If you use the 017.1-1.fc9 version of livecd-tools on an updated F9 system to make a Xfce livecd, the image builds fine, but then the user can't log in. It seems /home/fedora gets an unconfined_t selinux context, and selinux won't let the user log in. Backing off to 017-1.fc9, everything works fine as expected. Happy to provide more info...
Do you have the log of the livecd-creator run handy? If not, I can probably get one, but it'll take me a teensy bit to get things set up to do so.
I don't... ;( I can do another run here in a bit and save that though.
I'll attach the entire output, but these jump out:

    Installing: selinux-policy-targeted ##################### [623/846]
    libsemanage.dbase_llist_query: could not query record value
    SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.23: Invalid argument
    /usr/sbin/load_policy: Can't load policy: Invalid argument
    libsemanage.semanage_reload_policy: load_policy returned error code 2.
    libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.23. (No such file or directory).
    semodule: Failed!
    libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
    /usr/sbin/semanage: Could not add SELinux user guest_u
    libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
    /usr/sbin/semanage: Could not add SELinux user xguest_u

Oops. That's the output from the livecd-tools-017-1.fc9 case. Let me update to the 017.1-1.fc9 and re-run.
The output from the 017.1-1 run is 25MB... Do you still want me to attach it?
Created attachment 311487: full log of fedora-livecd-xfce.ks with livecd-tools-017.1-1.fc9.i386. The resulting iso does not work.

(In reply to comment #5)
> The output from the 017.1-1 run is 25MB...

Mine is only 500 Kb, so I attached it. The relevant part:

    Installier: selinux-policy-targeted ##################### [622/856]
    libsemanage.dbase_llist_query: could not query record value
    SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
    SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.23: No such file or directory
    /usr/sbin/load_policy: Can't load policy: No such file or directory
    libsemanage.semanage_reload_policy: load_policy returned error code 2.
    libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.23. (No such file or directory).
    semodule: Failed!
    libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
cwickert -- yours is pulling from updates, the official spin will be pulling from the release version only. Eric/Dan -- would it be expected to get failures with the new SELinux bits in livecd-creator without an updated couple of packages?
You need the updated policy and kernel I believe.
In the host running livecd-tools? Or in the chroot? The host here is F9+all updates here...
Updated policy in the chroot, updated kernel on the host is what my hunch would be
ok, so what do we do for the F9 Xfce spin then? I would guess use the previous livecd-creator for the spinning on the host? If we add the updated policy, then we need a src.rpm image, right?
Yeah, I think that spinning with the F9 livecd-tools is probably the right thing to do. Were we doing this concurrent with the release as per the intent, we'd have been doing that to begin with.
And confirmed that that makes things better. Going to close this as CANTFIX as fundamentally, the "work with SELinux enforcing" changes kind of require packages with fixes being installed.