Bug 1210045 - AVC Denials after i386 Workstation netinst
Status: CLOSED DUPLICATE of bug 1190377
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Blocks: F22FinalBlocker
Reported: 2015-04-08 18:48 UTC by Mike Ruckman
Modified: 2015-04-27 09:37 UTC

Doc Type: Bug Fix
Last Closed: 2015-04-27 09:37:35 UTC
Type: Bug

Description Mike Ruckman 2015-04-08 18:48:18 UTC
Description of problem:
Fresh installation of i386 Workstation from netinst results in 5 SELinux denials on first login.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-119.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. Boot workstation netinst
2. Use all defaults, don't create a user
3. Install
4. Go through g-i-s
5. Log in with user from step 4
6. See notifications for avc denials

Actual results:
avc denials

Expected results:
no avc denials

Additional info:
Also proposing as a Final Blocker per the following criterion: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.

Comment 1 Mike Ruckman 2015-04-08 18:54:42 UTC
The denials are for:
 - useradd
 - gdm-session-worker
 - polkitd
 - colord
 - cupsd

All for "read" under "Attempted Access."

Comment 2 Lukas Vrabec 2015-04-09 14:43:18 UTC
Do you have these AVCs?
Personally, I think these domains are trying to read /etc/localtime.
Could you confirm this?

Thank you.

Comment 3 Adam Williamson 2015-04-20 18:38:39 UTC
FWIW I didn't see this on an x86_64 Workstation network install today which got selinux-policy -122.

Comment 4 Petr Schindler 2015-04-20 18:49:25 UTC
Discussed at today's blocker review meeting [1].

It was decided to delay the decision - adamw couldn't reproduce this today and the report is short on detail, let's give roshi a chance to provide more info.

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-04-20/

Comment 5 Mike Ruckman 2015-04-23 22:49:54 UTC
Here are the selinux logs.
 -> http://paste.fedoraproject.org/214975/42982639/

Lukas, looks like you're correct.

I've only seen this on i386 and only when g-i-s is used to create the user. If you create the user in anaconda there are no denials. -122 was installed.

Sorry it took me so long to respond :(

Comment 6 Lukas Vrabec 2015-04-27 09:37:35 UTC

*** This bug has been marked as a duplicate of bug 1190377 ***

