path="/var/home/<username>/.local/share/icc/edid-6608c115f4ad7a4dbfc8db2e8900a4ac.icc" dev="dm-5" ino=4194434 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.600:216): avc:  denied  { map } for  pid=1131 comm="colord" path="/var/home/<username>/.local/share/icc/edid-6608c115f4ad7a4dbfc8db2e8900a4ac.icc" dev="dm-5" ino=4194434 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.768:219): avc:  denied  { getattr } for  pid=1131 comm="colord" path="/var/home/<username>/.local/share/icc/edid-d81dc20af206bf6dc271920a1c71c4b3.icc" dev="dm-5" ino=4195613 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.768:220): avc:  denied  { read } for  pid=1131 comm="colord" path="/var/home/<username>/.local/share/icc/edid-d81dc20af206bf6dc271920a1c71c4b3.icc" dev="dm-5" ino=4195613 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
----
time->Fri Nov  1 10:20:31 2019
type=AVC msg=audit(1572600031.768:221): avc:  denied  { map } for  pid=1131 comm="colord" path="/var/home/<username>/.local/share/icc/edid-d81dc20af206bf6dc271920a1c71c4b3.icc" dev="dm-5" ino=4195613 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1

Comment 7 Lukas Vrabec 2019-11-01 17:31:23 UTC
Hi All,

All the AVCs should be fixed in the latest version of selinux-policy for Fedora 31. For AVCs with unlabeled_t please run:

# restorecon -Rv /

and for default_t AVcs please run: 

# semanage fcontext -a -e /home /var/home
# restorecon -Rv /var/


Thanks,
Lukas.

Comment 8 jonubulin 2019-11-02 07:51:16 UTC
Is it save to run 
# restorecon -Rv /
on silverblue? According to https://bugzilla.redhat.com/show_bug.cgi?id=1259018#c17 this command should not be run on ostree-based systems.

Comment 9 Boyd 2019-11-02 07:52:59 UTC
This still doesn't work

Comment 10 Boyd 2019-11-05 11:19:37 UTC
If someone finds this through a search, here is at least a workaround from discussion.fedoraproject.org:  https://discussion.fedoraproject.org/t/selinux-still-a-problem-for-f31-rebase/10688/2?u=boydkelly

let the boot fail, then reboot into rescue mode and run journalctl -b-1 | grep -A20 'Starting Login' | audit2allow -M mylogind, then semodule -i mylogind. Terrible, but the system now boots in enforcing mode until I find a better fix.

Its regrettable that problems are closed as notabug without any user confirmation.  This is clearly a bug, and could be solved more efficiently with user interaction.

Comment 11 Lukas Vrabec 2019-11-05 16:58:55 UTC
Boyd, 

Could you please share with me the output files of command: "# audit2allow -M mylogind" ? I can look on the rules and add them to the distribution  policy. 

THanks,
Lukas

Comment 12 browseria 2019-11-06 14:55:01 UTC
I just tried rebasing from f30 to f31 last night and encountered this exact same bug. It is most definitely still a problem.

Comment 13 Boyd 2019-11-07 12:59:54 UTC
Its weird,  I can't even run audit2allow -M mylogind   It just hangs....

Comment 14 jonubulin 2019-11-07 17:33:32 UTC
(In reply to Lukas Vrabec from comment #11)
> Could you please share with me the output files of command: "# audit2allow
> -M mylogind" ? I can look on the rules and add them to the distribution 
> policy.

If I run 
# journalctl -b-1 | grep -A20 'Starting Login' | audit2allow -M mylogind
the resulting mylogind.te file looks as following:

module mylogind 1.0;

require {
	type init_t;
	type systemd_logind_var_lib_t;
	class dir read;
}

#============= init_t ==============
allow init_t systemd_logind_var_lib_t:dir read;

Comment 15 Lukas Vrabec 2019-11-08 15:59:46 UTC
Hi, 

Is this the only one allow rule? Because it's allowed by default in distribution policy (selinux-policy rpm package)

rpm -q selinux-policy
selinux-policy-3.14.5-5.fc32.noarch

# sesearch -A -s init_t -t systemd_logind_var_lib_t -c dir -p read
allow init_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow init_t systemd_mount_directory:dir { create getattr ioctl lock mounton open read search };

Thanks,
Lukas.

