Bug 1665701

Summary: Failure to activate fwupd service
Product: [Fedora] Fedora
Reporter: Mikhail Zabaluev <mikhail.zabaluev>
Component: tpm2-abrmd-selinux
Assignee: Javier Martinez Canillas <fmartine>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: baker1tex, david, dwalsh, fmartine, frh+fedora, h3x, jsnitsel, lvrabec, mgrepl, pf-redhat-bugzilla, plautrba, rhughes, yunying.sun, zpytela
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tpm2-abrmd-selinux-2.0.0-3.fc29
Last Closed: 2019-03-11 22:41:32 UTC
Type: Bug

Attachments:
Excerpt from journal containing the relevant messages (flags: none)
Gnome Software error message (flags: none)

Description Mikhail Zabaluev 2019-01-13 06:24:05 UTC
Created attachment 1520254
Excerpt from journal containing the relevant messages

Description of problem:
GNOME Software displays an error message saying that D-Bus service fwupd failed to get activated.

Version-Release number of selected component (if applicable):
fwupd-1.2.3-1.fc29.x86_64

How reproducible:
After every boot

Steps to Reproduce:
1. Boot up the system.
2. Launch the GNOME Software application.
3. Switch to the Updates tab in GNOME Software.

Actual results:

An error message is displayed about failure to activate service 'org.freedesktop.fwupd' due to a timeout. 

Expected results:

GNOME Software shows no error messages and displays the list of updates.

Additional info:

The message is also present in journal log messages created shortly after session start:

Jan 13 07:35:03 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: not GsPlugin error g-dbus-error-quark:20: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: not handling error failed for action refresh: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 gnome-software[2122]: can't reliably fixup error from domain g-dbus-error-quark
Jan 13 07:35:03 gnome-software[2122]: not handling error failed for action get-updates-historical: Ошибка вызова StartServiceByName для org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 PackageKit[1327]: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Jan 13 07:35:03 PackageKit[1327]: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Jan 13 07:35:03 PackageKit[1327]: refresh-cache transaction /4832_dbacedae from uid 1000 finished with cancelled-priority after 110ms
Jan 13 07:35:03 audit[917]: USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0
                             exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jan 13 07:35:04 dbus-daemon[917]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.453' (uid=1000 pid=2122 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

Later on in journal, there is some more from fwupd and dbus-daemon:

Jan 13 07:35:28 fwupd[2313]: Failed to get PCR0s: Child process exited with code 1
Jan 13 07:35:29 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)

Comment 1 Frederik Holden 2019-01-23 10:45:38 UTC
I get the same error. I believe the SELinux denial is the crucial part, because if I set to permissive it starts fine.

Comment 2 David Bauer 2019-01-24 14:39:21 UTC
I can reproduce it.

Comment 3 David Bauer 2019-01-24 14:40:17 UTC
Created attachment 1523164
Gnome Software error message

Comment 4 Phil Baker 2019-02-24 13:00:34 UTC
I get the exact same error as the original poster. Fresh install of Fedora 29 Workstation on Lenovo ThinkPad T560.

Comment 5 David Strauss 2019-02-24 21:44:01 UTC
I also get the same error with Fedora 29 Workstation on a Lenovo ThinkPad T580.

Comment 6 Richard Hughes 2019-02-25 11:15:51 UTC
> because if I set to permissive it starts fine

Reassigning to someone that can debug this further. Thanks!

Comment 7 Lukas Vrabec 2019-02-25 17:40:58 UTC
This should be fixed in tpm2-abrmd-selinux component. 

Guys, this AVC should be fixed: 
USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0

Thanks,
Lukas.
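
Added example (not part of the original thread or of any project's code): a small Python parser that pulls the SELinux denial and the D-Bus activation timeouts out of journal text like the excerpt in this report, and writes the denied access as a type-enforcement tuple. The sample input is constructed from lines quoted in this report; the function names are hypothetical.

```python
import re

# Constructed sample from this report; journalctl wraps the USER_AVC record onto an indented line.
SAMPLE_JOURNAL = """\
Jan 13 07:35:03 dbus-daemon[917]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Jan 13 07:35:03 audit[917]: USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0
                             exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jan 13 07:35:28 fwupd[2313]: Failed to get PCR0s: Child process exited with code 1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIMEOUT_RE = re.compile(r"Failed to activate service '([^']+)': timed out")

def unwrap(text):
    """Join indented continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line)
    return records

def parse_denials(text):
    """Return one dict per AVC denial: source/target type, class, permissions."""
    denials = []
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        f = dict(KV_RE.findall(m.group(2))) if m else {}
        if not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # not an AVC denial, or a truncated one
        denials.append({
            "perms": m.group(1).split(), "tclass": f["tclass"],
            "source": f["scontext"].split(":")[2],  # user:role:type:level
            "target": f["tcontext"].split(":")[2],
            "enforced": f.get("permissive") == "0"})
    return denials

def timed_out_services(text):
    """D-Bus names whose activation timed out, de-duplicated in log order."""
    return list(dict.fromkeys(TIMEOUT_RE.findall(text)))

def te_tuple(d):
    """The raw access the denial names, written as a type-enforcement rule."""
    return "allow %s %s:%s { %s };" % (d["source"], d["target"], d["tclass"], " ".join(d["perms"]))

if __name__ == "__main__":
    print([te_tuple(d) for d in parse_denials(SAMPLE_JOURNAL)], timed_out_services(SAMPLE_JOURNAL))
```

The tuple only names the access that was denied; whether it is granted with a raw rule or through a policy interface is a decision for the policy maintainer.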

Comment 8 David Strauss 2019-02-25 21:30:22 UTC
Assuming you're referring to the tpm2-abrmd-selinux package, the last update to it of any kind for Fedora 29 was in July 2018 [1]. There are no pending updates to test, either.

[1] https://koji.fedoraproject.org/koji/packageinfo?packageID=27215

Comment 9 David Strauss 2019-02-25 21:31:06 UTC
Oh, I see. Lukas was referring to where it should be fixed, not that it should already be fixed.

Comment 10 Javier Martinez Canillas 2019-02-26 09:18:39 UTC
Hello Lukas,

(In reply to Lukas Vrabec from comment #7)
> This should be fixed in tpm2-abrmd-selinux component. 
> 
> Guys, this AVC should be fixed: 
> USER_AVC pid=917 uid=81 auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  {
> send_msg } for msgtype=method_return dest=:1.468 spid=2327 tpid=2324
> scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0
> tclass=dbus permissive=0
> 
> Thanks,
> Lukas.

I'm not able to reproduce this on a F29 machine with SELinux in enforcing mode. I've a TPM2 device but both fwupd and tpm2-abrmd services are running correctly:

$ sudo systemctl status fwupd
[sudo] password for javier: 
Sorry, try again.
[sudo] password for javier: 
● fwupd.service - Firmware update daemon
   Loaded: loaded (/usr/lib/systemd/system/fwupd.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2019-02-26 10:05:18 CET; 10min ago
     Docs: https://fwupd.org/
 Main PID: 19252 (fwupd)
    Tasks: 5 (limit: 4915)
   Memory: 13.8M
   CGroup: /system.slice/fwupd.service
           └─19252 /usr/libexec/fwupd/fwupd

$ sudo systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
   Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-02-15 12:39:28 CET; 1 weeks 3 days ago
 Main PID: 2350 (tpm2-abrmd)
    Tasks: 6 (limit: 4915)
   Memory: 1.3M
   CGroup: /system.slice/tpm2-abrmd.service
           └─2350 /usr/sbin/tpm2-abrmd

Feb 15 12:39:28 minerva systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Feb 15 12:39:28 minerva systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.

$ rpm -qa fwupd
fwupd-1.2.3-1.fc29.x86_64

$ rpm -qa tpm2-abrmd
tpm2-abrmd-2.0.3-2.fc29.x86_64

But did I understand correctly that the problem is that fwupd isn't able to send D-Bus messages to tpm2-abrmd?

So I guess we need to add the following to the tpm2-abrmd SELinux policy: 

--- a/selinux/tabrmd.te
+++ b/selinux/tabrmd.te
@@ -18,5 +18,6 @@ optional_policy(`
     dbus_stub()
     dbus_system_domain(tabrmd_t, tabrmd_exec_t)
     allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
+    fwupd_dbus_chat(tabrmd_t)
 ')
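
Review bot: fwupd_dbus_chat(tabrmd_t) is added inside the same optional_policy block as dbus_stub() and dbus_system_domain(tabrmd_t, tabrmd_exec_t), and an optional block is disabled as a unit when a type it requires is not defined in the loaded policy. On a system without the fwupd policy module that would also drop the D-Bus system domain setup for tabrmd_t. Suggest putting the new line in its own optional_policy block, nested or separate, so that only the fwupd rule depends on fwupd being present. A short comment in tabrmd.te naming the denial it addresses (send_msg from tabrmd_t to fwupd_t, tclass=dbus) would also help later readers.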

Best regards,
Javier

Comment 11 Richard Hughes 2019-02-26 14:01:29 UTC
Workaround which is probably sensible anyway: https://github.com/hughsie/fwupd/pull/1048

Comment 12 Lukas Vrabec 2019-02-27 09:35:37 UTC
Confirming fix from comment#10

Comment 13 Fedora Update System 2019-03-08 13:08:01 UTC
tpm2-abrmd-selinux-2.0.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c91e7e82d8

Comment 14 Fedora Update System 2019-03-08 22:40:51 UTC
tpm2-abrmd-selinux-2.0.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c91e7e82d8

Comment 15 Fedora Update System 2019-03-11 22:41:32 UTC
tpm2-abrmd-selinux-2.0.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.