Bug 859614
Summary: | [abrt] systemd-analyze-191-2.fc18: connection.py:651:call_blocking:DBusException: org.freedesktop.DBus.Error.Failed: Resource temporarily unavailable
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Version: | 18
Hardware: | x86_64
OS: | Unspecified
Reporter: | drago01
Assignee: | systemd-maint
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | awilliam, bruno, bugzilla, cfergeau, dominick.grift, dwalsh, elad, erat.simon, hdegoede, jmontleo, johannbg, kparal, lnykryn, lpoetter, metherid, mgrepl, mishu, msekleta, notting, plautrba, rdieter, robatino, systemd-maint, twaugh, vpavlin
Keywords: | Reopened
Whiteboard: | abrt_hash:adb7b7128083666e2b51f4df784886aac8b4f8fe
Doc Type: | Bug Fix
Last Closed: | 2012-12-20 16:10:34 UTC
Description
drago01
2012-09-22 12:34:38 UTC
Created attachment 615787 [details]
File: core_backtrace

try it with enforcing=0, there's known issues between new systemd and selinux-policy ATM.

(In reply to comment #2)
> try it with enforcing=0, there's known issues between new systemd and
> selinux-policy ATM.

Yes works fine with emforcing=0 .. moving to selinux-policy

(In reply to comment #3)
> (In reply to comment #2)
> > try it with enforcing=0, there's known issues between new systemd and
> > selinux-policy ATM.
>
> Yes works fine with emforcing=0 .. moving to selinux-policy

e*n*forcing=0

What does

# ausearch -m user_avc

Can you try with the selinux-policy build that was just added to the update:

selinux-policy-3.11.1-23.fc18

and see if it works okay with that?

(In reply to comment #6)
> Can you try with the selinux-policy build that was just added to the update:
>
> selinux-policy-3.11.1-23.fc18
>
> and see if it works okay with that?

No it does not.

Created attachment 616678 [details]
ausearch -m user_avc output
@Miroslav: Here is the output of ausearch -m user_avc

*** Bug 859854 has been marked as a duplicate of this bug. ***

*** Bug 859860 has been marked as a duplicate of this bug. ***

I can confirm that setting selinux to permissive fixes:
859854 - No more text-mode login / virtual consoles after upd. to 191
859860 - Selecting poweroff results in logout rather than poweroff

Upgrading selinux policy to 3.11.1-23.fc18, does not fix these! They are still broken when selinux is in enforcing mode.

Strangely enough I'm not seeing any (related) AVC messages in audit.log. Are dbus selinux denials logged somewhere else?

I am just building

selinux-policy-3.11.1-24.fc18

Could you test this policy then? Thank you.

(In reply to comment #12)
> I am just building
>
> selinux-policy-3.11.1-24.fc18
>
> Could you test this policy then? Thank you.

Unfortunately it still does not. I can reproduce both bugs with it (lack of VTs and the "org.freedesktop.DBus.Error.Failed: Resource temporarily unavailable" one). I did rebuild the initrd after updating but this did not help either.

I also sent an updated patch to systemd to fix other problems.

Created attachment 617221 [details]
This patch and the updated policy should fix the communications problems with systemd

*** Bug 860786 has been marked as a duplicate of this bug. ***

*** Bug 862387 has been marked as a duplicate of this bug. ***

*** Bug 862585 has been marked as a duplicate of this bug. ***

Discussed at 2012-10-03 blocker review meeting: http://meetbot.fedoraproject.org/fedora-qa/2012-10-03/f18-beta-blocker-review-2.2012-10-03-16.00.log.txt . This would theoretically count as a Beta blocker, but the broken systemd is not in fact in the 'stable' repository and being used for composes, it is only in updates-testing, so our Beta composes are not affected by this. We agreed to 'executive un-propose' the bug rather than rejecting it: it's still potentially possible that someone could fuck up and pull a systemd 190+ build into a compose without the fix for this issue, then it would have to be a blocker. So we're taking it off the list for now, but it should be re-added if systemd is pushed to stable or pulled into a Beta compose without a fix for this issue.

glibc-2.16-17.fc18, rtkit-0.11-3.fc18, systemd-193-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2012-14581/rtkit-0.11-3.fc18,systemd-193-1.fc18,glibc-2.16-17.fc18

Lennart, Dan, the latest selinux-policy which has actually been submitted as an update is selinux-policy-3.11.1-25.fc18 . Is that new enough to be working properly? There are builds up to -32 in koji, but nothing beyond -25 has been submitted to bodhi. If anything post -25 is needed for systemd to work properly, please submit a new enough build as an update *ASAP*, or Beta composes will start breaking.

Still had problems with the packages from Comment #20, but with selinux-policy-3.11.1-32.fc18 from Koji, things seem to work.

*** Bug 862821 has been marked as a duplicate of this bug. ***

owen: you need systemd-194, not 193 (194 is what was eventually pushed stable). we haven't nailed down precisely what selinux-policy is the minimum good build, but for systemd you definitely need 194, nothing earlier.

This is *not* fixed:

--------------
ERROR:dbus.proxies:Introspect error on :1.2:/org/freedesktop/systemd1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 307, in <module>
    time()
  File "/usr/bin/systemd-analyze", line 91, in time
    initrd_time, start_time, finish_time = acquire_start_time()
  File "/usr/bin/systemd-analyze", line 34, in acquire_start_time
    initrd_time = int(properties.Get('org.freedesktop.systemd1.Manager', 'InitRDTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
--------------

systemd-194-1.fc18.x86_64
selinux-policy-3.11.1-32.fc18.noarch

----
time->Mon Oct 8 00:43:17 2012
type=USER_AVC msg=audit(1349649797.648:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=1000 gid=1000 cmdline="/usr/bin/python /usr/bin/systemd-analyze" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Oct 8 00:43:17 2012
type=USER_AVC msg=audit(1349649797.650:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=1000 gid=1000 cmdline="/usr/bin/python /usr/bin/systemd-analyze" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Ok we can add this, but does dbus actually launch

/usr/bin/python /usr/bin/systemd-analyze

rather than just /usr/bin/systemd-analyze

Fixed in selinux-policy-3.11.1-33.fc18.noarch

selinux-policy-3.11.1-36.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-36.fc18

(In reply to comment #27)
> Fixed in selinux-policy-3.11.1-33.fc18.noarch

Only partly fixed. Running "systemd-analyze" works. Running "systemd-analyze blame" explodes:

ERROR:dbus.proxies:Introspect error on :1.0:/org/freedesktop/systemd1/unit/netconsole_2eservice: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 309, in <module>
    verb.get(args[0], unknown_verb)()
  File "/usr/bin/systemd-analyze", line 108, in blame
    data = acquire_time_data()
  File "/usr/bin/systemd-analyze", line 22, in acquire_time_data
    ixt = int(properties.Get('org.freedesktop.systemd1.Unit', 'InactiveExitTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.

-----
time->Thu Oct 11 11:38:03 2012
type=USER_AVC msg=audit(1349948283.350:315): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/etc/rc.d/init.d/netconsole" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

(I have tested with -36).

bash-completion for systemctl also does not work:

----
time->Thu Oct 11 12:24:24 2012
type=USER_AVC msg=audit(1349951064.230:365): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/dev/null" cmdline="systemctl --full --no-legend show --property CanStart -- proc-sys-fs-binfmt_misc.automount -.mount boot.mount dev-hugepages.mount dev-mqueue.mount proc-sys-fs-binfmt_misc.mount run-user-1000-gvfs.mount sys-fs-fuse-connections.mount sys-kernel-config.mount sys-kernel-debug.mount tmp.mount systemd-ask-password-console.path systemd-ask-password-plymouth.path systemd-ask-password-wall.path abrt-ccpp.service abrt-oops.service abrt-vmcore.service abrt-xorg.service abrtd.service accounts-daemon.service acpid.service alsa-restore.service alsa-store.service arp-ethers.service atd.service auditd.service avahi-daemon.service bluetooth.service ceph.service colord-sane.service colord.service crond.service dbus.service dm-event.service dracut-shutdown.service ebtables.service emergency.service fedora-autorelabel-mark.service fedora-autorelabel.service fedora-configure.service fedora-import-state.service fedora-loadmodules.service fedora-readonly. '

Package selinux-policy-3.11.1-36.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-36.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15934/selinux-policy-3.11.1-36.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-36.fc18.noarch

[root@f18v ~]# ausearch -m user_avc
time->Sun Oct 14 17:03:29 2012
type=USER_AVC msg=audit(1350255809.098:301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/rc.d/init.d/network" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

*** Bug 864784 has been marked as a duplicate of this bug. ***

#============= system_dbusd_t ==============
#!!!! This avc is allowed in the current policy

allow system_dbusd_t initrc_exec_t:service status;


Fixed in selinux-policy-3.11.1-36.fc18

(In reply to comment #35)
> #============= system_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t initrc_exec_t:service status;
>
>
> Fixed in selinux-policy-3.11.1-36.fc18

As I wrote in comment 29 and comment 30 the bug happens with -36 here.
Also the avc is different from the one that is fixed in your comment:

----------------------------
time->Thu Oct 11 12:24:24 2012
type=USER_AVC msg=audit(1349951064.230:365): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/dev/null" cmdline="systemctl --full --no-legend show --property CanStart -- proc-sys-fs-binfmt_misc.automount -.mount boot.mount dev-hugepages.mount dev-mqueue.mount proc-sys-fs-binfmt_misc.mount run-user-1000-gvfs.mount sys-fs-fuse-connections.mount sys-kernel-config.mount sys-kernel-debug.mount tmp.mount systemd-ask-password-console.path systemd-ask-password-plymouth.path systemd-ask-password-wall.path abrt-ccpp.service abrt-oops.service abrt-vmcore.service abrt-xorg.service abrtd.service accounts-daemon.service acpid.service alsa-restore.service alsa-store.service arp-ethers.service atd.service auditd.service avahi-daemon.service bluetooth.service ceph.service colord-sane.service colord.service crond.service dbus.service dm-event.service dracut-shutdown.service ebtables.service emergency.service fedora-autorelabel-mark.service fedora-autorelabel.service fedora-configure.service fedora-import-state.service fedora-loadmodules.service fedora-readonly. '
------------------------------

(In reply to comment #36)
> (In reply to comment #35)
> > #============= system_dbusd_t ==============
> > #!!!! This avc is allowed in the current policy
> >
> > allow system_dbusd_t initrc_exec_t:service status;
> >
> >
> > Fixed in selinux-policy-3.11.1-36.fc18
>
> As I wrote in comment 29 and comment 30 the bug happens with -36 here.

And comment 31 (sorry mixed them up). Both definitely happen with -36.

[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.11.1-36.fc18.noarch
[root@localhost ~]# systemd-analyze blame
ERROR:dbus.proxies:Introspect error on :1.2:/org/freedesktop/systemd1/unit/netconsole_2eservice: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 309, in <module>
    verb.get(args[0], unknown_verb)()
  File "/usr/bin/systemd-analyze", line 108, in blame
    data = acquire_time_data()
  File "/usr/bin/systemd-analyze", line 22, in acquire_time_data
    ixt = int(properties.Get('org.freedesktop.systemd1.Unit', 'InactiveExitTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.

The other one can be reproduced by systemctl start d<tab>

I apologize. I wanted to write

"Fixed in selinux-policy-3.11.1-38.fc18"

You can download this release from koji for now.

http://koji.fedoraproject.org/koji/buildinfo?buildID=359788

(In reply to comment #39)
> I apologize. I wanted to write
>
> "Fixed in selinux-policy-3.11.1-38.fc18"
>
> You can download this release from koji for now.
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=359788

Still seeing this avc:

time->Mon Oct 15 10:54:04 2012
type=USER_AVC msg=audit(1350291244.605:322): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?

and

time->Mon Oct 15 10:56:08 2012
type=USER_AVC msg=audit(1350291368.163:330): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=1023692192 path="/dev/null" cmdline="systemctl --full --no-legend show --property CanStart -- proc-sys-fs-binfmt_misc.mount sys-fs-fuse-connections.mount systemd-ask-password-console.path alsa-restore.service alsa-store.service arp-ethers.service ceph.service dm-event.service dracut-shutdown.service ebtables.service emergency.service fedora-autorelabel-mark.service fedora-autorelabel.service fedora-configure.service fedora-import-state.service fedora-loadmodules.service fedora-storage-init-late.service fedora-wait-storage.service getty initrd-switch-root.service ip6tables.service iptables.service libvirtd.service lvm2-lvmetad.service mdmonitor.service netconsole.service network.service NetworkManager-wait-online.service pcscd.service plymouth-quit-wait.service plymouth-quit.service plymouth-read-write.service plymouth-start.service plymouth-switch-root.service prefdm.service rc-local.service remount-rootfs.service rescue.service rpcbind.service sssd. '

With -38.

Ok, this is different.

*** Bug 866159 has been marked as a duplicate of this bug. ***

*** Bug 864720 has been marked as a duplicate of this bug. ***

After applying:
selinux-policy-3.11.1-38.fc18.noarch
selinux-policy-targeted-3.11.1-38.fc18.noarch
And setting autorelabel=1, after the 2nd boot, "systemd-analyze blame" is working for me.

(In reply to comment #44)
> After applying:
> selinux-policy-3.11.1-38.fc18.noarch
> selinux-policy-targeted-3.11.1-38.fc18.noarch
> And setting autorelabel=1, after the 2nd boot, "systemd-analyze blame" is
> working for me.

Can't confirm this. Even with -41 a relabel does not fix anything.

@Miroslav any update on this? The avc is still the same ...

Still also having this problem in the following config:

Fedora-18-Beta-TC5-x86_64-Live-Desktop.iso
btrfs volume (boot, root, home on subvols)
anaconda 18.19-1 for the install (same as TC6)
selinux-policy-3.11.1-36.fc18.noarch

I'm weirdly unable to get -41 from koji:
[root@f18v ~]# koji download-build --arch=x86_64 --arch=no-arch 361286
No x86_64 or no-arch packages available for selinux-policy-3.11.1-41.fc18

(In reply to comment #46)
> Still also having this problem in the following config:
>
> Fedora-18-Beta-TC5-x86_64-Live-Desktop.iso
> btrfs volume (boot, root, home on subvols)
> anaconda 18.19-1 for the install (same as TC6)
> selinux-policy-3.11.1-36.fc18.noarch
>
> I'm weirdly unable to get -41 from koji:
> [root@f18v ~]# koji download-build --arch=x86_64 --arch=no-arch 361286
> No x86_64 or no-arch packages available for selinux-policy-3.11.1-41.fc18

1) Don't run things that don't need root with root privileges :)
2) it's noarch, not no-arch

(In reply to comment #47)
> 1) Don't run things that don't need root with root privileges :)

Infrastructure install in a VM only for testing. Not worth it to create any other users.

> 2) it's noarch, not no-arch

Lovely user error on that one. With -41 installed, no reboot, no relabel, the problem is resolved: systemd-analyze blame works as expected.

Switching to modify.

selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Still does not work with 46 ...

time->Fri Oct 26 21:37:24 2012
type=USER_AVC msg=audit(1351280244.831:311): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

bash-completion works so there is at least some progress.

Miroslav did you try to reproduce it? It is very straightforward to reproduce: just type "systemd-analyze blame" in a terminal.

I believe you are seeing a separate bug here, since this indicates that dbus is attempting to list status on /dev/null. The current systemd is broken, in that it is not getting the remote end of the connection. systemd is supposed to be checking against unconfined_t which would be allowed.

What version of systemd are you using?

(In reply to comment #54)
> I believe you are seeing a separate bug here, since this indicates that dbus
> is attempting to list status on /dev/null. The current systemd is broken,
> in that it is not getting the remote end of the connection. systemd is
> supposed to be checking against unconfined_t which would be allowed.
>
> What version of systemd are you using?

systemd-194-1.fc18.x86_64

Bug is not reproducible with this combination.

systemd-195-1.fc18.x86_64
systemd-analyze-195-1.fc18.x86_64
selinux-policy-3.11.1-36.fc18.noarch

Not with that combination, substituting selinux-policy-3.11.1-43

Not with that combination, substituting selinux-policy-3.11.1-46

I can confirm that updating to systemd-195-4 fixes it.

selinux-policy-3.11.1-36.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
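
The USER_AVC records pasted in this thread share the same source type and permission but differ in target type and class (init_t:system, initrc_exec_t:service, null_device_t:service), so a rule that covers one does not cover the others. The Python below is an added example, not part of the bug report or of any Fedora tool: it parses such records, renders audit2allow-style rules, and lists the denials that a given rule set leaves uncovered. Function names are hypothetical, the sample records are copied from the thread, and matching literal allow rules is a simplification that ignores policy attributes and macros.

```python
import re

# Three USER_AVC records copied from the ausearch output quoted in this thread.
SAMPLE = """\
type=USER_AVC msg=audit(1349649797.648:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=1000 gid=1000 cmdline="/usr/bin/python /usr/bin/systemd-analyze" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1349948283.350:315): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/etc/rc.d/init.d/netconsole" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1351280244.831:311): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="/usr/bin/python /usr/bin/systemd-analyze blame" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{?([^;}]*)\}?\s*;")


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_user_avc(text):
    """Return one dict per denied USER_AVC record found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC.search(line) if "type=USER_AVC" in line else None
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        denials.append({
            "source": se_type(fields["scontext"]),
            "target": se_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": frozenset(m.group(1).split()),
            "path": fields.get("path"),        # absent on the init_t:system record
            "cmdline": fields.get("cmdline"),
        })
    return denials


def allow_rules(denials):
    """Render denials as sorted, de-duplicated audit2allow-style rules."""
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged[key] = merged.get(key, frozenset()) | d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def still_denied(denials, policy_rules):
    """Return the denials that none of the literal allow rules would permit."""
    granted = {}
    for rule in policy_rules:
        m = ALLOW.search(rule)
        if m:
            key = m.group(1, 2, 3)
            granted[key] = granted.get(key, set()) | set(m.group(4).split())
    return [d for d in denials
            if not d["perms"] <= granted.get((d["source"], d["target"], d["tclass"]), set())]


if __name__ == "__main__":
    found = parse_user_avc(SAMPLE)
    print("\n".join(allow_rules(found)))
    # The rule quoted in the thread as already allowed in the current policy.
    for d in still_denied(found, ["allow system_dbusd_t initrc_exec_t:service status;"]):
        print("not covered:", d["target"], d["tclass"], d["path"], d["cmdline"])
```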