With Rawhide as of 2012-02-08, selinux-policy-3.10.0-84.fc17.noarch, if I boot with enforcing on I cannot log in either graphically or at a console, as any user. In both cases I'm just cycled straight back to a login prompt. I'm attaching a full set of denials when booting and logging in with enforcing=0 (I log in at 21:13:45). Proposing as an Alpha blocker per criterion "Following on from the previous criterion, after firstboot is completed and on subsequent boots, a system installed according to any of the above criteria (or the appropriate Beta or Final criteria, when applying this criterion to those releases) must boot to a working graphical environment without unintended user intervention. This includes correctly accessing any encrypted partitions when the correct passphrase is supplied".
Created attachment 560444: denials from boot+login with enforcing=0
It looks like something is wrong with your system. If you log in in permissive mode, what does
    $ id -Z
    $ semanage login -l
and then try to run
    $ fixfiles restore
    [adamw@adam x86_64]$ id -Z
    unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
    [adamw@adam x86_64]$ semanage login -l
    /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Note I haven't done anything weird to the system; I didn't do anything to cause it to get 'wrong'. Just updated Rawhide regularly and did the /usr switch as described on the wiki.
Looks like the system is totally mislabeled.
There's definitely something wiggy going on. After doing a 'fixfiles onboot' and rebooting to get a relabel I was able to log in with enforcing enabled just once, but could not shut down properly. After forcing a shut down the system booted up again, did another relabel (not requested by me), and then rebooted (as usual after a relabel); I could not log in, same symptoms.
    [adamw@adam ~]$ id -Z
    [root@adam adamw]# semanage login -l
    Login Name    SELinux User    MLS/MCS Range
    __default__   unconfined_u    s0-s0:c0.c1023
    root          unconfined_u    s0-s0:c0.c1023
    system_u      system_u        s0-s0:c0.c1023
Here's the denials from the last boot: Feb 9 12:53:52 adam kernel: [ 2.388925] type=1400 audit(1328820827.827:3): avc: denied { ioctl } for pid=406 comm="systemd-remount" path="socket:[14631]" dev="sockfs" ino=14631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket Feb 9 12:53:52 adam kernel: [ 2.389083] type=1400 audit(1328820827.827:4): avc: denied { sendto } for pid=406 comm="systemd-remount" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket Feb 9 12:53:52 adam kernel: [ 2.420414] type=1400 audit(1328820827.858:5): avc: denied { getattr } for pid=426 comm="udevd" path="socket:[14693]" dev="sockfs" ino=14693 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket Feb 9 12:53:52 adam kernel: [ 5.435312] type=1400 audit(1328820830.877:6): avc: denied { sendto } for pid=724 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket Feb 9 12:53:52 adam kernel: [ 7.505046] type=1400 audit(1328820832.949:7): avc: denied { ioctl } for pid=873 comm="systemd-user-se" path="socket:[16090]" dev="sockfs" ino=16090 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket Feb 9 12:53:53 adam kernel: [ 8.003604] type=1400 audit(1328820833.448:8): avc: denied { ioctl } for pid=991 comm="systemd-update-" path="socket:[18284]" dev="sockfs" ino=18284 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket Feb 9 12:54:00 adam kernel: [ 15.111975] type=1400 audit(1328820840.565:9): avc: denied { entrypoint } for pid=1267 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=271173 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file Feb 9 12:54:00 adam kernel: [ 15.116940] type=1400 audit(1328820840.570:10): avc: denied { getcap } for pid=1267 comm="gnome-keyring-d" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process Feb 9 12:54:00 adam kernel: [ 15.117207] type=1400 audit(1328820840.570:11): avc: denied { setcap } for pid=1267 comm="gnome-keyring-d" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process Feb 9 12:54:00 adam kernel: [ 15.118483] type=1400 audit(1328820840.572:12): avc: denied { open } for pid=1267 comm="gnome-keyring-d" name="urandom" dev="devtmpfs" ino=1033 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file Feb 9 12:54:00 adam kernel: [ 15.119744] type=1400 audit(1328820840.573:13): avc: denied { write } for pid=1267 comm="gnome-keyring-d" name="tmp" dev="dm-2" ino=32771 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Feb 9 12:54:00 adam kernel: [ 15.119781] type=1400 audit(1328820840.573:14): avc: denied { add_name } for pid=1267 comm="gnome-keyring-d" name="keyring-rNcedO" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Feb 9 12:54:00 adam kernel: [ 15.119879] type=1400 audit(1328820840.573:15): avc: denied { create } for pid=1267 comm="gnome-keyring-d" name="keyring-rNcedO" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir Feb 9 12:54:00 adam kernel: [ 15.120462] type=1400 audit(1328820840.574:16): avc: denied { write } for pid=1267 comm="gnome-keyring-d" name="keyring-rNcedO" dev="dm-2" ino=281325 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir 
Feb 9 12:54:00 adam kernel: [ 15.120499] type=1400 audit(1328820840.574:17): avc: denied { add_name } for pid=1267 comm="gnome-keyring-d" name="control" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir Feb 9 12:54:00 adam kernel: [ 15.120534] type=1400 audit(1328820840.574:18): avc: denied { create } for pid=1267 comm="gnome-keyring-d" name="control" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file Feb 9 12:54:05 adam kernel: [ 20.124669] type=1400 audit(1328820845.584:188): avc: denied { write } for pid=1584 comm="firefox" name="sh6llx3y.default" dev="dm-0" ino=131302 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir Feb 9 12:54:05 adam kernel: [ 20.124683] type=1400 audit(1328820845.584:189): avc: denied { add_name } for pid=1584 comm="firefox" name="lock" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir Feb 9 12:54:05 adam kernel: [ 20.124721] type=1400 audit(1328820845.584:190): avc: denied { create } for pid=1584 comm="firefox" name="lock" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=lnk_file Feb 9 12:54:05 adam kernel: [ 20.152429] type=1400 audit(1328820845.612:191): avc: denied { execute } for pid=1531 comm="gedit" name="build" dev="dm-2" ino=21631 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file Feb 9 12:54:05 adam kernel: [ 20.200719] type=1400 audit(1328820845.660:192): avc: denied { execute } for pid=1726 comm="dbus-daemon" name="mission-control-5" dev="dm-2" ino=137451 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:telepathy_mission_control_exec_t:s0 tclass=file Feb 9 12:54:05 adam kernel: [ 20.200763] type=1400 
audit(1328820845.660:193): avc: denied { execute_no_trans } for pid=1726 comm="dbus-daemon" path="/usr/libexec/mission-control-5" dev="dm-2" ino=137451 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:telepathy_mission_control_exec_t:s0 tclass=file Feb 9 12:54:05 adam kernel: [ 20.229511] type=1400 audit(1328820845.689:194): avc: denied { unlink } for pid=1523 comm="gnome-shell" name="pulse-shm-559513627" dev="tmpfs" ino=21175 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file Feb 9 12:54:05 adam kernel: [ 20.233912] type=1400 audit(1328820845.693:195): avc: denied { open } for pid=1523 comm="gnome-shell" name="rfkill" dev="devtmpfs" ino=7599 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file Feb 9 12:54:05 adam kernel: [ 20.245060] type=1400 audit(1328820845.704:196): avc: denied { write } for pid=1726 comm="mission-control" name="mission-control" dev="dm-0" ino=134055 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:telepathy_mission_control_data_home_t:s0 tclass=dir Feb 9 12:54:05 adam kernel: [ 20.245084] type=1400 audit(1328820845.704:197): avc: denied { add_name } for pid=1726 comm="mission-control" name="accounts-goa.cfg.BBNU9V" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:telepathy_mission_control_data_home_t:s0 tclass=dir Feb 9 12:54:16 adam kernel: [ 30.756450] type=1400 audit(1328820856.228:237): avc: denied { remove_name } for pid=1839 comm="pool" name=".#..cmeta" dev="dm-0" ino=137063 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=dir Feb 9 12:54:16 adam kernel: [ 30.756465] type=1400 audit(1328820856.228:238): avc: denied { rename } for pid=1839 comm="pool" name=".#..cmeta" dev="dm-0" ino=137063 
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file Feb 9 12:54:16 adam kernel: [ 30.756478] type=1400 audit(1328820856.228:239): avc: denied { unlink } for pid=1839 comm="pool" name="..cmeta" dev="dm-0" ino=137062 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file Feb 9 12:54:18 adam kernel: [ 32.904854] type=1400 audit(1328820858.380:240): avc: denied { create } for pid=1681 comm="bash" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=netlink_audit_socket Feb 9 12:54:18 adam kernel: [ 32.904958] type=1400 audit(1328820858.380:241): avc: denied { nlmsg_relay } for pid=1681 comm="bash" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=netlink_audit_socket Feb 9 12:54:18 adam kernel: [ 32.905253] type=1400 audit(1328820858.380:242): avc: denied { setpgid } for pid=1681 comm="bash" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process Feb 9 12:55:18 adam kernel: [ 92.499972] type=1400 audit(1328820918.046:243): avc: denied { execute } for pid=1681 comm="bash" name="su" dev="dm-2" ino=286702 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:su_exec_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.500342] type=1400 audit(1328820918.046:244): avc: denied { execute_no_trans } for pid=1863 comm="bash" path="/usr/bin/su" dev="dm-2" ino=286702 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:su_exec_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.507156] type=1400 audit(1328820918.053:245): avc: denied { connectto } for pid=1863 comm="su" path="/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket Feb 9 12:55:18 adam kernel: [ 92.517295] type=1400 audit(1328820918.063:246): avc: denied { setuid } for pid=1866 comm="su" capability=7 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=capability Feb 9 12:55:18 adam kernel: [ 92.517435] type=1400 audit(1328820918.064:247): avc: denied { execute } for pid=1866 comm="su" name="unix_chkpwd" dev="dm-2" ino=9238 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.517624] type=1400 audit(1328820918.064:248): avc: denied { execute_no_trans } for pid=1866 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-2" ino=9238 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.518832] type=1400 audit(1328820918.065:249): avc: denied { dac_override } for pid=1866 comm="unix_chkpwd" capability=1 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=capability Feb 9 12:55:18 adam kernel: [ 92.518892] type=1400 audit(1328820918.065:250): avc: denied { read } for pid=1866 comm="unix_chkpwd" name="shadow" dev="dm-2" ino=155107 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.518929] type=1400 audit(1328820918.065:251): avc: denied { open } for pid=1866 comm="unix_chkpwd" name="shadow" dev="dm-2" ino=155107 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file Feb 9 12:55:18 adam kernel: [ 92.518967] type=1400 audit(1328820918.065:252): avc: denied { getattr } for pid=1866 comm="unix_chkpwd" path="/etc/shadow" dev="dm-2" ino=155107 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:shadow_t:s0 tclass=file Feb 9 12:55:59 adam kernel: [ 134.266279] type=1400 audit(1328820959.863:286): avc: denied { read } for pid=1871 comm="bash" name="log" dev="dm-2" ino=12 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir Feb 9 12:55:59 adam kernel: [ 134.278804] type=1400 audit(1328820959.875:287): avc: denied { signull } for pid=1523 comm="gnome-shell" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process Feb 9 12:56:00 adam kernel: [ 134.420880] type=1400 audit(1328820960.018:288): avc: denied { open } for pid=1903 comm="file" name="messages" dev="dm-2" ino=9560 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
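Added example, not part of the original bug report: a shell function that groups kernel AVC denials by source domain (the type in scontext), so a pattern like the one in the log above, where every session process is denied from the same domain, stands out. The function names are this example's own, and the five sample lines are copied from the log above.

```shell
#!/bin/sh
# Added example: group AVC denials by the source domain in scontext=.

# sample_log: five denial lines copied from the log in this report.
sample_log() {
cat <<'EOF'
Feb 9 12:53:52 adam kernel: [ 2.388925] type=1400 audit(1328820827.827:3): avc: denied { ioctl } for pid=406 comm="systemd-remount" path="socket:[14631]" dev="sockfs" ino=14631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
Feb 9 12:53:52 adam kernel: [ 2.420414] type=1400 audit(1328820827.858:5): avc: denied { getattr } for pid=426 comm="udevd" path="socket:[14693]" dev="sockfs" ino=14693 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
Feb 9 12:54:00 adam kernel: [ 15.116940] type=1400 audit(1328820840.570:10): avc: denied { getcap } for pid=1267 comm="gnome-keyring-d" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process
Feb 9 12:54:05 adam kernel: [ 20.124721] type=1400 audit(1328820845.584:190): avc: denied { create } for pid=1584 comm="firefox" name="lock" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=lnk_file
Feb 9 12:54:18 adam kernel: [ 32.905253] type=1400 audit(1328820858.380:242): avc: denied { setpgid } for pid=1681 comm="bash" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tclass=process
EOF
}

# summarize_avc: read AVC lines on stdin and print one line per source domain:
#   <denial count> <source type> <comma-separated commands seen in that domain>
# sorted by count (descending), then by type name.
summarize_avc() {
    awk '
    /avc: +denied/ {
        dom = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> the type is the third field
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
        }
        if (dom == "") next
        n[dom]++
        # record each command once per domain, in order of first appearance
        if (!seen[dom, comm]++)
            comms[dom] = comms[dom] (comms[dom] == "" ? "" : ",") comm
    }
    END { for (d in n) printf "%d %s %s\n", n[d], d, comms[d] }
    ' | sort -k1,1nr -k2,2
}

# With a file argument, summarize that log; otherwise run on the sample lines.
if [ -n "${1:-}" ]; then
    summarize_avc < "$1"
else
    sample_log | summarize_avc
fi
```

On the sample lines, gnome-keyring-d, firefox and bash all fall under abrt_helper_t, the same domain that `id -Z` reported for the user's shell earlier in this report.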
Looks like you are mislabeled again? When you rebooted with the relabel, did it seem to relabel?
Yes. Note the chronology: there were not one but *two* relabels, the first requested by me via 'fixfiles onboot' after which I was able to boot successfully with enforcing enabled one time, the second of which was *not* requested by me, but happened after I had to forcibly reboot when I could not shut down. In both cases, the relabel did appear to actually happen (progress counter went to 100% and then briefly counted up to like 350%, then system restarted).
Discussed at 2012-02-10 blocker review meeting. Although it's unclear exactly what's going on here, maxamillion says he's seeing it with tc2 live images, and 789233 may well be the same bug. The consequences are serious enough that we're accepting this as a blocker immediately, per criterion "Following on from the previous criterion, after firstboot is completed and on subsequent boots, a system installed according to any of the above criteria (or the appropriate Beta or Final criteria, when applying this criterion to those releases) must boot to a working graphical environment without unintended user intervention. This includes correctly accessing any encrypted partitions when the correct passphrase is supplied". Can be revisited if it turns out this is just some system-specific wigginess.
I'm seeing this too. My first thought was "my whole system is mislabeled" but a restorecon -v -F / didn't do anything. In my current boot with enforcing=0 I get:
    [jwboyer@vader ~]$ id -Z
    system_u:system_r:kernel_t:s0
    [jwboyer@vader ~]$ semanage login -l
    /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
    [jwboyer@vader ~]$ sudo fixfiles restore
    -2147483648%
    [jwboyer@vader ~]$
While I appreciate fixfiles going above and beyond the call of duty so much that it overflowed, I have no idea what that means.
Oh, and I have selinux-policy -85 at the moment:
    [jwboyer@vader ~]$ rpm -qa | grep selinux-policy
    selinux-policy-targeted-3.10.0-85.fc17.noarch
    selinux-policy-3.10.0-85.fc17.noarch
    [jwboyer@vader ~]$
+1 (more or less) to Josh's #11 and #12
1) I had to add "enforcing=0" to the LXDE Live CD in order to install F17 because I couldn't login otherwise.
2) I relabeled twice without success.
3) I can only login with "enforcing=0" via LXDM and at a console.
    [th@box ~] $ id -Z
    unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
I see this after clean minimal installs from the 17 Alpha TC2 DVD (both i386 or x86_64). I can log in only after booting with "enforcing=0". This did NOT happen with 17 Alpha TC1. Relabeling doesn't help.
I think the root problem is that the systemd process is running with system_u:system_r:kernel_t:s0 instead of system_u:system_r:init_t:s0 (as in Fedora 16).
david: yes, we know that now. dan and lennart have identified the problem, lennart said he'd work on it. I'm not sure if the new systemd build which landed today is expected to address this or not.
Adam: systemd-42-1 does not change the behavior, but there's nothing in the changelog to suggest that it was meant to.
*** Bug 789233 has been marked as a duplicate of this bug. ***
*** Bug 787841 has been marked as a duplicate of this bug. ***
*** Bug 789422 has been marked as a duplicate of this bug. ***
Actually 42 should have fixed that. If it didn't I am puzzled.
I confirm that systemd-42 does fix this.
*** Bug 789425 has been marked as a duplicate of this bug. ***
*** Bug 789438 has been marked as a duplicate of this bug. ***
*** Bug 789427 has been marked as a duplicate of this bug. ***
*** Bug 789430 has been marked as a duplicate of this bug. ***
Dan, Lennart, are you using rawhide itself, or the f17 branch? I just did two clean installs of rawhide from the network using the Fedora 16 netinst ISO (one from mirrors.mit.edu, one from dl.fedoraproject.org). After installation I was not able to log in; I had to reboot with the kernel option 'enforcing=0'. I verified that systemd-42-1.fc17.x86_64 was installed (was this built for rawhide? I would expect it to be labeled fc18). And I still see this:
    # secon --pid 1
    user: system_u
    role: system_r
    type: kernel_t
    sensitivity: s0
    clearance: s0
    mls-range: s0
I am using F17. There is a simple test to see if systemd is still broken.
    ln -s /usr/lib/systemd/systemd /bin/systemd
Then reboot; if everything ends up labeled correctly then you have a bad systemd package.
*** Bug 789545 has been marked as a duplicate of this bug. ***
@David
    [root@box ~]# cat /etc/fedora-release
    Fedora release 17 (Beefy Miracle)
    [root@box ~]# uname -r
    3.3.0-0.rc3.git4.1.fc17.i686
    [root@box ~]# cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-3.3.0-0.rc3.git4.1.fc17.i686 root=UUID=cb9dd76f-22b1-456c-8a6d-32788e70afd4 ro rd.dm=0 rd.luks=0 rd.lvm=0 rd.md=0 KEYTABLE=us LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16
    [root@box ~]# rpm -q dracut
    dracut-015-9.git20120213.fc17.noarch
    [root@box ~]# rpm -q systemd
    systemd-42-1.fc17.i686
    [root@box ~]# rpm -q selinux-policy
    selinux-policy-3.10.0-87.fc17.noarch
    [root@box ~]# rpm -q selinux-policy-targeted
    selinux-policy-targeted-3.10.0-87.fc17.noarch
    [root@box ~]# secon --pid 1
    user: system_u
    role: system_r
    type: init_t
    sensitivity: s0
    clearance: s0
    mls-range: s0
    [root@box ~]#
And login's OK.
@Tom H, the problem I am seeing is with rawhide, not the f17 branch:
    # cat /etc/fedora-release
    Fedora release 18 (Rawhide)
    # uname -r
    3.3.0-0.rc3.git2.2.fc18.x86_64
    # cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-3.3.0-0.rc3.git2.2.fc18.x86_64 root=/dev/mapper/vg_harpovmfedorarawhide-lv_root ro KEYTABLE=us rd.lvm.lv=vg_harpovmfedorarawhide/lv_root rd.luks=0 rd.lvm.lv=vg_harpovmfedorarawhide/lv_swap LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 rd.md=0 rd.dm=0 enforcing=0
    # rpm -q dracut
    dracut-015-9.git20120213.fc17.noarch
    # rpm -q systemd
    systemd-42-1.fc17.x86_64
    # rpm -q selinux-policy
    selinux-policy-3.10.0-87.fc17.noarch
    # rpm -q selinux-policy-targeted
    selinux-policy-targeted-3.10.0-87.fc17.noarch
    # secon --pid 1
    user: system_u
    role: system_r
    type: kernel_t
    sensitivity: s0
    clearance: s0
    mls-range: s0
Okay... /usr/lib/systemd/systemd is not labeled correctly after installation:
    # ls -Z /usr/lib/systemd/systemd
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/systemd/systemd
but the installed policy is correct:
    # matchpathcon /usr/lib/systemd/systemd
    /usr/lib/systemd/systemd system_u:object_r:init_exec_t:s0
and restoring the file context from policy allows me to log in (with SELinux enforcing) after a reboot:
    # restorecon /usr/lib/systemd/systemd
    # reboot
This is using the Fedora 16 netinst ISO. This happens when installing either rawhide or pre-alpha Fedora 17. Is this an anaconda issue? Is there a newer installer for testing?
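Added example, not part of the original report and not Fedora tooling: a script for the two checks done by hand in this thread, comparing a file's on-disk label with the policy default and checking which domain PID 1 ended up in. The function names are this example's own; the `--live` mode assumes GNU `stat -c %C` and `matchpathcon -n` are available, and the verdict functions work on plain context strings so they can be run anywhere.

```shell
#!/bin/sh
# Added example: on-disk label vs. policy default, and PID 1's domain.

# ctx_type CONTEXT: print the type, the third field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_verdict ACTUAL EXPECTED: compare the types of two file contexts
label_verdict() {
    if [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]; then
        echo "ok"
    else
        echo "MISLABELED actual=$(ctx_type "$1") expected=$(ctx_type "$2")"
    fi
}

# init_verdict CONTEXT: classify the context PID 1 runs in.
# kernel_t is the symptom seen in this thread: PID 1 never left the kernel's
# domain, which matched an init binary labeled lib_t instead of init_exec_t.
init_verdict() {
    case "$(ctx_type "$1")" in
        init_t)   echo "ok" ;;
        kernel_t) echo "NO_TRANSITION pid1=kernel_t (check the init binary's label)" ;;
        *)        echo "UNEXPECTED pid1=$(ctx_type "$1")" ;;
    esac
}

# audit_path PATH: live check of one file (needs an SELinux-enabled system)
audit_path() {
    actual=$(stat -c %C "$1") || return 1
    expected=$(matchpathcon -n "$1") || return 1
    echo "$1: $(label_verdict "$actual" "$expected")"
}

# Live mode: ./script --live [PATH...]; defaults to the binary from this thread.
if [ "${1:-}" = "--live" ]; then
    shift
    echo "pid 1: $(init_verdict "$(tr -d '\000' < /proc/1/attr/current)")"
    [ "$#" -gt 0 ] || set -- /usr/lib/systemd/systemd
    for p in "$@"; do
        audit_path "$p"
    done
fi
```

A MISLABELED result is what `restorecon` on that path corrects, as in the comment above; a reboot is still needed before PID 1 picks up the new label.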
David: if you're installing 17, you should use one of the 17 Alpha pre-composes at http://dl.fedoraproject.org/pub/alt/stage/ , current is Alpha RC1.
This is fixed when using the Fedora 17 Alpha installer to install Rawhide.
In today's HTTP F17 minimal install I could not login until booting something else to set SELINUX=disabled in /etc/selinux/config. https://bugzilla.redhat.com/attachment.cgi?id=574982 is the logs from that install.
Could you try to boot with enforcing=0 instead of SELINUX=disabled? It means you will boot in permissive mode.
I didn't save a copy of /etc/selinux/config before changing it, and don't remember whether it was set to enforcing or permissive. Also I didn't wait on a reply here to install many additional apps and X and yum upgrade. Having changed it to permissive and using enforcing=0 on cmdline I was forced to "eternally" wait on a "relabel"/re-reboot of a (multiboot) system on which I never wanted selinux in the first place. Luckily, enforcing=0 did enable successful login, even after changing config from permissive to enforcing and booting again. Without another fresh install I think it likely impossible to properly answer comment 36 or follow up on comment 35. Note that I failed to mention in comment 35 that I had actually done multiple minimal installs with same result, writing about it 2012/04/02 20:01 -0400 on the test list.
Probably caused by segfault in restorecon. I guess try again when policycoreutils package gets updated, please do not pile onto other bugs. I am updating to Rawhide today.