Description of problem: When execute "ostree admin upgrade -r" which suppose to upgrade the system and reboot it afterwards I encounter the following error: ** (pkttyagent:1523): WARNING **: Unable to register authentication agent: Timeout was reached Error registering authentication agent: Timeout was reached (g-io-error-quark, 24) Failed to start reboot.target: Connection timed out error: Child process exited with code 1 Version-Release number of selected component (if applicable): Fedora-atomic Version: 22 both bare metal and raw disk deployed to VirtualBox How reproducible: -bash-4.3# ostree admin status * fedora-atomic 06a63ecfcf053d1625e9ddf406429eef3c7fe3ecccbe636a54b90175a5899e7d.0 Version: 22.17 origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/docker-host -bash-4.3# ostree admin upgrade -r 57 metadata, 390 content objects fetched; 128092 KiB transferred in 89 seconds Copying /etc changes: 25 modified, 0 removed, 41 added Transaction complete; bootconfig swap: yes deployment count change: 1 ** (pkttyagent:1523): WARNING **: Unable to register authentication agent: Timeout was reached Error registering authentication agent: Timeout was reached (g-io-error-quark, 24) Failed to start reboot.target: Connection timed out error: Child process exited with code 1 Actual results: Expected results: Expected to reboot the system after an upgrade. Additional info: Considering journal during the execution of the above command seems the reason for this error is SELinux. May 28 12:50:03 atomic-01.host kernel: SELinux: Context system_u:object_r:systemd_timedated_unit_file_t:s0 is not valid (left unmapped). May 28 12:51:50 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' May 28 12:52:15 atomic-01.host polkitd[672]: Registered Authentication Agent for unix-process:1521:32024 (system bus name :1.15 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' May 28 12:52:15 atomic-01.host audit[654]: <audit-1107> pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=672 tpid=1523 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' May 28 12:52:40 atomic-01.host polkitd[672]: Unregistered Authentication Agent for unix-process:1521:32024 (system bus name :1.15, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus) Once I switch SELinux to Permissive mode all works as expected.
Yeah, eventually we may need our own domain for this, but for now I'd suggest we just allow install_t these AVs.
commit 0b5f1956f684cd989d6b198c96d3f250954870bf Author: Miroslav Grepl <mgrepl> Date: Mon Jun 1 12:37:01 2015 +0200 Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. BZ(1225920)
When can we expect selinux-policy-3.13.1-127.fc22 to be added to Fedora-atomic? Thanks for the assistance!
selinux-policy-3.13.1-128.1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.1.fc22
Package selinux-policy-3.13.1-128.1.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.1.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-9714/selinux-policy-3.13.1-128.1.fc22 then log in and leave karma (feedback).
selinux-policy-3.13.1-128.1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.