Description of problem:
colord fails to start due to selinux

Version-Release number of selected component (if applicable):
colord-1.4.4-4.fc32.x86_64
colord-libs-1.4.4-4.fc32.x86_64
colord-gtk-0.2.0-3.fc32.x86_64
colord-kde-0.5.0-11.fc32.x86_64
selinux-policy-3.14.5-24.fc32.noarch
selinux-policy-targeted-3.14.5-24.fc32.noarch

How reproducible:

Steps to Reproduce:
1. systemctl start colord
2. systemctl status colord

Actual results:
● colord.service - Manage, Install and Generate Color Profiles
   Loaded: loaded (/usr/lib/systemd/system/colord.service; static; vendor preset: disabled)
   Active: failed (Result: signal) since Mon 2020-02-10 09:42:42 CET; 6s ago
  Process: 3745 ExecStart=/usr/libexec/colord (code=killed, signal=TRAP)
 Main PID: 3745 (code=killed, signal=TRAP)

Feb 10 09:42:42 nb systemd[1]: Starting Manage, Install and Generate Color Profiles...
Feb 10 09:42:42 nb colord[3745]: Failed to set scheduler settings: Permission denied
Feb 10 09:42:42 nb systemd[1]: colord.service: Main process exited, code=killed, status=5/TRAP
Feb 10 09:42:42 nb systemd[1]: colord.service: Failed with result 'signal'.
Feb 10 09:42:42 nb systemd[1]: Failed to start Manage, Install and Generate Color Profiles.

Expected results:
● colord.service - Manage, Install and Generate Color Profiles
   Loaded: loaded (/usr/lib/systemd/system/colord.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-10 09:43:34 CET; 2s ago
 Main PID: 3778 (colord)
    Tasks: 4 (limit: 18993)
   Memory: 3.1M
   CGroup: /system.slice/colord.service
           └─3778 /usr/libexec/colord

Feb 10 09:43:34 nb systemd[1]: Starting Manage, Install and Generate Color Profiles...
Feb 10 09:43:34 nb systemd[1]: Started Manage, Install and Generate Color Profiles.

Additional info:
Running `setenforce 0` fixes the problem. Relabeling the file system did not help.
Proposed as a Blocker and Freeze Exception for 32-final by Fedora user lruzicka using the blocker tracking app because: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.
Discussed during the 2020-02-10 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made: "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2020-02-10/f32-blocker-review.2020-02-10-17.01.log.txt
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
[ 14.983762] fmac.local audit[1442]: AVC avc: denied { setsched } for pid=1442 comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1

selinux-policy-3.14.5-28.fc32.noarch

Is this related to bug 1795524? This is also selinux setsched related according to the AVC denial.
Chris, it looks so.
https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c84

selinux will continue to deny setsched, so a fix is still needed in colord. Other daemons are affected, but I'm not sure whether there's a generic solution possible.
We're not going to change GThreadPool to stop trying to use setsched, but GThreadPool has been fixed to at least not abort. Nothing about this issue is unique to colord, other than that SELinux seems to be allowing some apps to use setsched but not others.

*** This bug has been marked as a duplicate of bug 1795524 ***
BTW the abort on failure to call setsched() should be fixed since GLib 2.63.4, which should have hit F32 quite a while ago. If colord is still failing to launch nowadays, then you can reopen this issue (as if so, there must be multiple bugs involved).
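
Added example, not part of the original bug thread and not code from colord, GLib or selinux-policy: a small Python triage script that parses AVC records like the one quoted above and flags `setsched` denials where a domain is denied against its own process, reporting whether each was enforced (`permissive=0`) or only logged (`permissive=1`). The second log line, `exampled`, `exampled_t` and `host.example` are constructed sample values.

```python
import re

# Line 1 is the AVC record quoted in this report. Lines 2-3 are constructed
# samples: an enforcing-mode variant (permissive=0) and an unrelated log line.
SAMPLE_LOG = """\
[ 14.983762] fmac.local audit[1442]: AVC avc: denied { setsched } for pid=1442 comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
[ 15.100000] host.example audit[2001]: AVC avc: denied { setsched } for pid=2001 comm="exampled" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=process permissive=0
[ 15.200000] host.example systemd[1]: Started Example Service.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def setsched_self_denials(log_text):
    """List process:setsched denials where source and target domain match."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "setsched" not in rec["perms"]:
            continue
        if rec.get("tclass") != "process":
            continue
        if rec["scontext_type"] != rec["tcontext_type"]:
            continue
        findings.append({
            "comm": rec.get("comm"),
            "domain": rec["scontext_type"],
            # permissive=1: logged but not blocked; only an explicit 0 is enforced.
            "enforced": rec.get("permissive") == "0",
        })
    return findings


if __name__ == "__main__":
    for finding in setsched_self_denials(SAMPLE_LOG):
        print(finding)
```
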