Comment 16 jonubulin 2019-11-09 08:22:04 UTC
(In reply to Lukas Vrabec from comment #15)
> Is this the only one allow rule? 

At least it is the only rule returned by executing the command 
# journalctl -b-1 | grep -A20 'Starting Login' | audit2allow -M mylogind

> Because it's allowed by default in
> distribution policy (selinux-policy rpm package)
> 
> rpm -q selinux-policy
> selinux-policy-3.14.5-5.fc32.noarch

# rpm -q selinux-policy
selinux-policy-3.14.4-39.fc31.noarch

> 
> # sesearch -A -s init_t -t systemd_logind_var_lib_t -c dir -p read
> allow init_t file_type:dir { getattr ioctl lock open read relabelfrom
> relabelto search };
> allow init_t systemd_mount_directory:dir { create getattr ioctl lock mounton
> open read search };

# sesearch -A -s init_t -t systemd_logind_var_lib_t -c dir -p read
returns nothing

Comment 17 Lukas Vrabec 2019-11-11 17:02:09 UTC
Hi jonubulin, 

Issue is fixed in -40.fc31

# sesearch -A -s init_t -t systemd_logind_var_lib_t -c dir -p read
allow init_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow init_t systemd_mount_directory:dir { create getattr ioctl lock mounton open read search };


Thanks,
Lukas.

Comment 18 jonubulin 2019-11-14 16:13:50 UTC
Unfortunately this is still an issue on my system, even tough I updated to the new selinux policy version.

# rpm -q selinux-policy
selinux-policy-3.14.4-40.fc31.noarch

# sesearch -A -s init_t -t systemd_logind_var_lib_t -c dir -p read
still no output

Maybe it is a issue specific to Silverblue?

Comment 19 browseria 2019-11-21 05:37:29 UTC
# rpm -q selinux-policy
selinux-policy-3.14.3-52.fc30.noarch

# rpm-ostree status
State: idle
AutomaticUpdates: check; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
  ostree://fedora:fedora/31/x86_64/silverblue
                   Version: 31.20191118.0 (2019-11-18T00:40:47Z)
                BaseCommit: 80944945d229dc557bc8c2b9e49c7bfbe055cc7b5537bcf8b9aa6893061e1fc4
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4
                      Diff: 1279 upgraded, 4 downgraded, 15 removed, 33 added
           LayeredPackages: libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm
                            samba virt-install virt-manager

● ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20191118.0 (2019-11-18T00:46:57Z)
                BaseCommit: dc602503781b077644b5afb7754624a1e9aa197dcccd348add4ddd23552b0213
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm
                            samba virt-install virt-manager
                    Pinned: yes

