Bug 1134558

Summary: [abrt] rolekit: connection.py:584:call_async:ValueError: Unable to guess signature from an empty dict
Product: [Fedora] Fedora
Reporter: Stephen Gallagher <sgallagh>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 21
CC: dominick.grift, dwalsh, extras-qa, lvrabec, mgrepl, sgallagh, twoerner
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/581bd7a647257b89718d71aac4e7f8a08c328264
Whiteboard: abrt_hash:1276e3d8c413730eab40128170aeeffc4b64689c
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1134553
Environment:
Last Closed: 2015-11-09 14:16:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1134553
Bug Blocks:

Description Stephen Gallagher 2014-08-27 19:04:54 UTC
+++ This bug was initially created as a clone of Bug #1134553 +++

Description of problem:
Attempted to run 'rolectl list instances'

The issue appears to be an incorrectly-handled SELinux denial which crashes roled and fails to return an error to the rolectl client, which waits forever.

Version-Release number of selected component:
rolekit-0.0.3-1.fc21

Additional info:
reporter:       libreport-2.2.3
cmdline:        /usr/bin/python -Es /usr/sbin/roled --nofork --nopid
dso_list:       dbus-python-1.2.0-6.fc21.x86_64
executable:     /usr/sbin/roled
kernel:         3.16.1-300.fc21.x86_64
runlevel:       N 3
type:           Python
uid:            0

Truncated backtrace:
connection.py:584:call_async:ValueError: Unable to guess signature from an empty dict

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 607, in msg_reply_handler
    *message.get_args_list()))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 416, in _introspect_error_handler
    self._introspect_execute_queue()
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 387, in _introspect_execute_queue
    proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 137, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 584, in call_async
    message.append(signature=signature, *args)
ValueError: Unable to guess signature from an empty dict

Local variables in innermost frame:
bus_name: dbus.UTF8String(':1.5')
byte_arrays: False
self: <dbus._dbus.SystemBus (system) at 0x7f7b99aa9590>
args: (('system-bus-name', {'name': ':1.29'}), 'org.fedoraproject.rolekit1.all', {}, 1, '')
require_main_loop: True
object_path: '/org/freedesktop/PolicyKit1/Authority'
signature: None
reply_handler: <function reply_cb at 0x7f7b9749b2a8>
error_handler: <function error_handler at 0x7f7b9749b1b8>
dbus_interface: 'org.freedesktop.PolicyKit1.Authority'
timeout: 2147483.647
kwargs: {}
e: ValueError('Unable to guess signature from an empty dict',)
message: <dbus.lowlevel.MethodCallMessage path: /org/freedesktop/PolicyKit1/Authority, iface: org.freedesktop.PolicyKit1.Authority, member: CheckAuthorization dest: :1.5>
get_args_opts: {'byte_arrays': False, 'utf8_strings': False}
method: 'CheckAuthorization'

--- Additional comment from Stephen Gallagher on 2014-08-27 14:47:17 EDT ---



--- Additional comment from Stephen Gallagher on 2014-08-27 14:47:18 EDT ---



--- Additional comment from Stephen Gallagher on 2014-08-27 15:00:23 EDT ---

I say that it's related to SELinux because it doesn't hang in permissive mode.

There are two bugs here: one in SELinux to properly allow the behavior and another in cockpit itself to properly handle permission denied errors.

audit2why:

type=USER_AVC msg=audit(1409164980.789:721): pid=608 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.30 spid=748 tpid=22117 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
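
Added example, not part of the original report or of the rolekit or selinux-policy code: a small parser for the USER_AVC record quoted above that extracts the enforcing object manager, the source and target types, and the type-enforcement rule the denial corresponds to. The function names (selinux_type, parse_avc, te_rule) are this example's own.

```python
import re

# The USER_AVC record quoted in the report, embedded so the example runs offline.
SAMPLE = (
    "type=USER_AVC msg=audit(1409164980.789:721): pid=608 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.30 "
    "spid=748 tpid=22117 scontext=system_u:system_r:policykit_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  "
    'exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?\''
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":", 3)[2]

def parse_avc(record):
    """Parse one AVC/USER_AVC audit record; return None if it carries no AVC."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    header = record.split("msg='", 1)[0]
    subj = re.search(r"\bsubj=(\S+)", header)
    body = m.group(3).rstrip().rstrip("'")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        # For USER_AVC, subj is the userspace object manager that enforced it.
        "reporter_type": selinux_type(subj.group(1)) if subj else None,
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),
    }

def te_rule(avc):
    """Render the type-enforcement rule matching a denial, for policy review."""
    if avc is None or avc["result"] != "denied":
        return None
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        avc["source_type"], avc["target_type"], avc["tclass"], perm_text)

if __name__ == "__main__":
    print(te_rule(parse_avc(SAMPLE)))
```

The parsed record shows the denied message is the method_return from policykit_t back to the unconfined_service_t caller, enforced by the D-Bus daemon, which is why roled never receives its PolicyKit reply.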

Comment 1 Miroslav Grepl 2014-08-28 13:32:09 UTC
What does

ps -efZ |grep unconfined_service_t

Comment 2 Stephen Gallagher 2014-08-28 13:56:04 UTC
system_u:system_r:unconfined_service_t:s0 root 596 1  0 Aug21 ?        00:00:01 /sbin/rngd -f
system_u:system_r:unconfined_service_t:s0 root 24998 1  0 09:55 ?      00:00:00 /usr/bin/python -Es /usr/sbin/roled --nofork --nopid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25003 24971  0 09:55 pts/1 00:00:00 grep --color=auto unconfined_service_t

Comment 3 Daniel Walsh 2014-08-31 11:10:37 UTC
33e4e46c9b3262601a3c1e35ab649451904d982a will allow unconfined_service_t to dbus chat with all dbus services.  

But rngd looks like it should be running as rngd_t

ls -lZ /sbin/rngd

Comment 4 Stephen Gallagher 2014-08-31 14:32:43 UTC
(In reply to Daniel Walsh from comment #3)
> 33e4e46c9b3262601a3c1e35ab649451904d982a will allow unconfined_service_t to
> dbus chat with all dbus services.  
> 

Thanks

> But rngd looks like it should be running as rngd_t
> 
> ls -lZ /sbin/rngd

This is irrelevant. I launched rngd manually from a root shell for an unrelated task. Don't worry about it.

Comment 5 Miroslav Grepl 2014-09-01 08:37:15 UTC
We will need to write a policy for /usr/sbin/roled. 

Anyway Dan's fix will be a part of the next build.

Comment 6 Fedora End Of Life 2015-11-04 15:49:39 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.