Bug 2100528
| Field | Value |
|---|---|
| Summary | %systemd_user_postun_with_restart spews errors and doesn't work |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 35 |
| Reporter | Maxwell G <maxwell> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | decathorpe, dwalsh, fedoraproject, filbranden, flepied, grepl.miroslav, gtirloni, lnykryn, lvrabec, mmalik, msekleta, omosnace, pkoncity, ryncsn, ssahani, s, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela |
| Keywords | Triaged |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-35.19-1.fc35 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2022-10-02 02:43:04 UTC |
Description
Maxwell G
2022-06-23 15:47:06 UTC
Please don't use pastebins for bug reports: those pages are dropped after some time, and then the bug report will be completely useless. I suppose this could be related to selinux. Can you attach the output from 'journalctl -b' from around the upgrade?

> Please don't use pastebins for bug reports: those pages are dropped after some time, and then the bug report will be completely useless.

I purposely used a pastebin that doesn't delete anything :). I don't like that either.

> I suppose this could be related to selinux.

Yes, it works fine when selinux is set to Permissive.

> Can you attach the output from 'journalctl -b' from around the upgrade?

Sure.

Created attachment 1892237 [details]
Journalctl Log

Unfortunately I don't see any avcs in the log. But anyway, if it works with Permissive, it's a question of a policy update.

It's possible that certain SELinux denials are hidden. The following command removes the dontaudit rules from active policy:

# semodule -DB

Re-run the Steps to Reproduce. Please collect the SELinux denials that appeared in the last 10 minutes:

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Attach them here. Thank you. The following command returns the dontaudit rules back to active policy:

# semodule -B

Created attachment 1892300 [details]
ausearch output without dontaudit

> It's possible that certain SELinux denials are hidden.

Yes, that seems to be the case. I was surprised to see no denials in the audit log when I first checked.

Relevant part of https://paste.sr.ht/~gotmax23/4c65f75a120cb8563eac191a48d5df92bba7429c

Running scriptlet: syncthing-1.20.2-1.fc35.x86_64 2/2
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on syncthing.service: Transport endpoint is not connected

Above-mentioned error messages indicate that the following SELinux denials can cause the problem:

----
type=AVC msg=audit(06/23/2022 15:31:28.730:2712) : avc: denied { read write } for pid=871 comm=dbus-broker path=socket:[2405808] dev="sockfs" ino=2405808 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=AVC msg=audit(06/23/2022 15:31:28.740:2713) : avc: denied { read write } for pid=871 comm=dbus-broker path=socket:[2407739] dev="sockfs" ino=2407739 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----

Here is a policy module which can solve the problem:

# cat testpolicy.cil
( allow system_dbusd_t rpm_script_t ( unix_stream_socket ( read write )))
# semodule -i testpolicy.cil
#

Let me know if the situation improved. To remove the policy module, please use the following command:

# semodule -r testpolicy

I was able to get it to work with

$ cat testpolicy.cil
( allow system_dbusd_t rpm_script_t ( unix_stream_socket ( read write )))
( allow init_t rpm_script_t ( unix_stream_socket ( read write )))

This also affected the recent GNOME updates in F36:

(...)
Cleanup : gnome-remote-desktop-42.2-2.fc36.x86_64 33/50
Running scriptlet: gnome-remote-desktop-42.2-2.fc36.x86_64 33/50
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on gnome-remote-desktop.service: Transport endpoint is not connected
(...)
Cleanup : tracker-3.3.1-1.fc36.x86_64 45/50
Running scriptlet: tracker-3.3.1-1.fc36.x86_64 45/50
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on tracker-xdg-portal-3.service: Transport endpoint is not connected
(...)

*** Bug 2106722 has been marked as a duplicate of this bug. ***

FEDORA-2022-b6f216be9a has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a

FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-b6f216be9a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 stable repository. If the problem still persists, please make note of it in this bug report.
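As an added example (not code from the bug report or from selinux-policy), the following script automates the step the thread does by hand: it reads AVC denials in `ausearch -i` form, drops the MLS/MCS range from the contexts, merges permissions per (source type, target type, class) and prints CIL allow rules in the layout used for testpolicy.cil above. The two denial lines are the ones quoted in the bug; the third line in the test is constructed.

```python
"""Turn SELinux AVC denials (as printed by `ausearch -i`) into CIL allow rules.

Added example, not part of the bug report. It reproduces what the maintainer
did in the thread: read the dbus-broker denials and emit the minimal
( allow ... ) statements for a testpolicy.cil module.
"""
import re
from collections import defaultdict

# Sample input: the two denials quoted in the bug, one per line, exactly as
# `ausearch -m avc -i` prints them (constructed copy, not a live capture).
SAMPLE_AVCS = """\
type=AVC msg=audit(06/23/2022 15:31:28.730:2712) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2405808] dev="sockfs" ino=2405808 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(06/23/2022 15:31:28.740:2713) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2407739] dev="sockfs" ino=2407739 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

# Fields we need from an "avc: denied { perms } ... scontext= tcontext= tclass=" line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s.*?tcontext=(?P<tcontext>\S+)\s.*?"
    r"tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type. CIL allow rules take the type only."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source type, target type, class, set of permissions) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:                      # skip non-AVC records (USER_AVC, SYSCALL, noise)
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def to_cil(text):
    """Merge denials by (source, target, class) and return one CIL rule per key."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return [f"( allow {s} {t} ( {c} ( {' '.join(sorted(p))} )))"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(to_cil(SAMPLE_AVCS)))   # prints the rule proposed in the thread
```

One pass is rarely the whole story: the module that finally worked in the thread also carries an init_t rule, so repeat the `semodule -DB`, reproduce, `ausearch` cycle until it comes back clean, and review each generated rule before loading it rather than installing the output unread.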