Description of problem:
I clicked on the Install KDE button in KDE Live and this SELinux warning popped out.

SELinux is preventing systemd from 'open' accesses on the file /tmp/webui-cockpit-ws.env.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed open access on the webui-cockpit-ws.env file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/webui-cockpit-ws.env [ file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.8-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.8-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.17.0-0.rc3.31.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Aug 25 15:09:54 UTC 2025 x86_64
Alert Count                   1
First Seen                    2025-09-11 13:25:03 UTC
Last Seen                     2025-09-11 13:25:03 UTC
Local ID                      a7a301c0-e6f1-470b-8d6e-4751474c7ec3

Raw Audit Messages
type=AVC msg=audit(1757597103.12:164): avc: denied { open } for pid=1 comm="systemd" path="/tmp/webui-cockpit-ws.env" dev="tmpfs" ino=47 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1

Hash: systemd,init_t,user_tmp_t,file,open

Version-Release number of selected component:
selinux-policy-targeted-42.8-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
comment:        I clicked on the Install KDE button in KDE Live and this SELinux warning popped out.
kernel:         6.17.0-0.rc3.31.fc43.x86_64
type:           libreport
hashmarkername: setroubleshoot
component:      selinux-policy
package:        selinux-policy-targeted-42.8-1.fc43.noarch
reason:         SELinux is preventing systemd from 'open' accesses on the file /tmp/webui-cockpit-ws.env.
component:      selinux-policy
Created attachment 2106368 [details] File: os_info
Created attachment 2106369 [details] File: description
Proposed as a Blocker for 43-final by Fedora user lruzicka using the blocker tracking app because: This violates the SELinux notification criterion: https://fedoraproject.org/wiki/Fedora_43_Final_Release_Criteria#SELinux_and_crash_notifications
*** Bug 2394840 has been marked as a duplicate of this bug. ***
Discussed at the 2025-09-15 (blocker / freeze exception) review meeting: This is accepted as a violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image." https://meetbot-raw.fedoraproject.org//blocker-review_matrix_fedoraproject-org/2025-09-15/f43-blocker-review.2025-09-15-16.00.txt
I've just installed Fedora KDE Plasma Desktop 43 Beta from https://fedoramagazine.org/announcing-fedora-linux-43-beta/ and there is no such denial. What steps did you take to trigger it? Cockpit is installed.

# rpm -qa cockpit* selinux-policy*
selinux-policy-42.8-1.fc43.noarch
selinux-policy-targeted-42.8-1.fc43.noarch
cockpit-bridge-345.1-1.fc43.noarch
cockpit-system-345.1-1.fc43.noarch
cockpit-ws-selinux-345.1-1.fc43.x86_64
cockpit-ws-345.1-1.fc43.x86_64
cockpit-storaged-345.1-1.fc43.noarch
The notification appears *on launch of the installer*, not in the installed system. openQA tests are seeing it too - you can see the notification appear at bottom right at about the 0:10 mark in https://openqa.fedoraproject.org/tests/3749351/video?filename=video.webm , for instance.
This is caused by /usr/libexec/anaconda/webui-desktop:

echo "WEBUI_ADDRESS=$WEBUI_ADDRESS" > /tmp/webui-cockpit-ws.env
systemctl start webui-cockpit-ws

# systemctl cat webui-cockpit-ws
# /usr/lib/systemd/system/webui-cockpit-ws.service
[Unit]
Description=Cockpit Web Service for Anaconda Installer
After=network.target

[Service]
Type=simple
EnvironmentFile=/tmp/webui-cockpit-ws.env
Environment="COCKPIT_SUPERUSER=pkexec"
ExecStart=/usr/libexec/anaconda/cockpit-coproc-wrapper.sh $WEBUI_ADDRESS
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

A proper solution would probably require confining anaconda-live/anaconda-webui, which does not seem to be reasonable now.

Katerina, is this a new feature or has it been present for a long time, just unnoticed?

Lukas, Adam, I don't understand why this would be a real blocker. I understand the rules, but frankly if I hadn't paid enough attention, I wouldn't have noticed the denial report pop up.
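Added example (not part of the comment above and not code from anaconda, systemd or setroubleshoot): a small triage script that parses the AVC record from this report, rebuilds the fields shown on its "Hash:" line, and checks whether the denied path is one that the unit's EnvironmentFile= directive makes PID 1 open. The function names are made up for this illustration; the record and unit text are copied from this bug.

```python
import re

# Raw AVC record and unit excerpt as quoted in this bug report.
AVC = ('type=AVC msg=audit(1757597103.12:164): avc: denied { open } for pid=1 '
       'comm="systemd" path="/tmp/webui-cockpit-ws.env" dev="tmpfs" ino=47 '
       'scontext=system_u:system_r:init_t:s0 '
       'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1')

UNIT = """\
[Service]
Type=simple
EnvironmentFile=/tmp/webui-cockpit-ws.env
Environment="COCKPIT_SUPERUSER=pkexec"
ExecStart=/usr/libexec/anaconda/cockpit-coproc-wrapper.sh $WEBUI_ADDRESS
"""

def parse_avc(record):
    """Split one AVC record into its result, permissions and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', record)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # SELinux contexts are user:role:type:level; the type is the third part.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def triage_key(f):
    """Fields in the same order as the 'Hash:' line of the report."""
    return ",".join([f["comm"], f["stype"], f["ttype"], f["tclass"], *f["perms"]])

def environment_files(unit_text):
    """Paths named by EnvironmentFile=; a leading '-' marks the file optional."""
    paths = []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "EnvironmentFile" and value:
            paths.append(value.lstrip("-"))
    return paths

def denial_matches_unit(record, unit_text):
    """True when the denied path is a file the unit tells systemd to read."""
    f = parse_avc(record)
    return f["result"] == "denied" and f.get("path") in environment_files(unit_text)
```

For this report the key comes out as systemd,init_t,user_tmp_t,file,open and the denial matches the unit: init_t is opening a file that a user-session script created in /tmp, which therefore carries the user_tmp_t label.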
It's a blocker for polish reasons: this is a very longstanding criterion, the idea is that it's a bad experience for users if they see notifications about crashes or SELinux problems in the straight-out-of-the-box path. It creates a bad impression - people wonder "why is this thing popping up warnings right when I boot / install it? Did nobody test it?" So...any resolution which means we don't always get a user-visible notification when launching the installer on KDE would be acceptable here, whatever way we can think of to achieve that.
FEDORA-2025-d33ac21b4d (selinux-policy-42.12-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d33ac21b4d
FEDORA-2025-d33ac21b4d has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d33ac21b4d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d33ac21b4d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Fedora Update System from comment #10)
> FEDORA-2025-d33ac21b4d (selinux-policy-42.12-1.fc43) has been submitted as
> an update to Fedora 43.
> https://bodhi.fedoraproject.org/updates/FEDORA-2025-d33ac21b4d

AVC in KDE is gone, installation and boot works
This works for me, too.
FEDORA-2025-d33ac21b4d (selinux-policy-42.12-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.
*** Bug 2402492 has been marked as a duplicate of this bug. ***