Description of problem:
I started GNOME from lightdm in F30. gnome-software started automatically in the background. ModemManager was denied sending messages to fwupd through dbus-daemon during the gnome-software startup. The first audit message of that denial was

type=USER_AVC msg=audit(1555809438.592:290): pid=738 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.463 spid=750 tpid=3100 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Some errors about fwupd occurred in the journal. The starting of fwupd timed out after 25 seconds. fwupd was started about 15 seconds later.

Apr 20 21:16:55 gnome-shell[2598]: GNOME Shell started at Sat Apr 20 2019 21:15:44 GMT-0400 (EDT)
Apr 20 21:17:04 gnome-software[2855]: plugin appstream took 50.9 seconds to do setup
Apr 20 21:17:04 gnome-software[2855]: enabled plugins: desktop-categories, fwupd, os-release, packagekit, packagekit-local, packagekit-offline, packagekit-proxy, packagekit-refresh, packagekit-upgrade, packagekit-url-to-app, shell-extensions, appstream, fedora-pkgdb-collections, desktop-menu-path, epiphany, flatpak, hardcoded-blacklist, hardcoded-featured, hardcoded-popular, modalias, packagekit-refine, rewrite-resource, odrs, packagekit-history, provenance, repos, systemd-updates, generic-updates, packagekit-refine-repos, provenance-license, icons, key-colors, key-colors-metadata
Apr 20 21:17:04 gnome-software[2855]: disabled plugins: dummy
Apr 20 21:17:05 dbus-daemon[738]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.354' (uid=1000 pid=2855 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Apr 20 21:17:05 systemd[1]: Starting Firmware update daemon...
Apr 20 21:17:18 audit[738]: USER_AVC pid=738 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.463 spid=750 tpid=3100 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Apr 20 21:17:30 dbus-daemon[738]: [system] Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Apr 20 21:17:30 gnome-software[2855]: can't reliably fixup error code 20 in domain g-dbus-error-quark
Apr 20 21:17:30 gnome-software[2855]: not GsPlugin error g-io-error-quark:24: Error calling StartServiceByName for org.freedesktop.fwupd: Timeout was reached
Apr 20 21:17:30 gnome-software[2855]: not handling error failed for action get-updates-historical: Error calling StartServiceByName for org.freedesktop.fwupd: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)
Apr 20 21:17:30 gnome-software[2855]: not handling error failed for action refresh: Error calling StartServiceByName for org.freedesktop.fwupd: Timeout was reached
Apr 20 21:17:30 PackageKit[2707]: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Apr 20 21:17:30 PackageKit[2707]: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Apr 20 21:17:36 gnome-shell[2598]: g_environ_setenv: assertion 'value != NULL' failed
Apr 20 21:17:37 PackageKit[2707]: refresh-cache transaction /33399_eadaccbe from uid 1000 finished with success after 6529ms
Apr 20 21:17:37 dbus-daemon[738]: [system] Activating via systemd: service name='org.freedesktop.Flatpak.SystemHelper' unit='flatpak-system-helper.service' requested by ':1.354' (uid=1000 pid=2855 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Apr 20 21:17:37 systemd[1]: Starting flatpak system helper...
Apr 20 21:17:37 dbus-daemon[738]: [system] Successfully activated service 'org.freedesktop.Flatpak.SystemHelper'
Apr 20 21:17:37 systemd[1]: Started flatpak system helper.
Apr 20 21:17:37 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=flatpak-system-helper comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 20 21:17:40 gnome-software[2855]: [93B blob data]
Apr 20 21:17:40 gnome-software[2855]: [93B blob data]
Apr 20 21:17:40 gnome-software[2855]: [86B blob data]
Apr 20 21:17:40 gnome-software[2855]: [86B blob data]
Apr 20 21:17:40 gnome-software[2855]: [86B blob data]
Apr 20 21:17:41 klauncher[3156]: Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
Apr 20 21:17:43 dbus-daemon[738]: [system] Activating via systemd: service name='org.freedesktop.bolt' unit='bolt.service' requested by ':1.471' (uid=0 pid=3100 comm="/usr/libexec/fwupd/fwupd " label="system_u:system_r:fwupd_t:s0")
Apr 20 21:17:43 systemd[1]: Starting Thunderbolt system service...
Apr 20 21:17:44 gnome-software[2855]: [99B blob data]
Apr 20 21:17:44 dbus-daemon[738]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.354' (uid=1000 pid=2855 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Apr 20 21:17:45 boltd[3167]: bolt 0.7 starting up.
Apr 20 21:17:45 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=bolt comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 20 21:17:45 boltd[3167]: config: loading user config
Apr 20 21:17:45 dbus-daemon[738]: [system] Successfully activated service 'org.freedesktop.bolt'
Apr 20 21:17:45 boltd[3167]: bouncer: initializing polkit
Apr 20 21:17:45 boltd[3167]: udev: initializing udev
Apr 20 21:17:45 boltd[3167]: store: loading domains
Apr 20 21:17:45 boltd[3167]: store: loading devices
Apr 20 21:17:45 boltd[3167]: power: force power support: no
Apr 20 21:17:45 boltd[3167]: udev: enumerating devices
Apr 20 21:17:45 systemd[1]: Started Thunderbolt system service.
Apr 20 21:17:45 dbus-daemon[738]: [system] Successfully activated service 'org.freedesktop.fwupd'
Apr 20 21:17:45 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fwupd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 20 21:17:45 systemd[1]: Started Firmware update daemon.

I'm using the targeted selinux-policy-3.14.3-31 in enforcing mode. The first time I saw these denials was on April 20 with that policy. I'm unsure if the denials are related to the selinux-policy-3.14.3-31 update or some change in ModemManager, gnome-software, or another package.

Version-Release number of selected component (if applicable):
ModemManager-0:1.10.0-1.fc30.i686
dbus-1:1.12.12-7.fc30.i686
gnome-software-0:3.32.1-2.fc30.i686
selinux-policy-0:3.14.3-31.fc30.noarch
fwupd-0:1.2.7-3.fc30.i686

How reproducible:
I got the send_msg denials from modemmanager to fwupd three times out of a few tries when starting GNOME and gnome-software.

Steps to Reproduce:
1. Boot F30 with ModemManager, dbus-daemon, and lightdm enabled and fwupd disabled
2. In lightdm, log in to GNOME on X
3. sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
4. journalctl -b
The following steps weren't needed for me but might be on another system if the denials aren't seen when GNOME and gnome-software start.
5. make sure that ModemManager and dbus-daemon are running and fwupd isn't running
6. start gnome-software
7. sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
8. journalctl -b

Actual results:
Denials of ModemManager sending messages to fwupd when gnome-software was started led to fwupd startup timing out after 25 seconds.

Expected results:
No denials of ModemManager sending messages to fwupd when gnome-software starts, and fwupd startup doesn't time out.

Additional info:
I allowed the send_msg action from ModemManager to fwupd by running

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts yesterday > ausearch_modemmanager_yesterday.txt
audit2allow -M my-modemmanager -i ausearch_modemmanager_yesterday.txt
sudo semodule -i my-modemmanager.pp

I didn't see any more denials when starting GNOME or gnome-software after adding that policy module which had the rule

allow modemmanager_t fwupd_t:dbus send_msg;
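Added example, not part of the original report and not code from audit2allow or selinux-policy: a small parser showing how the USER_AVC record quoted above maps onto the allow rule the reporter ended up with, so the rule can be read and reviewed before a module is loaded. The function names are hypothetical, and the two sample lines are copied from the journal excerpt in the report.

```python
import re

# Constructed sample: two journal lines copied from the report above.
SAMPLE_LOG = [
    "Apr 20 21:17:18 audit[738]: USER_AVC pid=738 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.463 "
    "spid=750 tpid=3100 scontext=system_u:system_r:modemmanager_t:s0 "
    "tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "Apr 20 21:17:30 dbus-daemon[738]: [system] Failed to activate service "
    "'org.freedesktop.fwupd': timed out (service_start_timeout=25000ms)",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denial(line):
    """Parse one AVC/USER_AVC denial; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # For USER_AVC, subj= is the enforcing daemon (dbus-daemon here);
    # scontext/tcontext are the sender and receiver of the D-Bus message.
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }

def candidate_rules(lines):
    """Collapse repeated denials into a sorted list of unique allow rules."""
    rules = set()
    for d in filter(None, map(parse_denial, lines)):
        perms = d["perms"]
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.add(f"allow {d['source']} {d['target']}:{d['tclass']} {p};")
    return sorted(rules)

print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The derived rule names modemmanager_t as the sender and fwupd_t as the receiver; system_dbusd_t in subj= only identifies dbus-daemon as the process that enforced and logged the decision.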
commit dcd78fcfb435d67fdf4fe53c312a0d5751adcac2 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 23 12:58:28 2019 +0200

    Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
selinux-policy-3.14.3-32.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-98603a3cde
selinux-policy-3.14.3-32.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.