Bug 1355861 - 20160712 Workstation Rawhide nightly fails to boot in enforcing mode, boots in permissive
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F25AlphaBlocker
Reported: 2016-07-12 18:27 UTC by Adam Williamson
Modified: 2016-07-18 07:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-15 22:58:09 UTC
Type: Bug
Embargoed:


Attachments
sealert -a /var/log/audit/audit.log output on 20160711 (11.06 KB, text/plain)
2016-07-12 18:29 UTC, Adam Williamson
sealert -a /var/log/audit/audit.log output on 20160712 (11.06 KB, text/plain)
2016-07-12 18:29 UTC, Adam Williamson
journalctl -b | grep -i avc | grep den output on 20160711 (1.95 KB, text/plain)
2016-07-12 18:30 UTC, Adam Williamson
journalctl -b | grep -i avc | grep den output on 20160712 (1.98 KB, text/plain)
2016-07-12 18:30 UTC, Adam Williamson

Description Adam Williamson 2016-07-12 18:27:48 UTC
Today's Rawhide Workstation nightly live:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160712.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160712.n.0.iso

does not boot in enforcing mode, it gets stuck in a loop during GNOME init. It boots fine in permissive mode.

The previous day's nightly:

https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20160711.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160711.n.0.iso

boots OK in enforcing mode. A new selinux-policy landed in 20160712.n.0 - selinux-policy-3.13.1-201.fc25 - so this is the obvious suspect.

Booting both images in permissive mode seems to produce the same five AVCs:

SELinux is preventing (-localed) from mounton access on the directory /dev.
SELinux is preventing accounts-daemon from write access on the directory root.
SELinux is preventing accounts-daemon from add_name access on the directory .cache.
SELinux is preventing accounts-daemon from create access on the directory .cache.
SELinux is preventing gdbus from write access on the fifo_file /run/systemd/inhibit/1.ref.

according to 'sealert -a /var/log/audit/audit.log' as root. However, looking at the journal - 'journalctl -b | grep -i avc | grep den' - shows one on 20160712 that is not apparent on 20160711:

Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system

that does not appear in 20160711.

Proposing as an F25 Alpha blocker: violates "All release-blocking images must boot in their supported configurations" for the Workstation live, which is a release-blocking image.
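
The comparison described in the report above (finding the denial that appears on one boot but not the other) can be automated by reducing each AVC line to the fields that survive a reboot. This is an added example, not part of the original report or of any Fedora tooling; the function names are hypothetical, and every sample line except the USER_AVC quoted in the report is constructed.

```python
import re

# Fields that identify a denial regardless of boot-specific noise
# (timestamps, pids, inode numbers). Matches kernel AVC and USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def avc_signature(line):
    """Return (perms, scontext, tcontext, tclass), or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    return (perms, m.group("scontext"), m.group("tcontext"), m.group("tclass"))

def new_denials(old_lines, new_lines):
    """Signatures seen in new_lines but not in old_lines, in first-seen order."""
    seen = {sig for sig in map(avc_signature, old_lines) if sig}
    fresh = []
    for line in new_lines:
        sig = avc_signature(line)
        if sig and sig not in seen:
            seen.add(sig)
            fresh.append(sig)
    return fresh

# Constructed sample lines (pids, inodes and contexts invented for illustration).
BOOT_OLD = """\
Jul 11 18:20:01 localhost audit[812]: AVC avc:  denied  { write } for  pid=812 comm="accounts-daemon" name="root" dev="dm-0" ino=131 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
Jul 11 18:20:03 localhost audit[955]: AVC avc:  denied  { write } for  pid=955 comm="gdbus" name="1.ref" dev="tmpfs" ino=2201 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=1
""".splitlines()

# The same constructed denials with different noise, plus the USER_AVC from the report.
BOOT_NEW = """\
Jul 12 18:23:55 localhost audit[798]: AVC avc:  denied  { write } for  pid=798 comm="accounts-daemon" name="root" dev="dm-0" ino=140 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
Jul 12 18:23:57 localhost audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
Jul 12 18:23:59 localhost audit[941]: AVC avc:  denied  { write } for  pid=941 comm="gdbus" name="1.ref" dev="tmpfs" ino=2290 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=1
""".splitlines()

if __name__ == "__main__":
    for perms, scon, tcon, tclass in new_denials(BOOT_OLD, BOOT_NEW):
        print(f"new: {scon} -> {tcon} : {tclass} {{ {' '.join(perms)} }}")
```

On real systems the two inputs would be the saved `journalctl -b | grep -i avc | grep den` outputs from each boot, read line by line.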

Comment 1 Adam Williamson 2016-07-12 18:29:38 UTC
Created attachment 1178971
sealert -a /var/log/audit/audit.log output on 20160711

Comment 2 Adam Williamson 2016-07-12 18:29:56 UTC
Created attachment 1178972
sealert -a /var/log/audit/audit.log output on 20160712

Comment 3 Adam Williamson 2016-07-12 18:30:22 UTC
Created attachment 1178973
journalctl -b | grep -i avc | grep den output on 20160711

Comment 4 Adam Williamson 2016-07-12 18:30:39 UTC
Created attachment 1178974
journalctl -b | grep -i avc | grep den output on 20160712

Comment 5 Lukas Vrabec 2016-07-13 06:42:42 UTC
I probably see the issue here. I will fix this ASAP.

Comment 6 Lukas Vrabec 2016-07-13 08:46:42 UTC
I built selinux-policy-3.13.1-202.fc25 selinux policy package. This should fix the issue.

Comment 7 Adam Williamson 2016-07-13 15:57:00 UTC
Thanks. We didn't get a nightly today because of https://fedorahosted.org/rel-eng/ticket/6442 , I'll be able to confirm the fix (or not) when that's resolved.

Comment 8 Couret Charles-Antoine 2016-07-15 21:55:50 UTC
The update doesn't fix the issue for me.
Many services couldn't be started and the boot failed. With selinux=0 in the command line to boot, no problem.

Comment 9 Adam Williamson 2016-07-15 22:58:09 UTC
It does fix nightly live image boots, though. The last couple of days of Workstation nightly lives have booted OK.

Comment 10 Couret Charles-Antoine 2016-07-18 07:14:52 UTC
It's fixed for me after manual relabelling.
Thanks.

