Bug 1797414 - can't login due to AVC denied { sys_nice } for pid=964 comm="accounts-daemon"
Summary: can't login due to AVC denied { sys_nice } for pid=964 comm="accounts-daemon"
Keywords:
Status: CLOSED DUPLICATE of bug 1795524
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-03 04:34 UTC by Chris Murphy
Modified: 2020-02-06 21:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-04 09:38:44 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
journal (849.97 KB, text/plain)
2020-02-03 04:36 UTC, Chris Murphy

Description Chris Murphy 2020-02-03 04:34:59 UTC
Description of problem:

I can't figure out the exact sequence, if the accounts-daemon trap is caused by the boltd crash, bug 1797412, or the AVC on accounts-daemon.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-21.fc32.noarch

How reproducible:
Always

Steps to Reproduce:
1. Boot

Actual results:

[   11.341461] fmac.local kernel: traps: accounts-daemon[882] trap int3 ip:7f01418e6e05 sp:7f01339edb40 error:0 in libglib-2.0.so.0.6304.0[7f01418ab000+84000]

...

[   12.239701] fmac.local audit[964]: AVC avc:  denied  { sys_nice } for  pid=964 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
[   12.239828] fmac.local audit[964]: AVC avc:  denied  { setsched } for  pid=964 comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0


...

[   12.737928] fmac.local systemd-coredump[975]: Process 964 (accounts-daemon) of user 0 dumped core.

...
[   37.246372] fmac.local gdm[905]: Failed to contact accountsservice: Error calling StartServiceByName for org.freedesktop.Accounts: Timeout was reached


Expected results:

accountsservice shouldn't crash, or I can't login.


Additional info:

This is happening on an installed system. I don't know that it affects clean installs yet, but if it does, it's a beta blocker:

A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention, and all virtual consoles intended to provide a working login prompt must do so.
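
An added triage example, not part of the original report: it parses the journal lines quoted above into a per-PID timeline and lists PIDs that logged an enforced AVC denial and later dumped core. The helper names `timeline` and `denied_before_core` are hypothetical, and the result shows ordering only, not cause.

```python
import re
from collections import defaultdict

# Journal lines copied from the report above (the "..." gaps are omitted).
JOURNAL = """\
[   11.341461] fmac.local kernel: traps: accounts-daemon[882] trap int3 ip:7f01418e6e05 sp:7f01339edb40 error:0 in libglib-2.0.so.0.6304.0[7f01418ab000+84000]
[   12.239701] fmac.local audit[964]: AVC avc:  denied  { sys_nice } for  pid=964 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
[   12.239828] fmac.local audit[964]: AVC avc:  denied  { setsched } for  pid=964 comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
[   12.737928] fmac.local systemd-coredump[975]: Process 964 (accounts-daemon) of user 0 dumped core.
"""

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s+\S+\s+(.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
TRAP = re.compile(r"traps: (\S+)\[(\d+)\] trap (\S+)")
CORE = re.compile(r"Process (\d+) \((\S+)\) of user \d+ dumped core")

def timeline(text):
    """Return {pid: [(time, kind, detail), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        t, msg = float(m.group(1)), m.group(2)
        if (a := AVC.search(msg)):
            # key=value pairs after "for": pid, comm, scontext, tclass, ...
            kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', a.group(2)))
            detail = {"perms": a.group(1).split(), "tclass": kv["tclass"],
                      "scontext": kv["scontext"], "permissive": kv["permissive"]}
            events[int(kv["pid"])].append((t, "avc", detail))
        elif (tr := TRAP.search(msg)):
            events[int(tr.group(2))].append((t, "trap", tr.group(3)))
        elif (c := CORE.search(msg)):
            events[int(c.group(1))].append((t, "core", c.group(2)))
    return dict(events)

def denied_before_core(events):
    """PIDs that logged an enforced (permissive=0) denial, then dumped core."""
    hits = {}
    for pid, evs in events.items():
        denials = [(t, d) for t, k, d in evs if k == "avc" and d["permissive"] == "0"]
        cores = [t for t, k, _ in evs if k == "core"]
        if denials and cores and min(t for t, _ in denials) < max(cores):
            hits[pid] = sorted({f'{d["tclass"]}:{p}' for _, d in denials for p in d["perms"]})
    return hits

if __name__ == "__main__":
    print(denied_before_core(timeline(JOURNAL)))
```

On the excerpt above, PID 964 is reported with both denials, while the earlier int3 trap belongs to a different PID (882) that has no AVC line in the quoted lines.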

Comment 1 Chris Murphy 2020-02-03 04:36:32 UTC
Created attachment 1657249 [details]
journal

Comment 2 Chris Murphy 2020-02-03 04:52:16 UTC
This is what I'm seeing:
https://openqa.fedoraproject.org/tests/516083#step/_boot_to_anaconda/11

So I'm willing to bet this bug, or bug 179411 or bug 179412, or all three, are the cause of all these traps and thus startup failure.

Problem doesn't happen with enforcing=0

Comment 3 Fedora Blocker Bugs Application 2020-02-03 04:55:35 UTC
Proposed as a Blocker for 32-beta by Fedora user chrismurphy using the blocker tracking app because:

 Workstation (not sure if KDE is affected)
No part of any release-blocking desktop's panel (or equivalent) configuration may crash on startup or be entirely non-functional. 

Server:
A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention, and all virtual consoles intended to provide a working login prompt must do so.

Comment 4 Chris Murphy 2020-02-03 15:51:57 UTC
This might be a dup of bug 1795524.

Comment 5 Lukas Vrabec 2020-02-04 09:38:44 UTC

*** This bug has been marked as a duplicate of bug 1795524 ***

Comment 6 Adam Williamson 2020-02-06 21:44:30 UTC
Dropping proposed blocker status, since we've decided it's a dupe.

