Bug 2100528 - %systemd_user_postun_with_restart spews errors and doesn't work
Summary: %systemd_user_postun_with_restart spews errors and doesn't work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2106722
Depends On:
Blocks:
Reported: 2022-06-23 15:47 UTC by Maxwell G
Modified: 2022-10-02 02:43 UTC (History)
CC: 21 users

Fixed In Version: selinux-policy-35.19-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-02 02:43:04 UTC
Type: Bug
Embargoed:


Attachments
Journalctl Log (7.69 KB, text/plain)
2022-06-23 17:36 UTC, Maxwell G
ausearch output without dontaudit (6.01 KB, text/plain)
2022-06-23 20:31 UTC, Maxwell G


Links
Github fedora-selinux/selinux-policy pull 1272 (open): Support using systemd-update-helper in rpm scriptlets; last updated 2022-07-09 16:04:02 UTC

Description Maxwell G 2022-06-23 15:47:06 UTC
Description of problem:
%systemd_user_postun_with_restart spews errors and doesn't work

Version-Release number of selected component (if applicable):
systemd-rpm-macros-249.12-5.fc35.noarch

How reproducible:
Always

Steps to Reproduce:
See https://paste.sr.ht/~gotmax23/4c65f75a120cb8563eac191a48d5df92bba7429c for the steps to reproduce.

Actual results:
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on syncthing.service: Transport endpoint is not connected

Service doesn't restart

Expected results:

The service should restart and the macro shouldn't print a bunch of error messages.

Additional info:

There were similar issues with this macro in the past:

https://bugzilla.redhat.com/show_bug.cgi?id=2020374
https://bugzilla.redhat.com/show_bug.cgi?id=2020415

Comment 1 Zbigniew Jędrzejewski-Szmek 2022-06-23 16:11:40 UTC
Please don't use pastebins for bug reports: those pages are dropped after some time, and then
the bug report will be completely useless.

I suppose this could be related to selinux. Can you attach the output from 'journalctl -b' from
around the upgrade?

Comment 2 Maxwell G 2022-06-23 17:35:16 UTC
> Please don't use pastebins for bug reports: those pages are dropped after some time, and then
> the bug report will be completely useless.

I purposely used a pastebin that doesn't delete anything :). I don't like that either.

> I suppose this could be related to selinux. 

Yes, it works fine when selinux is set to Permissive.

> Can you attach the output from 'journalctl -b' from
> around the upgrade?

Sure.

Comment 3 Maxwell G 2022-06-23 17:36:12 UTC
Created attachment 1892237
Journalctl Log

Comment 4 Zbigniew Jędrzejewski-Szmek 2022-06-23 19:06:37 UTC
Unfortunately I don't see any avcs in the log. But anyway, if it works with Permissive, it's 
a question of a policy update.

Comment 5 Milos Malik 2022-06-23 19:34:57 UTC
It's possible that certain SELinux denials are hidden. The following command removes the dontaudit rules from active policy:

# semodule -DB

Re-run the Steps to Reproduce.

Please collect the SELinux denials that appeared in the last 10 minutes:

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Attach them here.

Thank you.

Comment 6 Milos Malik 2022-06-23 19:36:17 UTC
The following command returns the dontaudit rules back to active policy:

# semodule -B

Comment 7 Maxwell G 2022-06-23 20:31:58 UTC
Created attachment 1892300
ausearch output without dontaudit

Comment 8 Maxwell G 2022-06-23 20:33:57 UTC
> It's possible that certain SELinux denials are hidden.

Yes, that seems to be the case. I was surprised to see no denials in the audit log when I first checked.

Comment 9 Milos Malik 2022-06-23 21:23:28 UTC
Relevant part of https://paste.sr.ht/~gotmax23/4c65f75a120cb8563eac191a48d5df92bba7429c

  Running scriptlet: syncthing-1.20.2-1.fc35.x86_64                                                             2/2 
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on syncthing.service: Transport endpoint is not connected

Above-mentioned error messages indicate that the following SELinux denials can cause the problem:

----
type=AVC msg=audit(06/23/2022 15:31:28.730:2712) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2405808] dev="sockfs" ino=2405808 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=AVC msg=audit(06/23/2022 15:31:28.740:2713) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2407739] dev="sockfs" ino=2407739 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----

Here is a policy module which can solve the problem:

# cat testpolicy.cil
( allow system_dbusd_t rpm_script_t ( unix_stream_socket ( read write )))
# semodule -i testpolicy.cil
#

Let me know if the situation improved.

To remove the policy module, please use the following command:

# semodule -r testpolicy

Comment 10 Maxwell G 2022-06-23 23:01:48 UTC
I was able to get it to work with

$ cat testpolicy.cil                                                                          
( allow system_dbusd_t rpm_script_t ( unix_stream_socket ( read write )))
( allow init_t rpm_script_t ( unix_stream_socket ( read write )))
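The step Milos Malik performed by hand in comment 9, and Maxwell G extended in comment 10, is to read the scontext, tcontext, tclass and permission set out of each AVC record and write the matching CIL allow statement. The following script is an added example for this thread, not code from selinux-policy or from either commenter; it embeds the two AVC records quoted in comment 9 as sample input and reproduces, in plain Python, the merging that audit2allow does. The regular expression assumes the `ausearch -i` record layout shown on the page (`avc: denied { perms } ... scontext=... tcontext=... tclass=...`).

```python
"""Derive CIL allow rules from SELinux AVC denial records (ausearch -i format).

Added example for bug 2100528; it is not part of selinux-policy or of any
comment in the thread. It does by hand what audit2allow does: parse each
denial's source type, target type, object class and permissions, merge
records that differ only in permissions, and print one `( allow ... )` per
(source, target, class) triple.
"""
import re
from collections import defaultdict

# The two AVC records quoted in comment 9, embedded here as sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(06/23/2022 15:31:28.730:2712) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2405808] dev="sockfs" ino=2405808 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(06/23/2022 15:31:28.740:2713) : avc:  denied  { read write } for  pid=871 comm=dbus-broker path=socket:[2407739] dev="sockfs" ino=2407739 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

# Matches the fields of a "denied" record; "granted" records and other
# audit types are deliberately ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, set_of_perms) for every AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        )


def to_cil(text):
    """Merge denials sharing (source, target, class) and return CIL allow rules."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"( allow {src} {tgt} ( {cls} ( {' '.join(sorted(perms))} )))")
    return rules


if __name__ == "__main__":
    # For the sample input this prints the rule from comment 9:
    # ( allow system_dbusd_t rpm_script_t ( unix_stream_socket ( read write )))
    for rule in to_cil(SAMPLE_AVCS):
        print(rule)
```

Run it against the output of `ausearch -m avc -m user_avc -m selinux_err -i -ts recent` (as in comment 5) to get a first draft of a local module. The draft covers only the denials that were actually logged: comment 10 shows that a second rule for init_t was still needed, and that denial is not among the records quoted in comment 9, so a `semodule -DB` run and a re-test after each iteration are what tell you the rule set is complete. Conversely, every generated rule widens the policy, so each one should be checked against what the scriptlet really needs before it is installed.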

Comment 11 Fabio Valentini 2022-07-08 08:53:14 UTC
This also affected the recent GNOME updates in F36:

(...)
  Cleanup          : gnome-remote-desktop-42.2-2.fc36.x86_64              33/50 
  Running scriptlet: gnome-remote-desktop-42.2-2.fc36.x86_64              33/50 
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on gnome-remote-desktop.service: Transport endpoint is not connected
(...)
  Cleanup          : tracker-3.3.1-1.fc36.x86_64                          45/50 
  Running scriptlet: tracker-3.3.1-1.fc36.x86_64                          45/50 
Failed to start transient service unit: Connection reset by peer
Failed to set unit properties on tracker-xdg-portal-3.service: Transport endpoint is not connected
(...)

Comment 12 Fabio Valentini 2022-07-13 11:34:04 UTC
*** Bug 2106722 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2022-09-16 09:00:51 UTC
FEDORA-2022-b6f216be9a has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a

Comment 14 Fedora Update System 2022-09-17 01:43:22 UTC
FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-b6f216be9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2022-10-02 02:43:04 UTC
FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.
