In Fedora-Rawhide-20201007.n.0, openQA tests for KDE and Workstation live images and Silverblue all failed. They all seem to be caused by selinux-policy-3.14.7-5.fc34 (which appeared in that compose), because I see relevant AVCs in the system logs, and I also tested booting the Workstation and KDE live images with 'enforcing=0' and they both booted normally.

With SELinux in enforcing mode, the live images both boot to a login screen instead of directly to a working desktop, as they should. It's not possible to log in (at least in GNOME, didn't check KDE) - attempting just cycles back to the login screen. The installed Silverblue system boots to gnome-initial-setup and then when that is complete, to a kind of half-finished GNOME desktop - the user menu is present but the Activities menu is not.

AVCs from the boots in enforcing mode:

Workstation live
================
Oct 07 21:12:25 localhost-live audit[1403]: AVC avc: denied { transition } for pid=1403 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=263929 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:12:25 localhost-live audit[1404]: AVC avc: denied { transition } for pid=1404 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=170104 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:12:25 localhost-live audit[1405]: AVC avc: denied { transition } for pid=1405 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=168361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

KDE live
========
Oct 07 21:07:48 localhost-live audit[1285]: AVC avc: denied { transition } for pid=1285 comm="sddm-helper" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=262094 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:07:48 localhost-live audit[1286]: AVC avc: denied { transition } for pid=1286 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="dm-0" ino=184819 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Booting with enforcing=0 shows fewer AVCs (just the first in each case, I think), so I figure the subsequent ones are for fallbacks or something.

This seems a clear F34 Beta blocker per Basic criterion "Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop" - at least in GNOME (only case I tested) you can't log into the desktop.
Also breaks log in to a freshly installed regular system (after entering password system just returns to login manager), and systems upgraded from F32 or F33.
CCing GNOME / Silverblue and KDE folks for info.
*** Bug 1886946 has been marked as a duplicate of this bug. ***
Confirmed on Fedora Rawhide after a recent upgrade.

Relevant log extract with SELinux in enforcing mode:

Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: unable to locate daemon control file
Oct 10 21:21:51 computer audit[2565]: USER_AUTH pid=2565 uid=0 auid=1234 ses=1234 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="d>
Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: stashed password to try later in open session
...
Oct 10 21:21:51 computer gdm-password][2565]: pam_unix(gdm-password:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:21:51 computer audit[2593]: AVC avc: denied { transition } for pid=2593 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
Oct 10 21:21:51 computer systemd[2578]: Reached target Timers.
Oct 10 21:21:51 computer systemd[2578]: Starting D-Bus User Message Bus Socket.
Oct 10 21:21:51 computer audit[2565]: USER_START pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_>
Oct 10 21:21:51 computer gdm-password][2593]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied
Oct 10 21:21:51 computer systemd[2578]: Listening on Multimedia System.
Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: gnome-keyring-daemon didn't start properly
Oct 10 21:21:51 computer systemd[2578]: Listening on Sound System.
Oct 10 21:21:51 computer systemd[2578]: Listening on D-Bus User Message Bus Socket.
Oct 10 21:21:51 computer systemd[2578]: Reached target Sockets.
Oct 10 21:21:51 computer systemd[2578]: Reached target Basic System.
Oct 10 21:21:51 computer systemd[2578]: Reached target Main User Target.
Oct 10 21:21:51 computer systemd[2578]: Startup finished in 200ms.
Oct 10 21:21:51 computer systemd[1]: Started User Manager for UID 1000.
Oct 10 21:21:51 computer systemd[1]: Started Session 2 of user david.
Oct 10 21:21:51 computer audit[2601]: AVC avc: denied { transition } for pid=2601 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:u>
Oct 10 21:21:51 computer gdm-password][2565]: Gdm: Unable to run script: Failed to execute child process “/etc/gdm/PreSession/Default” (Permission denied)
Oct 10 21:21:51 computer kernel: rfkill: input handler enabled
Oct 10 21:21:51 computer audit[2602]: AVC avc: denied { transition } for pid=2602 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfine>
Oct 10 21:21:52 computer gdm-password][2565]: pam_unix(gdm-password:session): session closed for user david
Oct 10 21:21:52 computer audit[2565]: USER_END pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_l>
Oct 10 21:21:52 computer audit[2565]: CRED_DISP pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="david" exe="/usr/libexec/gdm-session-w>
Oct 10 21:21:52 computer kernel: rfkill: input handler disabled
Oct 10 21:21:52 computer gdm[1999]: Gdm: GdmDisplay: Session never registered, failing
Oct 10 21:21:52 computer systemd[1]: session-2.scope: Succeeded.
Oct 10 21:21:52 computer systemd-logind[1801]: Session 2 logged out. Waiting for processes to exit.
Oct 10 21:21:52 computer systemd-logind[1801]: Removed session 2.

In SELinux permissive mode (working):

Oct 10 21:28:08 computer gdm-password][2540]: gkr-pam: unable to locate daemon control file
Oct 10 21:28:08 computer audit[2540]: USER_AUTH pid=2540 uid=0 auid=1234 ses=1234 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="d>
Oct 10 21:28:08 computer gdm-password][2540]: gkr-pam: stashed password to try later in open session
...
Oct 10 21:28:09 computer systemd[2554]: pam_unix(systemd-user:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:28:09 computer audit[2554]: USER_START pid=2554 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="dav>
Oct 10 21:28:09 computer systemd[2565]: Not generating service for XDG autostart app-gnome\x2dkeyring\x2dsecrets-autostart.service, startup phases are not supported.
...
Oct 10 21:28:09 computer audit[2569]: AVC avc: denied { transition } for pid=2569 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
Oct 10 21:28:09 computer systemd[2554]: Listening on Multimedia System.
Oct 10 21:28:09 computer gdm-password][2540]: pam_unix(gdm-password:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:28:09 computer systemd[2554]: Listening on Sound System.
Oct 10 21:28:09 computer systemd[2554]: Listening on D-Bus User Message Bus Socket.
Oct 10 21:28:09 computer systemd[2554]: Reached target Sockets.
Oct 10 21:28:09 computer systemd[2554]: Reached target Basic System.
Oct 10 21:28:09 computer systemd[2554]: Reached target Main User Target.
Oct 10 21:28:09 computer systemd[2554]: Startup finished in 194ms.
Oct 10 21:28:09 computer systemd[1]: Started User Manager for UID 1000.
Oct 10 21:28:09 computer systemd[1]: Started Session 2 of user david.
Oct 10 21:28:09 computer gdm-password][2540]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
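
Added example (not part of the bug report, and not Fedora or SELinux project code): a small Python parser for the AVC denial lines quoted in the comments above, which extracts the source type, target type, class and path, and treats journal lines cut off with a trailing ">" as incomplete instead of guessing the lost fields. The function names are hypothetical; the sample lines are copied from this thread.

```python
import re
from collections import Counter

# Journal lines copied from the reports in this thread. The second was cut off
# by the journal pager (trailing ">"), so its tcontext is incomplete.
SAMPLE = [
    'Oct 07 21:12:25 localhost-live audit[1403]: AVC avc: denied { transition } '
    'for pid=1403 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" '
    'dev="dm-0" ino=263929 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0',
    'Oct 10 21:21:51 computer audit[2593]: AVC avc: denied { transition } '
    'for pid=2593 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" '
    'dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u>',
    "Oct 10 21:21:51 computer gdm-password][2593]: gkr-pam: couldn't run "
    "gnome-keyring-daemon: Permission denied",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Type field of user:role:type[:level], or None when the field is absent."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Hypothetical helper: parse one journal line; None if it is not an AVC denial."""
    m = AVC_RE.search(line.rstrip())
    if m is None:
        return None
    rest = m.group("rest")
    truncated = rest.endswith(">")
    pairs = KV_RE.findall(rest.rstrip(">"))
    if truncated and pairs:
        pairs.pop()  # the last value was cut mid-field; do not trust it
    f = {k: v.strip('"') for k, v in pairs}
    return {"perms": m.group("perms").split(), "path": f.get("path"),
            "source_type": selinux_type(f.get("scontext")),
            "target_type": selinux_type(f.get("tcontext")),
            "tclass": f.get("tclass"), "permissive": f.get("permissive"),
            "truncated": truncated}

def summarize(lines):
    """Count denials per (source type, target type, class, path); '?' marks lost fields."""
    counts = Counter()
    for r in filter(None, map(parse_avc, lines)):
        counts[(r["source_type"], r["target_type"] or "?", r["tclass"] or "?", r["path"])] += 1
    return counts
```

Records with "truncated" set are best re-collected without pager truncation before comparing denials across reports.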
Adam, David, Does this problem appear only with kernel 5.9?
I don't know off the top of my head. The thing that changed and caused the problem was selinux, though, not the kernel. The kernel didn't change between Fedora-Rawhide-20201006.n.1 (which worked) and Fedora-Rawhide-20201007.n.0 (which was the first time the bug showed up), the thing that changed was selinux-policy. Can we please have this fixed? It is blocking all other Rawhide testing in openQA at present.
*** Bug 1888634 has been marked as a duplicate of this bug. ***
*** Bug 1888442 has been marked as a duplicate of this bug. ***
Zdenek, I'm still seeing the same problem occur with an up-to-date Rawhide repository. SELinux in permissive mode works OK, and this login loop still occurs when SELinux is in enforcing mode.

Relevant packages installed are:
- selinux-policy.noarch 3.14.7-5.fc34
- gdm.x86_64 1:3.38.1-1.fc34
- kernel.x86_64 5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34
- gnome-keyring.x86_64 3.36.0-4.fc33
- gnome-keyring-pam.x86_64 3.36.0-4.fc33

Oct 16 10:23:11 computer audit[1234]: AVC avc: denied { transition } for pid=1234 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
...
Oct 16 10:23:11 computer gdm-password][1234]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied
...
Oct 16 10:23:11 computer gdm-password][1234]: gkr-pam: gnome-keyring-daemon didn't start properly
...
Oct 16 10:23:11 computer audit[1234]: AVC avc: denied { transition } for pid=1234 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:u>
Oct 16 10:23:11 computer gdm-password][1234]: Gdm: Unable to run script: Failed to execute child process “/etc/gdm/PreSession/Default” (Permission denied)
Oct 16 10:23:11 computer kernel: rfkill: input handler enabled
Oct 16 10:23:11 computer audit[1234]: AVC avc: denied { transition } for pid=1234 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfine>
Oct 16 10:23:11 computer gdm-password][1234]: pam_unix(gdm-password:session): session closed for user johndoe
O ...
Oct 16 10:23:11 computer gdm[1234]: Gdm: GdmDisplay: Session never registered, failing
So https://github.com/fedora-selinux/selinux-policy/commit/f28692cd4a5d8d380a2c78e6a208119ce46d9722 seems the bad commit. For LXDE rawhide, selinux-policy-3.14.7-5.fc34 with the above commit reverted works fine.
Fedora-Workstation-Live-Rawhide-20201014.n.0 live image (downloaded from near mirror server) seems fine with selinux-policy-3.14.7-5.fc34 with the above commit reverted.
Thanks everybody for your help, new builds will be ready soon.
*** Bug 1889521 has been marked as a duplicate of this bug. ***
This bug appears to be still a problem for this image https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20201020.n.0/compose/Spins/x86_64/iso/Fedora-KDE-Live-x86_64-Rawhide-20201020.n.0.iso The system boots up. However, it is unable to login and start the installation.
Yeah, it won't be fixed until there is a new selinux-policy build in the compose.
(In reply to Adam Williamson from comment #15)
> Yeah, it won't be fixed until there is a new selinux-policy build in the
> compose.

Do we know when that will happen?
(In reply to AndyBetts from comment #16)
> (In reply to Adam Williamson from comment #15)
> > Yeah, it won't be fixed until there is a new selinux-policy build in the
> > compose.
>
> Do we know when that will happen?

Now I would expect soon: https://github.com/fedora-selinux/selinux-policy/pull/458
Either we will resolve it soon or revert the commit which led to the current state.
There is a new rawhide build https://koji.fedoraproject.org/koji/taskinfo?taskID=54035777 with the commit reverted, but there already is a different solution on the way. I'd like to close this bz if somebody else confirms the logging in working.
We'll be able to tell from the openQA results for the new Rawhide compose (20201023.n.0 doesn't have the new build, next compose should).
Confirming that selinux-policy-3.14.7-6.fc34.noarch fixed the issue for me (Rawhide repository).
yes, openQA tests confirm this too.
*** Bug 1887137 has been marked as a duplicate of this bug. ***