I see # restorecon -vrn /run restorecon reset /run/user/mk/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0 restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0 I would expect these files on tmpfs to be created correctly from the beginning. I don't know if it could be enforced in the policy or if dconf should do something in a different way. selinux-policy-3.10.0-25.fc16.noarch libselinux-2.1.5-4.fc16.x86_64 dconf-0.9.0-1.fc16.x86_64 dracut-013-8.fc16.noarch systemd-35-1.fc16.x86_64 kernel-3.1.0-0.rc6.git0.0.fc16.x86_64
This happens after Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied and could thus be related.
I am building a new f16 policy which should have a fix.
selinux-policy-3.10.0-28.fc16 should have fix for systemd-tmpfiles problems.
Heh, it seems like you got two conflicting fixes - now we have the opposite prooblem. After an enforcing reboot: # restorecon -vrn /run restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 # rpm -q selinux-policy-targeted selinux-policy-targeted-3.10.0-28.fc16.noarch
ok, how about dmesg issues?
You will need to update on selinux-policy-3.10.0-29.fc16
With selinux-policy-targeted-3.10.0-29.1.fc16.noarch libselinux-2.1.5-5.fc16.x86_64 systemd-35-1.fc16.x86_64 kernel-3.1.0-0.rc6.git0.0.fc16.x86_64 and after a relabeling boot and login as mk I get: # restorecon -rvn /run restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 - and I also don't see any indication of any fix in the changelog
Ok, the problem is file name transition does not work correctly.
checkpolicy-2.1.3-1.1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/checkpolicy-2.1.3-1.1.fc16
Package checkpolicy-2.1.3-1.1.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing checkpolicy-2.1.3-1.1.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/checkpolicy-2.1.3-1.1.fc16 then log in and leave karma (feedback).
I installed selinux-policy-targeted-3.10.0-31.fc16.noarch checkpolicy-2.1.3-1.1.fc16.x86_64 and rebooted-relabeled, but still: # restorecon -rvn /run restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0 (/home/mk is an nfs mount and I have use_nfs_home_dirs on - I doubt that could make any difference, but just in case...)
I have not investigated these, but they should not cause problems. I am more concerned about livecd or full installed logins blowing up.
Seems to be solved by selinux-policy-targeted-3.10.0-32.fc16.noarch too.
Package selinux-policy-3.10.0-32.fc16, checkpolicy-2.1.3-1.2.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-32.fc16 checkpolicy-2.1.3-1.2.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-32.fc16,checkpolicy-2.1.3-1.2.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-32.fc16, checkpolicy-2.1.3-1.2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.