Bug 1664143
| Summary: | Fedora KDE systemd stop process timeout on dbus | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul Sadauskas <psadauskas> |
| Component: | selinux-policy-targeted | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 29 | CC: | dwalsh, flaviohenriquedesousaribeiro, psadauskas, th4949 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-01-18 02:14:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Paul Sadauskas
2019-01-07 20:16:04 UTC
Could you attach output of: # sestatus Thanks, Lukas. $ sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31 Hi Paul, Thanks for update. Could you put SELinux to permissive mode: # setenforce 0 and reproduce the issue? Then please attach ouput of: # ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts today Thanks, Lukas. I rebooted once before setting `setenforce 0` (the entry at 10:40:47), then ran the `setenforce 0` and rebooted again.
$ sudo ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts today
----
time->Wed Jan 9 10:40:47 2019
type=AVC msg=audit(1547055647.716:640): avc: denied { getattr } for pid=6640 comm="plymouthd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=15506 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0
----
time->Wed Jan 9 10:45:18 2019
type=USER_AVC msg=audit(1547055918.368:322): pid=1811 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Jan 9 10:45:43 2019
type=USER_AVC msg=audit(1547055943.437:326): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 9 10:45:44 2019
type=AVC msg=audit(1547055944.468:374): avc: denied { getattr } for pid=5973 comm="plymouthd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=16400 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
Hi Paul, Could you try to reproduce with custom SELinux module? # cat local_plymouthd_efivarfs.cil (allow plymouthd_t efivarfs_t(dir (open read getattr))) (allow plymouthd_t efivarfs_t(file (open read getattr))) # semodule -i local_plymouthd_efivarfs.cil Thanks, Lukas. It appear to have no effect, I still have the stuck stop job. $ sudo ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts today ---- time->Thu Jan 10 10:41:56 2019 type=USER_AVC msg=audit(1547142116.840:375): pid=1172 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' ---- time->Thu Jan 10 10:42:12 2019 type=USER_AVC msg=audit(1547142132.156:382): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Paul, These AVCs are just information about Security SELinux policy reload. Hrm, OK. That makes sense. I pulled up the log for that reboot, and it looks like dbus isn't the one hanging the boot anymore, its something else: Jan 10 10:43:42 boyd systemd[1]: session-2.scope: Stopping timed out. Killing. Jan 10 10:43:42 boyd systemd[1]: session-2.scope: Killing process 2578 (vivaldi-bin) with signal SIGKILL. Jan 10 10:43:42 boyd systemd[1]: session-2.scope: Killing process 3084 (CacheThread_Blo) with signal SIGKILL. Jan 10 10:43:42 boyd systemd[1]: session-2.scope: Failed with result 'timeout'. I won't be back at that computer again until Monday, to double-check, but it looks like that selinux module fixed it? I didn't do anything exotic to this install, is something missing in the default configs that needs to be fixed? Thanks, Paul Zdenek, Could you please add rules from comment#5 ? Thanks, Lukas. Pull requests created to grant the dir:getattr and related permissions: https://github.com/fedora-selinux/selinux-policy/pull/240 https://github.com/fedora-selinux/selinux-policy-contrib/pull/82 *** Bug 1648978 has been marked as a duplicate of this bug. *** The pull requests have been merged to the main branch and should be a part of the next selinux-policy packages update. selinux-policy-3.14.2-47.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346 selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346 *** Bug 1665580 has been marked as a duplicate of this bug. *** selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |