Bug 1473954 - blueman not allowed to setup bluetooth network
blueman not allowed to setup bluetooth network
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
27
All Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-22 13:47 EDT by Aleksandar Kostadinov
Modified: 2018-03-06 15:56 EST (History)
11 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-283.26.fc27
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-27 12:22:31 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ausearch -m USER_AVC,AVC -ts today (1.47 KB, text/plain)
2017-10-03 09:28 EDT, Aleksandar Kostadinov
no flags Details
ausearch -m USER_AVC,AVC -ts today (re comment 7) (2.56 KB, text/plain)
2017-10-03 13:42 EDT, Aleksandar Kostadinov
no flags Details
screenshot of error on XFCE startup (24.97 KB, image/png)
2018-01-05 16:17 EST, Aleksandar Kostadinov
no flags Details

  None (edit)
Description Aleksandar Kostadinov 2017-07-22 13:47:55 EDT
Description of problem:
g-io-error-quark: GDBus.Error:org.freedesktop.DBus.Python.GLib.Error: Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/lib/python3.6/site-packages/blueman/main/DbusService.py", line 38, in wrapper
    return method(*args[1:], **kwargs)
  File "/usr/lib/python3.6/site-packages/blueman/plugins/mechanism/Network.py", line 56, in ReloadNetwork
    self.confirm_authorization(caller, "org.blueman.network.setup")
  File "/usr/libexec/blueman-mechanism", line 166, in confirm_authorization
    action_id, {}, 1, "")
  File "/usr/lib64/python3.6/site-packages/gi/overrides/Gio.py", line 172, in __call__
    None)
GLib.GError: g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.67" (uid=0 pid=2407 comm="python3 /usr/libexec/blueman-mechanism " label="system_u:system_r:blueman_t:s0") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.9" (uid=995 pid=1113 comm="/usr/lib/polkit-1/polkitd --no-debug " label="system_u:system_r:policykit_t:s0") (9)
 (36)

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-260.1.fc26.noarch
blueman-2.1-0.5.alpha1.fc26.x86_64

How reproducible:
always

Steps to Reproduce:
1. type in terminal `blueman-report`

And error window appears with the error pasted under Description.
Comment 1 Raphael Groner 2017-09-01 13:06:58 EDT
Reproducible here after the upgrade to Fedora 26, never seen with Fedora 25.

selinux-policy-3.13.1-260.6.fc26.noarch
blueman-2.1-0.5.alpha1.fc26.x86_64

Output of blueman-report:

blueman: 2.1.alpha1
BlueZ: 5.46
Distribution: 
Desktop: X-Cinnamon
Comment 2 Raphael Groner 2017-09-02 05:50:28 EDT
The error seems to be related to Cinnamon's bluetooth service. If this service is disabled in autostart settings, we don't see the popup window with the mentioned message, after the login to a cinnamon session.
Comment 3 Aleksandar Kostadinov 2017-09-03 11:09:02 EDT
It should be policy for blueman. I'm on XFCE so not related to Cinnamon. Most likely, when you disable the service, blueman is just not started, thus error is gone. But to have BT working, we need it started.
Comment 4 Raphael Groner 2017-09-22 06:26:13 EDT
Did you try bluetoothctl?
https://gist.github.com/0/c73e2557d875446b9603
Comment 5 Lukas Vrabec 2017-10-03 06:35:11 EDT
Could you please reproduce the scenario and then attach output of:
# ausearch -m USER_AVC,AVC -ts today 

Thanks,
Lukas.
Comment 6 Aleksandar Kostadinov 2017-10-03 09:28 EDT
Created attachment 1333664 [details]
ausearch -m USER_AVC,AVC -ts today

Attached, thank you.
Comment 7 Lukas Vrabec 2017-10-03 10:26:44 EDT
Could you add local policy module and then reproduce the scenario? 

# cat blueman_local.cil 
(allow blueman_t policykit_t (dbus (send_msg)))

# semodule -i blueman_local.cil

Thanks,
Lukas.
Comment 8 Aleksandar Kostadinov 2017-10-03 13:42 EDT
Created attachment 1333841 [details]
ausearch -m USER_AVC,AVC -ts today (re comment 7)

This one helped to some degree. The initial error message is now gone.

Blueman takes some time to be launched with the new policy and it asks twice for policykit password prompt. I think it is related to networking because I had a message prompt after the second polkit password prompt of

> g-io-error-quark: Timeout was reached (24)

I also see more messages in the log you asked me to attach (which you can find above).

On the bright side I was able to connect my android phone as audio source which is great!
Comment 9 Petr Menšík 2018-01-05 10:48:17 EST
Hi, I have similar symptoms after upgrade from f25 to f27. Fix from comment #7 worked as described in comment #8.

