I installed from F18 Alpha RC2 DVD to a KVM. If I just boot the system to GDM and try to shut down from the menu at top right, it works fine. If I boot to GDM, log in, log out, and then try to shut down from the menu at top right, nothing seems to happen. Looking at the system logs, an selinux denial exactly coincides with the failure. See bottom for the selinux denial. If I try and file this via the selinux GUI, it decides it's a dupe of 672409. If I set SELinux to Permissive, then a polkit authentication dialog pops up, telling me authentication is required for powering off while 'other users' are logged in. If I enter my password, shutdown works. So the selinux denial is preventing the polkit auth process from working. (Though I don't know why exactly gdm thinks 'other users are logged in', when I just logged out.) Proposing as Beta blocker per criterion "All release-blocking desktops' offered mechanisms (if any) for shutting down, logging out and rebooting must work". ---------- SELinux is preventing /usr/lib/polkit-1/polkit-agent-helper-1 from read access on the file system-auth-ac. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that polkit-agent-helper-1 should be allowed read access on the system-auth-ac file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 Target Context system_u:object_r:etc_runtime_t:s0 Target Objects system-auth-ac [ file ] Source polkit-agent-he Source Path /usr/lib/polkit-1/polkit-agent-helper-1 Port <Unknown> Host (removed) Source RPM Packages polkit-0.107-2.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-7.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux localhost 3.6.0-0.rc2.git2.1.fc18.x86_64 #1 SMP Wed Aug 22 11:54:04 UTC 2012 x86_64 x86_64 Alert Count 20 First Seen 2012-09-11 17:37:45 PDT Last Seen 2012-09-11 18:47:25 PDT Local ID c1e839fd-e621-443a-9fb8-c93adec7c325 Raw Audit Messages type=AVC msg=audit(1347414445.472:307): avc: denied { read } for pid=1745 comm="polkit-agent-he" name="system-auth-ac" dev="vda3" ino=147385 scontext=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file type=SYSCALL msg=audit(1347414445.472:307): arch=x86_64 syscall=open success=no exit=EACCES a0=8de980 a1=0 a2=1b6 a3=238 items=0 ppid=1725 pid=1745 auid=42 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=3 comm=polkit-agent-he exe=/usr/lib/polkit-1/polkit-agent-helper-1 subj=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 key=(null) Hash: polkit-agent-he,policykit_auth_t,etc_runtime_t,file,read audit2allow #============= policykit_auth_t ============== allow policykit_auth_t etc_runtime_t:file read; audit2allow -R #============= policykit_auth_t ============== allow policykit_auth_t etc_runtime_t:file read;
This is old F18 release. # sesearch -A -s policykit_auth_t -t etc_runtime_t -c file -p read -C Found 2 semantic av rules: allow policykit_auth_t etc_runtime_t : file { ioctl read getattr lock open } ; allow nsswitch_domain etc_runtime_t : file { ioctl read getattr lock open } ; With the latest builds.
Yes, it's old, because it's the Alpha. We don't use builds from updates-testing in composes. If we need a newer selinux-policy for the Alpha then we need a blocker/NTH bug it fixes. Re-opening, bugs shouldn't be closed until the fixing package is in stable.
I'm pretty sure this is 852403, now. *** This bug has been marked as a duplicate of bug 852403 ***