Bug 1107796 - initial-setup-graphical fails to run when selinux enforcing
Summary: initial-setup-graphical fails to run when selinux enforcing
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: arm
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ARMTracker F21AlphaBlocker
Reported: 2014-06-10 15:59 UTC by Paul Whalen
Modified: 2014-06-17 20:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-17 20:09:03 UTC
Type: Bug
Embargoed:


Description Paul Whalen 2014-06-10 15:59:00 UTC
Description of problem:
When SELinux is enforcing, initial-setup-graphical fails to run.

Version-Release number of selected component (if applicable):
initial-setup-0.3.21-2.fc21.armv7hl

How reproducible:
Every time.

Steps to Reproduce:
1. Boot ARM graphical image

Actual results:
Boots to log in screen

Expected results:
Initial-setup-graphical

Additional info:
systemctl status initial-setup-graphical -l
● initial-setup-graphical.service - Initial Setup configuration program
   Loaded: loaded (/usr/lib/systemd/system/initial-setup-graphical.service; enabled)
   Active: failed (Result: exit-code) since Sat 2000-01-01 16:29:45 EST; 14 years 5 months ago
  Process: 435 ExecStart=/bin/xinit /bin/firstboot-windowmanager /bin/initial-setup -- /bin/Xorg :9 -ac -nolisten tcp (code=exited, status=1/FAILURE)
  Process: 394 ExecStartPre=/bin/plymouth quit (code=exited, status=0/SUCCESS)
 Main PID: 435 (code=exited, status=1/FAILURE)

Jan 01 16:29:31 localhost xinit[435]: (EE)
Jan 01 16:29:31 localhost xinit[435]: Please consult the Fedora Project support
Jan 01 16:29:31 localhost xinit[435]: at http://wiki.x.org
Jan 01 16:29:31 localhost xinit[435]: for help.
Jan 01 16:29:31 localhost xinit[435]: (EE) Please also check the log file at "/var/log/Xorg.9.log" for additional information.
Jan 01 16:29:31 localhost xinit[435]: (EE)
Jan 01 16:29:31 localhost xinit[435]: (EE) Server terminated with error (1). Closing log file.
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: giving up
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: unable to connect to X server: Connection refused
Jan 01 16:29:45 localhost xinit[435]: /bin/xinit: server error
Jan 01 16:29:45 localhost systemd[1]: initial-setup-graphical.service: main process exited, code=exited, status=1/FAILURE
Jan 01 16:29:45 localhost systemd[1]: Failed to start Initial Setup configuration program.
Jan 01 16:29:45 localhost systemd[1]: Unit initial-setup-graphical.service entered failed state.

When SELinux is permissive, initial-setup-graphical runs as expected.

Comment 1 Adam Williamson 2014-06-10 16:10:48 UTC
Can you find an AVC anywhere? Does the X log provide any useful information?

Comment 2 Adam Williamson 2014-06-13 21:19:56 UTC
I built an x86_64 Xfce live image with today's anaconda and python-blivet (so it'd be possible to run an install). initial-setup-graphical runs on reboot, but the system seems frozen at that point - can't interact with i-s-g or do a ctrl-alt-f2. Odd, but probably not the same bug. This one may be ARM-specific.

Comment 3 Paul Whalen 2014-06-17 14:19:48 UTC
Hi Adam, 

AVC:

type=AVC msg=audit(1403013537.525:407): avc:  denied  { connectto } for  pid=712 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1403013537.525:407): arch=40000028 syscall=283 per=800000 success=no exit=-13 a0=23 a1=be83e69c a2=1d a3=ffffffff items=0 ppid=1 pid=712 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)


*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon should be allowed connectto access on the stdout unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Jun 17 10:05:32 localhost setroubleshoot: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout. For complete SELinux messages. run sealert -l 2baf4b71-f642-4443-a723-beb668f1d141
Jun 17 10:05:32 localhost python: SELinux is preventing /usr/bin/dbus-daemon from connectto access on the unix_stream_socket /run/systemd/journal/stdout.

Moving to selinux-policy.

Comment 4 Daniel Walsh 2014-06-17 20:09:03 UTC
Should be fixed in selinux-policy-3.13.1-59.fc21