Second passphrase was related to 

I checked journalctl, it might be related or not.

led 05 16:21:30 hostname blueman-mechani[2774]: gtk_icon_theme_get_for_screen: assertion 'GDK_IS_SCREEN (screen)' failed
led 05 16:21:30 hostname blueman.desktop[2528]: blueman-applet 16.21.30 WARNING  PluginManager:146 __load_plugin: Not loading PPPSupport because its conflict has higher priority
led 05 16:21:30 hostname blueman.desktop[2528]: blueman-applet 16.21.30 WARNING  PluginManager:146 __load_plugin: Not loading DhcpClient because its conflict has higher priority
led 05 16:21:30 hostname dbus-daemon[2000]: [session uid=100616 pid=2000] Activating via systemd: service name='org.bluez.obex' unit='dbus-org.bluez.obex.service' requested by ':1.78' (uid=100616 pid=2528 comm="python3 /usr/bin/blueman-applet " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
led 05 16:21:30 hostname dbus-daemon[2000]: [session uid=100616 pid=2000] Activation via systemd failed for unit 'dbus-org.bluez.obex.service': Unit dbus-org.bluez.obex.service not found.
led 05 16:21:30 hostname blueman.desktop[2528]: blueman-applet 16.21.30 ERROR    PluginManager:209 Run       : Function on_manager_state_changed on DiscvManager failed
led 05 16:21:30 hostname blueman.desktop[2528]: Traceback (most recent call last):
led 05 16:21:30 hostname blueman.desktop[2528]:   File "/usr/lib/python3.6/site-packages/blueman/main/PluginManager.py", line 206, in Run
led 05 16:21:30 hostname blueman.desktop[2528]:     ret = getattr(inst, func)(*args, **kwargs)
led 05 16:21:30 hostname blueman.desktop[2528]:   File "/usr/lib/python3.6/site-packages/blueman/plugins/applet/DiscvManager.py", line 47, in on_manager_state_changed
led 05 16:21:30 hostname blueman.desktop[2528]:     self.init_adapter()
led 05 16:21:30 hostname blueman.desktop[2528]:   File "/usr/lib/python3.6/site-packages/blueman/plugins/applet/DiscvManager.py", line 67, in init_adapter
led 05 16:21:30 hostname blueman.desktop[2528]:     self.adapter = self.parent.Manager.get_adapter()
led 05 16:21:30 hostname blueman.desktop[2528]:   File "/usr/lib/python3.6/site-packages/blueman/bluez/Manager.py", line 85, in get_adapter
led 05 16:21:30 hostname blueman.desktop[2528]:     raise DBusNoSuchAdapterError("No adapter(s) found")
led 05 16:21:30 hostname blueman.desktop[2528]: blueman.bluez.errors.DBusNoSuchAdapterError: No adapter(s) found
led 05 16:21:33 hostname audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
led 05 16:21:34 hostname audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-localed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
led 05 16:21:42 hostname gnome-shell[2086]: JS WARNING: [resource:///org/gnome/shell/ui/modalDialog.js 218]: reference to undefined property "GdkX11Screen"
led 05 16:21:42 hostname polkitd[1013]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.blueman.network.setup for system-bus-name::1.95 [python3 /usr/bin/blueman-applet] (owned by unix-user:pemensik)
led 05 16:21:42 hostname audit[930]: USER_AVC pid=930 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.98 spid=1013 tpid=2774 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:blueman_t:s0 tclass=dbus permissive=0
                                                   exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
led 05 16:21:42 hostname realmd[1522]: quitting realmd service after timeout
led 05 16:21:42 hostname realmd[1522]: stopping service
led 05 16:21:42 hostname audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=realmd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
led 05 16:21:55 hostname gnome-shell[2086]: The property brightness doesn't seem to be a normal object property of [0x55da53c24960 StWidget] or a registered special property
led 05 16:21:55 hostname gnome-shell[2086]: The property vignette_sharpness doesn't seem to be a normal object property of [0x55da53c24960 StWidget] or a registered special property
led 05 16:21:55 hostname blueman-applet[2528]: GtkDialog mapped without a transient parent. This is discouraged.
led 05 16:21:59 hostname polkitd[1013]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.blueman.rfkill.setstate for system-bus-name::1.95 [python3 /usr/bin/blueman-applet] (owned by unix-user:pemensik)
led 05 16:21:59 hostname audit[930]: USER_AVC pid=930 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.98 spid=1013 tpid=2774 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:blueman_t:s0 tclass=dbus permissive=0
                                                   exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
led 05 16:22:47 hostname dbus-daemon[2000]: [session uid=100616 pid=2000] Activating via systemd: service name='org.gnome.Terminal' unit='gnome-terminal-server.service' requested by ':1.104' (uid=100616 pid=3603 comm="gnome-terminal " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

Password requests might be related to blueman-mechanism.service. This is what I got from journalctl for it:
-- Reboot --
Jan 05 16:21:05 hostname systemd[1]: Starting Bluetooth management mechanism...
Jan 05 16:21:05 hostname blueman-mechanism[2774]: Unable to init server: Could not connect: Connection refused
Jan 05 16:21:05 hostname blueman-mechanism[2774]: Unable to init server: Nelze se připojit: Connection refused
Jan 05 16:21:05 hostname systemd[1]: Started Bluetooth management mechanism.
Jan 05 16:21:30 hostname blueman-mechani[2774]: gtk_icon_theme_get_for_screen: assertion 'GDK_IS_SCREEN (screen)' failed
Comment 10 Aleksandar Kostadinov 2018-01-05 16:17 EST
Created attachment 1377637 [details]
screenshot of error on XFCE startup
Comment 11 Fedora Update System 2018-02-20 06:16:30 EST
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2
Comment 12 Fedora Update System 2018-02-20 13:20:03 EST
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2
Comment 13 Fedora Update System 2018-02-27 12:22:31 EST
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Aleksandar Kostadinov 2018-03-06 15:56:03 EST
Just updated to latet version and now Exception is:

g-io-error-quark: Timeout was reached (24)

--

selinux-policy-3.13.1-283.26.fc27.noarch
blueman-2.1-0.8.alpha2.fc27.x86_64

Note You need to log in before you can comment on or make changes to this bug.