Bug 1665701
Summary: | Failure to activate fwupd service
---|---
Product: | [Fedora] Fedora
Component: | tpm2-abrmd-selinux
Version: | 29
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Mikhail Zabaluev <mikhail.zabaluev>
Assignee: | Javier Martinez Canillas <fmartine>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | baker1tex, david, dwalsh, fmartine, frh+fedora, h3x, jsnitsel, lvrabec, mgrepl, pf-redhat-bugzilla, plautrba, rhughes, yunying.sun, zpytela
Fixed In Version: | tpm2-abrmd-selinux-2.0.0-3.fc29
Last Closed: | 2019-03-11 22:41:32 UTC
Type: | Bug
I get the same error. I believe the SELinux denial is the crucial part, because if I set to permissive it starts fine.

I can reproduce it.

Created attachment 1523164
Gnome Software error message

I get the exact same error as the original poster. Fresh install of Fedora 29 Workstation on Lenovo ThinkPad T560.

I also get the same error with Fedora 29 Workstation on a Lenovo ThinkPad T580.

> because if I set to permissive it starts fine

Reassigning to someone that can debug this further. Thanks!
This should be fixed in tpm2-abrmd-selinux component.

Guys, this AVC should be fixed:
USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0

Thanks,
Lukas.

Assuming you're referring to the tpm2-abrmd-selinux package, the last update to it of any kind for Fedora 29 was in July 2018 [1]. There are no pending updates to test, either.

[1] https://koji.fedoraproject.org/koji/packageinfo?packageID=27215

Oh, I see. Lukas was referring to where it should be fixed, not that it should already be fixed.

Hello Lukas,

(In reply to Lukas Vrabec from comment #7)
> This should be fixed in tpm2-abrmd-selinux component.
>
> Guys, this AVC should be fixed:
> USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
> send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324
> scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0
> tclass=dbus permissive=0
>
> Thanks,
> Lukas.

I'm not able to reproduce this on a F29 machine with SELinux in enforcing mode. I've a TPM2 device but both fwupd and tpm2-abrmd services are running correctly:

sudo systemctl status fwupd
[sudo] password for javier: Sorry, try again.
[sudo] password for javier:
● fwupd.service - Firmware update daemon
   Loaded: loaded (/usr/lib/systemd/system/fwupd.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2019-02-26 10:05:18 CET; 10min ago
     Docs: https://fwupd.org/
 Main PID: 19252 (fwupd)
    Tasks: 5 (limit: 4915)
   Memory: 13.8M
   CGroup: /system.slice/fwupd.service
           └─19252 /usr/libexec/fwupd/fwupd

sudo systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
   Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-02-15 12:39:28 CET; 1 weeks 3 days ago
 Main PID: 2350 (tpm2-abrmd)
    Tasks: 6 (limit: 4915)
   Memory: 1.3M
   CGroup: /system.slice/tpm2-abrmd.service
           └─2350 /usr/sbin/tpm2-abrmd

Feb 15 12:39:28 minerva systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Feb 15 12:39:28 minerva systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.

$ rpm -qa fwupd
fwupd-1.2.3-1.fc29.x86_64

$ rpm -qa tpm2-abrmd
tpm2-abrmd-2.0.3-2.fc29.x86_64

But did I understand correctly that the problem is that fwupd isn't able to send D-Bus messages to tpm2-abrmd?

So I guess we need to add the following to the tpm2-abrmd SELinux policy:

--- a/selinux/tabrmd.te +++ b/selinux/tabrmd.te 
@@ -18,5 +18,6 @@ optional_policy(` dbus_stub() dbus_system_domain(tabrmd_t, tabrmd_exec_t) allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms; + fwupd_dbus_chat(tabrmd_t) ')

Best regards,
Javier

Workaround which is probably sensible anyway: https://github.com/hughsie/fwupd/pull/1048

Confirming fix from comment#10

tpm2-abrmd-selinux-2.0.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c91e7e82d8

tpm2-abrmd-selinux-2.0.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c91e7e82d8

tpm2-abrmd-selinux-2.0.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
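
Review bot: fwupd_dbus_chat(tabrmd_t) is added inside the existing optional_policy block, next to dbus_stub() and dbus_system_domain(tabrmd_t, tabrmd_exec_t), so on a system whose loaded policy does not provide the fwupd types the whole block is disabled, including the daemon's own D-Bus rules. Consider moving the call into its own optional_policy block so the fwupd dependency stays isolated, and add a one-line comment in tabrmd.te naming the denial it addresses (send_msg from tabrmd_t to fwupd_t, tclass=dbus).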
Created attachment 1520254
Excerpt from journal containing the relevant messages

Description of problem:
GNOME Software displays an error message saying that D-Bus service fwupd failed to get activated.

Version-Release number of selected component (if applicable):
fwupd-1.2.3-1.fc29.x86_64

How reproducible:
After every boot

Steps to Reproduce:
1. Boot up the system.
2. Launch the GNOME Software application.
3. Switch to the Updates tab in GNOME Software.

Actual results:
An error message is displayed about failure to activate service 'org.freedesktop.fwupd' due to a timeout.

Expected results:
GNOME Software shows no error messages and displays the list of updates.

Additional info:
The message is also present in journal log messages created shortly after session start:

Jan 13 07:35:03 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: not GsPlugin error g-dbus-error-quark:20: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: not handling error failed for action refresh: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: can't reliably fixup error from domain g-dbus-error-quark
Jan 13 07:35:03 gnome-software[2122]: not handling error failed for action get-updates-historical: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 PackageKit[1327]: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Jan 13 07:35:03 PackageKit[1327]: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Jan 13 07:35:03 PackageKit[1327]: refresh-cache transaction /4832_dbacedae from uid 1000 finished with cancelled-priority after 110ms
Jan 13 07:35:03 audit[917]: USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jan 13 07:35:04 dbus-daemon[917]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.453' (uid=1000 pid=2122 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

Later on in journal, there is some more from fwupd and dbus-daemon:

Jan 13 07:35:28 fwupd[2313]: Failed to get PCR0s: Child process exited with code 1
Jan 13 07:35:29 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
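
The triage step this report turns on, picking the USER_AVC record out of the journal and reading off which domain was denied which permission on which target, is shown here as an added example; it is not code from this bug report, Fedora or tpm2-abrmd. The function names are hypothetical, and the sample input is constructed from two of the journal lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the USER_AVC record from this report next to one
# non-AVC journal line, to show that unrelated lines are skipped.
SAMPLE_JOURNAL = """\
Jan 13 07:35:03 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 audit[917]: USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_denials(text):
    """Yield one dict per AVC/USER_AVC denial found in journal text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "source": context_type(m["scon"]),
                "target": context_type(m["tcon"]),
                "tclass": m["tclass"],
                "perms": m["perms"].split(),
                "enforced": m["permissive"] != "1",
            }

def candidate_rules(denials):
    """Merge denials into de-duplicated raw allow rules, for review only."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE_JOURNAL))))
```

The raw rule it prints is a reading aid for the denial; the fix proposed in this report uses the policy interface fwupd_dbus_chat(tabrmd_t) rather than a hand-written allow rule.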