Bug 1225920
| Summary: | SELinux does not allow ostree to reboot after an upgrade | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Todor Todorov <todor.a.todorov> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-128.1.fc22 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-06-11 18:37:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Yeah, eventually we may need our own domain for this, but for now I'd suggest we just allow install_t these AVs.

commit 0b5f1956f684cd989d6b198c96d3f250954870bf
Author: Miroslav Grepl <mgrepl>
Date: Mon Jun 1 12:37:01 2015 +0200

Make "ostree admin upgrade -r" command, which is supposed to upgrade the system and reboot, work again. BZ(1225920)

When can we expect selinux-policy-3.13.1-127.fc22 to be added to Fedora-atomic? Thanks for the assistance!

selinux-policy-3.13.1-128.1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.1.fc22

Package selinux-policy-3.13.1-128.1.fc22:

* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.1.fc22'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9714/selinux-policy-3.13.1-128.1.fc22
then log in and leave karma (feedback).

selinux-policy-3.13.1-128.1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:

When I execute "ostree admin upgrade -r", which is supposed to upgrade the system and reboot it afterwards, I encounter the following error:

```
** (pkttyagent:1523): WARNING **: Unable to register authentication agent: Timeout was reached
Error registering authentication agent: Timeout was reached (g-io-error-quark, 24)
Failed to start reboot.target: Connection timed out
error: Child process exited with code 1
```

Version-Release number of selected component (if applicable):

Fedora-atomic Version: 22, both bare metal and raw disk deployed to VirtualBox

How reproducible:

```
-bash-4.3# ostree admin status
* fedora-atomic 06a63ecfcf053d1625e9ddf406429eef3c7fe3ecccbe636a54b90175a5899e7d.0
    Version: 22.17
    origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/docker-host
-bash-4.3# ostree admin upgrade -r
57 metadata, 390 content objects fetched; 128092 KiB transferred in 89 seconds
Copying /etc changes: 25 modified, 0 removed, 41 added
Transaction complete; bootconfig swap: yes deployment count change: 1
** (pkttyagent:1523): WARNING **: Unable to register authentication agent: Timeout was reached
Error registering authentication agent: Timeout was reached (g-io-error-quark, 24)
Failed to start reboot.target: Connection timed out
error: Child process exited with code 1
```

Actual results:

Expected results:

Expected to reboot the system after an upgrade.

Additional info:

Considering the journal during the execution of the above command, it seems the reason for this error is SELinux.

```
May 28 12:50:03 atomic-01.host kernel: SELinux: Context system_u:object_r:systemd_timedated_unit_file_t:s0 is not valid (left unmapped).
May 28 12:51:50 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 28 12:52:15 atomic-01.host polkitd[672]: Registered Authentication Agent for unix-process:1521:32024 (system bus name :1.15 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 28 12:52:40 atomic-01.host polkitd[672]: Unregistered Authentication Agent for unix-process:1521:32024 (system bus name :1.15, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
```

Once I switch SELinux to Permissive mode, all works as expected.
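
An added example, not part of the original report and not code from the selinux-policy project: a small parser that reduces the `avc: denied` journal records quoted above to source type, target type, class and permission, and lists the allow rule each denial implies, in the form audit2allow would suggest. The rule actually committed for this bug is not shown on the page, and the function names here are the example's own.

```python
import re
from collections import Counter

# Journal lines copied from the report above, trimmed to the fields parsed here.
SAMPLE = """\
May 28 12:51:50 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
May 28 12:52:15 atomic-01.host polkitd[672]: Registered Authentication Agent for unix-process:1521:32024
May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level; the level may itself contain ':'.
    return context.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),  # sender of the D-Bus message
        "target": selinux_type(fields["tcontext"]),  # intended receiver
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

def candidate_rules(counts):
    # One rule per distinct denial; review before loading any of them.
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```

All three denials collapse to a single rule: messages sent by polkitd (`policykit_t`) to the process running as `install_t` are blocked at the bus.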