Description of problem: When booting graphical images on ARM initial-setup-graphical fails to run in enforcing. Version-Release number of selected component: initial-setup-0.3.21-3.fc21 Additional info: reporter: libreport-2.2.2 cmdline: python -m initial_setup executable: /usr/lib/python2.7/site-packages/initial_setup/__main__.py kernel: 3.16.0-0.rc1.git4.1.fc21.armv7hl runlevel: unknown type: Python uid: 0 Truncated backtrace: connection.py:651:call_blocking:DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. Traceback (most recent call last): File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main "__main__", fname, loader, pkg_name) File "/usr/lib/python2.7/runpy.py", line 72, in _run_code exec code in run_globals File "/usr/lib/python2.7/site-packages/initial_setup/__main__.py", line 104, in <module> ret = ui.run() File "/usr/lib/python2.7/site-packages/pyanaconda/ui/gui/__init__.py", line 408, in run self._currentAction.refresh() File "/usr/lib/python2.7/site-packages/pyanaconda/ui/gui/hubs/__init__.py", line 359, in refresh self._createBox() File "/usr/lib/python2.7/site-packages/initial_setup/gui/hubs/initial_setup_hub.py", line 24, in _createBox Hub._createBox(self) File "/usr/lib/python2.7/site-packages/pyanaconda/ui/gui/hubs/__init__.py", line 188, in _createBox spoke.initialize() File "/usr/lib/python2.7/site-packages/pyanaconda/ui/gui/spokes/network.py", line 1339, in initialize register_secret_agent(self) File "/usr/lib/python2.7/site-packages/pyanaconda/ui/gui/spokes/network.py", line 1288, in register_secret_agent proxy.Register("anaconda", dbus_interface=AGENT_MANAGER_IFACE) File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__ return self._proxy_method(*args, **keywords) File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__ **keywords) File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. Local variables in innermost frame: byte_arrays: False self: <dbus._dbus.SystemBus (system) at 0xb2cfc570> args: ('anaconda',) object_path: '/org/freedesktop/NetworkManager/AgentManager' signature: None bus_name: dbus.UTF8String(':1.12') get_args_opts: {'byte_arrays': False, 'utf8_strings': False} timeout: -1.0 kwargs: {} dbus_interface: 'org.freedesktop.NetworkManager.AgentManager' message: <dbus.lowlevel.MethodCallMessage path: /org/freedesktop/NetworkManager/AgentManager, iface: org.freedesktop.NetworkManager.AgentManager, member: Register dest: :1.12> method: 'Register'
Created attachment 911573 [details] File: backtrace
Created attachment 911574 [details] File: dso_list
Created attachment 911575 [details] File: environ
Looks like another bug/missing piece in selinux-policy. Reassigning.
Did you get any AVC messages?
Sorry for the delay, below are avc's seen when attempting to restart initial-setup-graphical type=USER_AVC msg=audit(1409071225.085:414): pid=523 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.login1.NoSessionForPID dest=:1.23 spid=521 tpid=1163 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1409071247.896:415): pid=523 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.24 spid=624 tpid=1184 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1409071272.926:416): pid=523 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.24 spid=624 tpid=1184 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=SERVICE_START msg=audit(1409071301.472:417): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=SERVICE_STOP msg=audit(1409071301.472:418): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
What does # ps -efZ | grep unconfined_service_t
[root@wandq ~]# ps -efZ | grep unconfined_service_t system_u:system_r:unconfined_service_t:s0 root 545 1 0 09:37 ? 00:00:00 /bin/xinit /bin/firstboot-windowmanager /bin/initial-setup -- /bin/Xorg :9 -ac -nolistenp system_u:system_r:unconfined_service_t:s0 root 558 545 1 09:37 tty2 00:00:00 /usr/libexec/Xorg.bin :9 -ac -nolisten tcp system_u:system_r:unconfined_service_t:s0 root 581 545 0 09:37 ? 00:00:00 /bin/sh /bin/firstboot-windowmanager /bin/initial-setup system_u:system_r:unconfined_service_t:s0 root 596 581 0 09:37 ? 00:00:00 /usr/bin/xfwm4 system_u:system_r:unconfined_service_t:s0 root 602 581 0 09:37 ? 00:00:00 /bin/sh /bin/initial-setup system_u:system_r:unconfined_service_t:s0 root 607 602 33 09:37 ? 