Description of problem:
Installed Fedora-Workstation-Live-x86_64-Rawhide-20170110.n.0.iso. As soon as the system booted the first time, was issued this SELinux denial alert.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git0.1.fc26.x86_64
type:           libreport

Proposed as a Blocker for 26-final by Fedora user coremodule using the blocker tracking app because:

 This bug violates the following F26 Final criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Description of problem:
Updated Rawhide 26.  AVC regarding truncated 'ostnamed' after logging in.  Duplicate of 1392161.  Looks like 1361809 , 1367292 .  Last comment on 1367292 said "If problems still persist, please make note of it in this bug report."

Version-Release number of selected component:
selinux-policy-3.13.1-231.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc2.git4.1.fc26.x86_64
type:           libreport

And attached audit log with permissive mode

type=AVC msg=audit(1484227039.425:11726): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1484227039.425:11727): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1484227039.463:11728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Nearly every openQA test is running into this in recent composes. +1 blocker.

+1 blocker

Description of problem:
Simply booted a freshly installed Rawhide VM and logged in.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git4.1.fc26.x86_64
type:           libreport

AVC is generated because systemd-hostnamed.service has option ProtectKernelTunables set to yes. If this option is enabled for the service then systemd will disable sysctl syscall by installing seccomp filter. Also the service will be spawned in its own mount namespace where some filesystem paths that are otherwise write-able by root will become read-only. This is done by recursively bind mounting those paths into the same locations and then remounting bind mounts as read-only.

If you want to get rid of AVC then either allow systemd to do remounting or remove ProtectKernelTunables=yes from systemd-hostnamed.service. Note that that localed, resolved, timesyncd and timedated unit files also contain ProtectKernelTunables=yes option.

I think it would make sense to adjust our SELinux policy because otherwise services can't take full advantage of this new systemd security feature.

(In reply to Adam Williamson from comment #5)
> Nearly every openQA test is running into this in recent composes. +1 blocker.

(In reply to Stephen Gallagher from comment #6)
> +1 blocker

It super nice that you gave +1 for harmless AVC bug.
IMHO there are different bugs which should get blocker.  (BZ1413075 and maybe related/duplicate BZ1413047)

It's hard to know which one is at fault, but SELinux is preventing the system from working *at all* on Fedora 26/Rawhide right now. This looked likely to be the culprit. If this one is indeed harmless and the problem is elsewhere, please advise.

It's hard to know which one is at fault, but SELinux is preventing the system from working *at all* on Fedora 26/Rawhide right now. This looked likely to be the culprit. If this one is indeed harmless and the problem is elsewhere, please advise.

I can see this AVC even on older kernel but it does not cause such problem as I reported in different bugs(BZ1413075 BZ1413047)

FWIW, filesystem paths that systemd may try to remount due to use of new security related features can be found in respective tables here,

https://github.com/systemd/systemd/blob/master/src/core/namespace.c

Michal, 
Thank you. Fixed. Build will be available ASAP.

Any news on that build?

commit 08645ba5ed6467bee8218bec32015ef4f1c70fa0
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 17 17:47:55 2017 +0100

    Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)

Adam, 
Issue is fixed here:
https://koji.fedoraproject.org/koji/buildinfo?buildID=834475

I think that this change caused another bug @see BZ1418682

Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker was made as it violates the following Final criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

A similar AVC still shows up in Fedora-Rawhide-20170214.n.0 testing, e.g.:

https://openqa.fedoraproject.org/tests/56815#step/_console_avc_crash/9

it now seems to be complaining about /proc/mtrr .

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

There's another report for the /proc/mtrr one:
https://bugzilla.redhat.com/show_bug.cgi?id=1411360
so let's close this.