# journalctl -b-1 | grep -A20 'Starting Login'
Nov 18 14:13:39 washer systemd[1]: Starting Login Service...
Nov 18 14:13:39 washer systemd[1]: Stopped Daemon for power management.
Nov 18 14:13:39 washer systemd[761]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[761]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied
Nov 18 14:13:39 washer audit[761]: AVC avc:  denied  { read } for  pid=761 comm="(modprobe)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=upower comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=upower comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer systemd[1]: Starting Daemon for power management...
Nov 18 14:13:39 washer systemd[765]: upower.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[765]: upower.service: Failed at step STATE_DIRECTORY spawning /usr/libexec/upowerd: Permission denied
Nov 18 14:13:39 washer audit[765]: AVC avc:  denied  { read } for  pid=765 comm="(upowerd)" name="upower" dev="sde5" ino=1441816 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer audit[766]: AVC avc:  denied  { read } for  pid=766 comm="(d-logind)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[766]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[766]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /usr/lib/systemd/systemd-logind: Permission denied
Nov 18 14:13:39 washer systemd[1]: upower.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: upower.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Daemon for power management.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=upower comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
--
Nov 18 14:13:39 washer systemd[1]: Starting Login Service...
Nov 18 14:13:39 washer audit[771]: AVC avc:  denied  { read } for  pid=771 comm="(modprobe)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[771]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[771]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied
Nov 18 14:13:39 washer audit[772]: AVC avc:  denied  { read } for  pid=772 comm="(d-logind)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[772]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[772]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /usr/lib/systemd/systemd-logind: Permission denied
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 2.
Nov 18 14:13:39 washer systemd[1]: Stopped Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer systemd[1]: Starting Login Service...
Nov 18 14:13:39 washer audit[775]: AVC avc:  denied  { read } for  pid=775 comm="(modprobe)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[775]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[775]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied
Nov 18 14:13:39 washer audit[776]: AVC avc:  denied  { read } for  pid=776 comm="(d-logind)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[776]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[776]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /usr/lib/systemd/systemd-logind: Permission denied
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 3.
Nov 18 14:13:39 washer systemd[1]: Stopped Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer systemd[1]: Starting Login Service...
Nov 18 14:13:39 washer audit[789]: AVC avc:  denied  { read } for  pid=789 comm="(modprobe)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[789]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[789]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied
Nov 18 14:13:39 washer audit[790]: AVC avc:  denied  { read } for  pid=790 comm="(d-logind)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[790]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[790]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /usr/lib/systemd/systemd-logind: Permission denied
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 4.
Nov 18 14:13:39 washer systemd[1]: Stopped Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer systemd[1]: Starting Login Service...
Nov 18 14:13:39 washer audit[793]: AVC avc:  denied  { read } for  pid=793 comm="(modprobe)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[793]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[793]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /sbin/modprobe: Permission denied
Nov 18 14:13:39 washer audit[794]: AVC avc:  denied  { read } for  pid=794 comm="(d-logind)" name="linger" dev="sde5" ino=1706700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Nov 18 14:13:39 washer systemd[794]: systemd-logind.service: Failed to set up special execution directory in /var/lib: Permission denied
Nov 18 14:13:39 washer systemd[794]: systemd-logind.service: Failed at step STATE_DIRECTORY spawning /usr/lib/systemd/systemd-logind: Permission denied
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 5.
Nov 18 14:13:39 washer systemd[1]: Stopped Login Service.
Nov 18 14:13:39 washer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Start request repeated too quickly.
Nov 18 14:13:39 washer systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Nov 18 14:13:39 washer systemd[1]: Failed to start Login Service.
Nov 18 14:13:39 washer systemd[1]: upower.service: Service RestartSec=100ms expired, scheduling restart.
Nov 18 14:13:39 washer systemd[1]: upower.service: Scheduled restart job, restart counter is at 3.

# df -Th
Filesystem     Type      Size  Used Avail Use% Mounted on
devtmpfs       devtmpfs  5.9G     0  5.9G   0% /dev
tmpfs          tmpfs     5.9G   91M  5.8G   2% /dev/shm
tmpfs          tmpfs     5.9G  1.8M  5.9G   1% /run
tmpfs          tmpfs     5.9G     0  5.9G   0% /sys/fs/cgroup
/dev/sde3      ext4       69G  8.5G   57G  14% /sysroot
tmpfs          tmpfs     5.9G   64M  5.8G   2% /tmp
/dev/sde5      ext4       69G  2.6G   63G   4% /var
/dev/sde1      ext4      976M  144M  766M  16% /boot
/dev/sde2      ext4       75G  9.5G   62G  14% /var/home
/dev/sdc       ext4       11T  7.5T  2.9T  73% /var/mnt/data
tmpfs          tmpfs     1.2G  9.2M  1.2G   1% /run/user/1000

Comment 20 jonubulin 2019-12-07 15:20:40 UTC
Is there any way to provide additional information which could help to fix this issue?

Comment 21 jonubulin 2019-12-14 13:44:20 UTC
I fixed the issue following the described steps in  
https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_selinux_problems
For whatever reason the SELinux policy was modified from the default one or wasn't updated during the upgrade to Silverblue 31. Copying the default SELinux policy shipped in the OSTree compose fixed the issue.

Comment 22 Ben Cotton 2020-11-03 17:23:06 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 23 Ben Cotton 2020-11-24 20:27:08 UTC
Fedora 31 changed to end-of-life (EOL) status on 2020-11-24. Fedora 31 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.