00:00:24 python -m initial_setup system_u:system_r:unconfined_service_t:s0 root 654 1 0 09:37 ? 00:00:00 /bin/dbus-launch --autolaunch 117888b86b634f70846aeab356fe1690 --binary-syntax --close-sr system_u:system_r:unconfined_service_t:s0 root 662 1 0 09:37 ? 00:00:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session system_u:system_r:unconfined_service_t:s0 root 667 1 0 09:37 ? 00:00:00 /usr/lib/xfce4/xfconf/xfconfd system_u:system_r:unconfined_service_t:s0 root 1013 1 0 09:37 ? 00:00:00 /usr/libexec/at-spi-bus-launcher system_u:system_r:unconfined_service_t:s0 root 1017 1013 0 09:37 ? 00:00:00 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3 system_u:system_r:unconfined_service_t:s0 root 1021 1 0 09:37 ? 00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1063 1041 0 09:38 ttymxc0 00:00:00 grep --color=auto unconfined_service_t
Release Criteria - Expected image boot behavior: Release-blocking ARM disk images must boot to the initial-setup utility.
Discussed at 2014-08-27 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-08-27/f21-blocker-review.2014-08-27-15.59.log.txt . Accepted as a release blocker per criterion "Expected image boot behavior ... Release-blocking ARM disk images must boot to the initial-setup utility." , https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Expected_image_boot_behavior
So does it talk to system_u:system_r:unconfined_service_t:s0 root 581 545 0 09:37 ? 00:00:00 /bin/sh /bin/firstboot-windowmanager /bin/initial-setup I guess so. commit 4a4e7e79d480851a212ebf5f583c95b239440cb9 Author: Miroslav Grepl <mgrepl> Date: Thu Aug 28 15:24:37 2014 +0200 Labeli initial-setup as install_exec_t.
selinux-policy-3.13.1-77.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-77.fc21
Package selinux-policy-3.13.1-77.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-77.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9873/selinux-policy-3.13.1-77.fc21 then log in and leave karma (feedback).
Installed and relabeled, doesn't appear to have resolved the issue, avcs below: type=USER_AVC msg=audit(1409249826.957:383): pid=646 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=757 tpid=744 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1409249851.983:384): pid=646 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=757 tpid=744 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=SERVICE_START msg=audit(1409249881.119:385): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=SERVICE_STOP msg=audit(1409249881.119:386): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
33e4e46c9b3262601a3c1e35ab649451904d982a 20452f33ae53d0840c11bd912779a0d6a115b409 I have just added to git the ability to dbus chat with all dbus system domains. Which will fix this issue.
(In reply to Paul Whalen from comment #14) > Installed and relabeled, doesn't appear to have resolved the issue, avcs > below: > > type=USER_AVC msg=audit(1409249826.957:383): pid=646 uid=81 auid=4294967295 > ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 > msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 > spid=757 tpid=744 scontext=system_u:system_r:NetworkManager_t:s0 > tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > type=USER_AVC msg=audit(1409249851.983:384): pid=646 uid=81 auid=4294967295 > ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 > msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 > spid=757 tpid=744 scontext=system_u:system_r:NetworkManager_t:s0 > tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > type=SERVICE_START msg=audit(1409249881.119:385): pid=1 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? > addr=? terminal=? res=success' > type=SERVICE_STOP msg=audit(1409249881.119:386): pid=1 uid=0 auid=4294967295 > ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' > comm="initial-setup-graphical" exe="/usr/lib/systemd/systemd" hostname=? > addr=? terminal=? res=success' Ok, this is with installed system. I am still interested in # ps -efZ |grep unconfined_service output with your upgraded system.
selinux-policy-3.13.1-78.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-78.fc21
selinux-policy-3.13.1-78.fc21 fixes this on TC5. Many Thanks!
selinux-policy-3.13.1-78.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.