Bug 1921579
| Summary: | cannot boot: selinux blocks dbus-broker from starting | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | fattony4 |
| Component: | dbus-broker | Assignee: | Tom Gundersen <tgunders> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 33 | CC: | amigadave, caillon+fedoraproject, daherrma, gnome-sig, jbliznak, lpackham, lpoetter, mclasen, rhughes, rstrode, sandmann, tgunders, walters, yaneti |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-19 15:25:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
fattony4
2021-01-28 09:07:34 UTC
Meanwhile, I have reinstalled dbus-common dbus-daemon and upgraded the kernel, but I still cannot enable SElinux. In permissive I can boot - in enforced it is NOT possible.

The `dbus-broker-27` RPM in rawhide now improves this log-message and includes the file-path. Until then, can you check whether `/usr/share/dbus-1/contexts/dbus_contexts/` is accessible by the `dbus` user, and that you did not place any files in there which have restricted access-modifiers?

I cannot find that folder: `/usr/share/dbus-1/contexts/`

(In reply to fattony4 from comment #4)
> I cannot find that folder: `/usr/share/dbus-1/contexts/`

Ah, sorry, those are stored in the SELinux directory. This should be `/etc/selinux/targeted/contexts/dbus_contexts`. Alternatively, `find / -name "dbus_contexts"` should be able to locate it.

(I know that I did not place any files in there.)

About `/etc/selinux/targeted/contexts/dbus_contexts`: I could not log in as `dbus` user and check that way. Not sure the following output contains the answer to what you're looking for.

```
$ namei -l /etc/selinux/targeted/contexts/dbus_contexts
f: /etc/selinux/targeted/contexts/dbus_contexts
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root selinux
drwxr-xr-x root root targeted
drwxr-xr-x root root contexts
-rw-r--r-- root root dbus_contexts

$ stat /etc/selinux/targeted/contexts/dbus_contexts
  File: /etc/selinux/targeted/contexts/dbus_contexts
  Size: 195 Blocks: 8 IO Block: 4096 regular file
Device: 23h/35d Inode: 797311 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:default_context_t:s0
Access: 2021-02-18 17:59:34.086414561 +0100
Modify: 2021-01-15 11:23:04.000000000 +0100
Change: 2021-01-17 14:38:31.338905110 +0100
 Birth: 2021-01-17 14:38:31.338905110 +0100

$ ls -lZ /etc/selinux/targeted/contexts/dbus_contexts
-rw-r--r--. 1 root root system_u:object_r:default_context_t:s0 195 Jan 15 11:23 /etc/selinux/targeted/contexts/dbus_contexts

$ getfattr -m security.selinux -d /etc/selinux/targeted/contexts/dbus_contexts
# file: etc/selinux/targeted/contexts/dbus_contexts
security.selinux="system_u:object_r:default_context_t:s0"
```

If this is not useful, please tell me how to check.

I installed dbus-broker-27-2.fc35 from here: https://src.fedoraproject.org/rpms/dbus-broker

Here's the output from `journalctl -u dbus-broker.service`, with some comments added (##): https://pastebin.com/qfxzFUBU

Relevant line:

```
dbus-broker-launch[2130]: Access denied in /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf +1: /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf
```

It seems TeamViewer caused my problem! After uninstalling the package, I can enable SElinux again!

Thanks for your help.

(In reply to fattony4 from comment #7)
> I installed dbus-broker-27-2.fc35 from here:
> https://src.fedoraproject.org/rpms/dbus-broker
>
> Here's the output from `journalctl -u dbus-broker.service`, with some
> comments added (##): https://pastebin.com/qfxzFUBU
>
> Relevant line:
> dbus-broker-launch[2130]: Access denied in
> /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf +1:
> /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf
>
> It seems TeamViewer caused my problem! After uninstalling the package, I can
> enable SElinux again!
>
> Thanks for your help.

Thank you very much for confirming this! I assume TeamViewer was installed via a 3rd party repository? In that case, I will just close this. If this is actually part of Fedora, let me know and I will try to put the right people on CC.

Sorry for the delay, but I was tracking down some other bugs this week, and it took a few days. Thanks for the fast responses and trying the preliminary builds!

If there is anything left for me to do, please don't hesitate to re-open this!

No problem, thanks for your effort!

I installed the TeamViewer rpm from https://www.teamviewer.com/download/linux/ some time ago. It automatically adds a repository. I have tried to install it again, and it leads to the same error on boot.

Created a ticket on the TeamViewer community: https://community.teamviewer.com/English/discussion/111272/cannot-boot-with-teamviewer-installed-and-selinux-enabled/
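
The diagnosis walked through in this thread, as an added example that is not part of the bug report or of dbus-broker: a shell helper that extracts the denied file from `dbus-broker-launch` journal lines in the format quoted above, then shows that file's ownership, mode and SELinux label and compares the label with the policy default. The function names, the sample log text (timestamp and host name) and the reliance on GNU `stat` are assumptions; `matchpathcon` is used only if installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample log text below is constructed.

# Print each file named in an "Access denied in <path> +<line>:" message
# (message format as quoted in this thread from dbus-broker-launch).
denied_paths() {
    sed -n 's/^.*dbus-broker-launch\[[0-9]*]: Access denied in \(.*\) +[0-9][0-9]*:.*$/\1/p' | sort -u
}

# True if the file's mode grants read access to "other" (GNU stat assumed).
other_readable() {
    local mode
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 4 )) -ne 0 ]
}

# Show ownership, mode and SELinux label for the file and its parent
# directories, then compare the on-disk label with the policy default.
inspect_path() {
    local p=$1
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    namei -l "$p"
    ls -lZ "$p"
    other_readable "$p" || echo "not readable by others: $p"
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -V "$p" || true   # reports whether the label matches policy
    fi
}

# Constructed sample shaped like the line quoted in the thread. On an affected
# system, pipe in `journalctl -b -u dbus-broker.service` instead.
SAMPLE='Feb 18 17:59:30 host dbus-broker-launch[2130]: Access denied in /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf +1: /usr/share/dbus-1/system.d/com.teamviewer.TeamViewer.Daemon.conf
Feb 18 17:59:30 host systemd[1]: dbus-broker.service: Main process exited'

printf '%s\n' "$SAMPLE" | denied_paths | while IFS= read -r f; do
    inspect_path "$f" || true
done
```

Because the broker could only be started in permissive mode on the affected machine, run the inspection from a permissive boot.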