Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1490668

Summary: Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser
Product: [Fedora] Fedora Reporter: satellitgo
Component: sugarAssignee: Simon Schampijer <simon>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: high    
Version: 27CC: dsd, dwalsh, fgrose, kparal, lsm5, lvrabec, mgrepl, pbrobinson, plautrba, pmoore, quozl, satellitgo, sebastian, simon, smparrish, sumukher
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedFreezeException
Fixed In Version: selinux-policy-3.13.1-283.3.fc27 sugar-0.110.0-6.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-31 15:39:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1396703, 1396705    

Description satellitgo 2017-09-12 01:01:38 UTC
Description of problem:
Branched Fedora-SoaS-Live-x86_64-27-20170911.n.0.iso does not login to liveuser

Version-Release number of selected component (if applicable):


How reproducible:
anaconda starts after setenforce=0 used; but still does not login after QEMU/kvm install

Steps to Reproduce:
1.qemu/kvm user session: select branched live: fails to start
2.anaconda starts after add setenforce=0 in edited boot line; but still does not login after QEMU/kvm install
3.

Actual results:
SELinux is preventing qemu-system-x86 from search access on the directory 20655.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed search access on the 20655 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c840,c976
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                20655 [ dir ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.6.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.12.8-300.fc26.x86_64
                              #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-11 16:29:55 PDT
Last Seen                     2017-09-11 16:29:55 PDT
Local ID                      c1abe421-0d6d-4c4e-95e2-6621b6ee08ba

Raw Audit Messages
type=AVC msg=audit(1505172595.116:1141): avc:  denied  { search } for  pid=22358 comm="qemu-system-x86" name="20655" dev="proc" ino=7315920 scontext=unconfined_u:unconfined_r:svirt_t:s0:c840,c976 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-x86,svirt_t,unconfined_t,dir,search



Expected results:
login to liveuser and allow install to work

Additional info:

Comment 1 Fedora Blocker Bugs Application 2017-09-12 01:03:05 UTC
Proposed as a Freeze Exception for 27-beta by Fedora user satellit using the blocker tracking app because:

 non-blocking spin

Comment 2 Fedora Update System 2017-09-18 13:37:27 UTC
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 3 Kamil Páral 2017-09-18 17:53:37 UTC
Discussed at blocker review meeting [1]:

AcceptedFreezeException - This bug would be a blocker, because SoaS is secondary DE it is accepted as FE

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-18

Comment 4 Fedora Update System 2017-09-18 22:23:34 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 5 Fedora Update System 2017-09-20 15:26:53 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 satellitgo 2017-09-20 22:21:53 UTC
Fedora-SoaS-Live-x86_64-27-20170919.n.0.iso still does not login to live user in QEMU/KVM user (f26)

Comment 7 Kamil Páral 2017-09-21 07:30:02 UTC
You need to test 20170920 compose, that should contain the new selinux-policy (make sure to check).

Comment 8 sumantro 2017-09-21 11:18:24 UTC
Kamil, tested on 20170920 , it still fails to login. Just shows a black screen and throws back to live user login.

Comment 9 Lukas Vrabec 2017-09-21 12:36:15 UTC
I tried to login on compose: Fedora-SoaS-Live-x86_64-27-20170920.n.0

but I also cannot login when SELinux is disabled or in Permissive mode. 

I don't think that this is SELinux policy issue.

Comment 10 Kamil Páral 2017-09-21 15:20:28 UTC
Also, I was wrong, you need to test with 20170921 compose. 20170920 doesn't contain the correct selinux-policy I believe (why nobody checks this?!).

Comment 11 sumantro 2017-09-21 16:10:23 UTC
Kparal, tested Fedora-27-20170921.n.0  compose fails too.

Comment 12 sumantro 2017-09-24 12:09:13 UTC
Just tested , 923 compose doesnt fix this.

Comment 13 sumantro 2017-10-19 05:59:39 UTC
I can still reproduce this on Fedora-SoaS-Live-x86_64-27-20171017. It's weird that it has selinux-policy-3.13.1-283.10.fc27.src.rpm  but it still doesnt seem to fix this

Comment 14 Peter Robinson 2017-10-19 08:21:48 UTC
It might be an issue with config changes for the display manager that needs to be adjusted in the kickstart. I'm not sure which other desktops use lightdm (I think at least lxde/xfce) so it might be worth chcecking those to see if the kickstart changed.

