Since the Fedora-Rawhide-20190407.n.1 compose, many services fail to start on boot of a freshly-installed Rawhide system, and the network does not come up. This seems to be clearly an SELinux issue, likely introduced by selinux-policy-3.14.4-8.fc31: booting with 'enforcing=0' solves all the problems, all services start successfully and the network comes up.

Here are all the denials shown by ausearch from the permissive boot:

----
time->Mon Apr 8 16:57:11 2019
type=AVC msg=audit(1554767831.028:97): avc: denied { mounton } for pid=662 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr 8 16:57:11 2019
type=AVC msg=audit(1554767831.052:101): avc: denied { mounton } for pid=665 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr 8 16:57:11 2019
type=AVC msg=audit(1554767831.081:105): avc: denied { mounton } for pid=668 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr 8 16:57:11 2019
type=AVC msg=audit(1554767831.107:109): avc: denied { mounton } for pid=671 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr 8 16:57:11 2019
type=AVC msg=audit(1554767831.146:114): avc: denied { mounton } for pid=677 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr 8 16:57:58 2019
type=AVC msg=audit(1554767878.936:212): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr 8 16:57:58 2019
type=AVC msg=audit(1554767878.936:213): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr 8 16:58:25 2019
type=AVC msg=audit(1554767905.909:67): avc: denied { mounton } for pid=682 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=12788 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

Proposing as an F31 Beta blocker - this violates all criteria related to network-based functions on the installed system (e.g. package install).
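As an added illustration (not part of the bug report), the following script parses AVC records of the shape quoted above, collapses the repeated denials into the distinct (source type, target type, class, permission) tuples, and renders each as the allow rule a policy fix would need to carry, which is the same grouping audit2allow performs. The sample records are copied from the report; the helper names are my own.

```python
import re
from collections import Counter

# Fields of an AVC record as printed by "ausearch -m avc" (shape taken from the report above).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the record's fields as a dict, or None for separators and non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')  # comm/path/name are quoted, contexts and numbers are not
    return rec

def summarize(lines):
    """Count distinct denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]  # user:role:type:level -> type
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts

def as_rules(counts):
    """Render each distinct denial as the allow rule that would be needed to permit it."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)

# Three records copied from the report above, plus one ausearch separator line.
SAMPLE = [
    "----",
    'type=AVC msg=audit(1554767831.028:97): avc: denied { mounton } for pid=662 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1554767831.052:101): avc: denied { mounton } for pid=665 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1554767878.936:212): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0',
]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```

Feeding it the full `ausearch -m avc` output of a boot yields the two rules that match the two commits cited in the fix below; the `permissive` field is kept per record so one can tell enforcing-mode denials from permissive-mode audit-only ones.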
Will be fixed in the next version of the selinux-policy rpm package.

commit 639e317c9b53a6b1f520a0e02bf489c6b173eaae (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:21:04 2019 +0200

    Allow systemd labeled as init_t to setattr on unallocated ttys
    BZ(1697667)

commit 68d5b6395399b4b4a04d2fc4fc37dd91a6b54450
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 8 12:29:36 2019 +0200

    Allow systemd to mounton kernel sysctls
    BZ(1696201)
This is likely the problem behind [bug 1697548] I reported earlier, at systemd component.
[bug 1697370], I mean.
*** Bug 1697548 has been marked as a duplicate of this bug. ***
The selinux-policy package build failed: http://koji.fedoraproject.org/koji/buildinfo?buildID=1247012. Can you please check and fix it? Thanks.
http://koji.fedoraproject.org/koji/buildinfo?buildID=1248381 Fixed.
This does indeed seem resolved in current Rawhide, thanks.