Bug 1655687
| Summary: | pkexec /usr/sbin/grub2-set-bootflag fails on user login | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Stephen Hobbs <shobbs> |
| Component: | grub2 | Assignee: | Bootloader engineering team <bootloader-eng-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Release Test Team <release-test-team-automation> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | fmartine, jwright, kwalker, pholica, pkotvan, ptalbert, rik.theys |
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | grub2-2.02-64.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-13 23:09:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Stephen Hobbs
2018-12-03 17:04:22 UTC
The Policy shipped with grub2 is the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> <policyconfig> <vendor>GNU GRUB</vendor> <vendor_url>https://www.gnu.org/software/grub/</vendor_url> <action id="org.gnu.grub.set-bootflag"> <!-- SECURITY: - A normal active user on the local machine does not need permission to set bootflags to show the menu / mark current boot successful. --> <description>Set GRUB bootflags</description> <message>Authentication is required to modify the bootloaders bootflags</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>yes</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate> </action> </policyconfig> It indicates that active (local) requests will succeed. However, the unit ships a systemd user unit and timer that is enabled by default. grub2.spec: <snip> ln -s ../grub-boot-success.timer \ %{buildroot}%{_userunitdir}/timers.target.wants <snip> When you have the above, and you login to the system remotely(beyond very common) for the first time after boot, you get this message. The above grub-boot-success.timer should be opt-in and not hard-coded into the specfile... - Kyle Walker Reproduced the problem in old compose RHEL-8.0-20181113.1 (grub2-2.02-57.el8). Login to the machine through ssh using a non-root user and check that grub2-set-bootflag failed: $ systemctl --user status grub-boot-success ● grub-boot-success.service - Mark boot as successful Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled) Active: failed (Result: exit-code) since Wed 2019-02-20 12:10:43 EST; 1min 46s ago Process: 1471 ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success (code=exited, status=127) Main PID: 1471 (code=exited, status=127) ---------------------------------------------------------------------------------- Verified in latest compose RHEL-8.0-20190220.n.0 (grub2-2.02-66.el8) that is fixed. Login to the machine through ssh using a non-root user and check that grub2-set-bootflag succeeded: $ systemctl --user status grub-boot-success ● grub-boot-success.service - Mark boot as successful Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled) Active: inactive (dead) since Wed 2019-02-20 19:33:52 IST; 5s ago Process: 1493 ExecStart=/usr/sbin/grub2-set-bootflag boot_success (code=exited, status=0/SUCCESS) Main PID: 1493 (code=exited, status=0/SUCCESS) |