Comment 15 Frederick Grose 2017-10-23 22:25:50 UTC
Observed on Fedora-SoaS-Live-x86_64-27-20171023.n.0.iso (similar failure on Fedora-SoaS-Live-x86_64-27_Beta-1.5.iso).

$ journalctl -ab -o short-monotonic > soas27bootjournal.txt
   see https://gist.github.com/FGrose/97d834d362c7e1e3f690b97612c673dd

Comment 17 satellitgo 2017-10-25 16:02:14 UTC
https://paste.fedoraproject.org/paste/8ZPkQlrHDD0k~OkmzCi0gQ

mtd: Using the F26-SOAS-x86_64-20171005.iso media, it boots just fine.  Recording a screencapture of it booting, doing an install... and will paste the command line.

Comment 18 Peter Robinson 2017-10-26 08:54:07 UTC
It's because the sugar session is crashing (check in the sugar logs) and I need a patch from someone upstream to fix it I believe

Comment 19 satellitgo 2017-10-27 12:38:54 UTC
in f27 I get a return of "no match for group package "sugar-help"  when I try to do 'dnf groupinstall sugar-desktop'   can this be the reason sugar desktop fails to boot?

Comment 20 Frederick Grose 2017-10-27 13:41:42 UTC
(In reply to satellitgo from comment #19)
Yes, likely.  See this post and thread,
https://www.mail-archive.com/soas@lists.sugarlabs.org/msg02835.html

Comment 21 Peter Robinson 2017-10-27 15:48:17 UTC
So looks like sugar-help was orphaned and no one picked it up [1], I wasn't aware it was orphaned. So we'll likely have to somehow disable help loading so it doesn't crash.

I don't have time to look at this, can someone assist here?

[1] https://src.fedoraproject.org/rpms/sugar-help/c/f01b6ff474c7a160b76e21eef4af67a3277e20e2?branch=master

Comment 22 James Cameron 2017-10-27 20:25:13 UTC
> have to somehow disable help loading so it doesn't crash.

No, that has nothing to do with it.  Sugar already starts fine without the Help activity present.

What is missing from the .rpm is a file you added in a patch in the .src.rpm.

Adding that file would fix the problem.

Comment 23 Peter Robinson 2017-10-28 06:16:12 UTC
> What is missing from the .rpm is a file you added in a patch in the .src.rpm.
> 
> Adding that file would fix the problem.

Needed to run autoreconf due to the added files. New build shortly

Comment 24 Fedora Update System 2017-10-28 10:27:00 UTC
sugar-0.110.0-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4

Comment 25 Peter Robinson 2017-10-28 10:31:36 UTC
Right this build should fix this:
https://koji.fedoraproject.org/koji/buildinfo?buildID=991563

/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp.pyo
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit1.pyo
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.py
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyc
/usr/lib/python2.7/site-packages/jarabe/view/viewhelp_webkit2.pyo

Comment 26 Frederick Grose 2017-10-28 15:16:10 UTC
Confirmed. After updating the image with the following command it now launches Sugar.
# dnf install (downloaded)sugar-*-0.110.0-6.fc27.noarch.rpm

Comment 27 satellitgo 2017-10-28 15:43:13 UTC
https://koji.fedoraproject.org/koji/buildinfo?buildID=991563

(download) installed with software updater; f27 workstation with sugar-runner
sugar starts

sugar-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-all-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-background-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-backup-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-datetime-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-frame-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-keyboard-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-language-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-modemconfiguration-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-network-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-power-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-updater-0.110.0-6.fc27.noarch.rpm (info) (download)
	sugar-cp-webaccount-0.110.0-6.fc27.noarch.rpm (info) (download)

Comment 28 Fedora Blocker Bugs Application 2017-10-29 23:52:37 UTC
Proposed as a Freeze Exception for 27-final by Fedora user satellit using the blocker tracking app because:

 https://bugzilla.redhat.com/show_bug.cgi?id=1490668#c27
	already accepted as FE for beta now need it for final
sugar-dektop is non blocking spin

Comment 29 Fedora Update System 2017-10-30 14:46:06 UTC
sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1b18782d4

Comment 30 Fedora Update System 2017-10-31 15:39:13 UTC
sugar-0.110.0-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.