Description of problem: After upgrading from f38 to f39, polkit stopped working: # journalctl -r -b | grep polkit.service Nov 09 09:48:57 lewis systemd[1]: Starting polkit.service - Authorization Manager... Nov 09 09:48:57 lewis systemd[1]: Failed to start polkit.service - Authorization Manager. Nov 09 09:48:57 lewis systemd[1]: polkit.service: Failed with result 'timeout'. Nov 09 09:48:11 lewis systemd[1]: polkit.service: start operation timed out. Terminating. Nov 09 09:46:41 lewis systemd[1]: Starting polkit.service - Authorization Manager... Version-Release number of selected component (if applicable): polkit-123-1.fc39.x86_64 How reproducible: Deterministic, on 2 different machines. Actual results: - The error messages above. - X11 fails to start. Expected results: Function. Additional info: No idea about the cause. I never touched nor changes polkit, but this error to me renders F39 completely unusable and gives sufficent reasons to downgrade to f38.
FWIW: Installing polkit-libs-122-3.fc38.1.x86_64 polkit-122-3.fc38.1.x86_64 on fc39 seems to fix this issue for me.
Hello, please try the newest polkit and upgraded selinux-policy. polkit-123 introduced new utilization of systemd's security sandboxing and changes to selinux-policy had to be made. Those changes should have been present on F39 since August. Investigating right now.
Can you please provide journal info? $ sudo journalctl -S today -u polkit.service and SElinux info: $ sudo ausearch -ts recent I presume it is going to be long, so please attach it as files. Thank you.
(In reply to Jan Rybar from comment #2) > Hello, please try the newest polkit and upgraded selinux-policy. Which packages do you want me to try? - polkit-123-1.fc39 is the newest, I can find. This is the version, which exposes the issues for me. - I have selinux-policy-39.1-1.fc39 installed. There is a newer version for f40 in koji, but *-39.1-1 is the newest for fc39
Another observation. As I wrote above, for testing, I temporarily installed polkit-122-3.fc38.1.fc38. When (re-) upgrading to polkit-libs-123-1.fc39, this happened: # dnf update --refresh ... (1/2): polkit-libs-123-1.fc39.x86_64.rpm 542 kB/s | 64 kB 00:00 (2/2): polkit-123-1.fc39.x86_64.rpm 1.2 MB/s | 153 kB 00:00 ... [Long wait] ... Job for polkit.service failed because a timeout was exceeded. See "systemctl status polkit.service" and "journalctl -xeu polkit.service" for details. ... Upgraded: polkit-123-1.fc39.x86_64 polkit-libs-123-1.fc39.x86_64 ..
Now, things are going to behave bizarre ;) After the dnf update from #5, the error is gone! To summarize: 1. After upgrading from f38 to f39, the error occurred. 2. Then downgrading to polkit-122-3.fc38.1 and rebooting caused to error to vanish. 3. Then "dnf update"-ing to polkit-123-1.fc39 exposed the "hanger" 4. After another reboot, the error seems to have gone. From this, my wild guess is, something might go wrong wrt. polkit during the f38->f39 dist-upgrade, but doesn't go wrong (despite the hanger) when normally "dnf update"-ing from *-122->*-123 on fc39.
Another observation: I upgraded another system from f38 to f39, intentionally not fooling around with different versions of rpms. This time, all errors went away upon the 3rd or 4th reboot. I interpret this, as something is fishy inside of systemd's and polkit's interaction. May-be systemd's services execution order, may-be rpm's installation scripts.
Without data from journal and audit I can only guess wildly, but I bet this is caused by a weird combination of outdated selinux-policy package at the time of installing newest polkit package. I just installed fresh f38, updated it and then upgraded to f38 and no issue like this has emerged. Did you update the system before dist-upgrading it?
(In reply to Jan Rybar from comment #8) > Without data from journal and audit I can only guess wildly, but I bet this > is caused by a weird combination of outdated selinux-policy package at the > time of installing newest polkit package. > I just installed fresh f38, updated it and then upgraded to f38 and no issue ... upgraded to f39 and no issue... > like this has emerged. > Did you update the system before dist-upgrading it?
(In reply to Jan Rybar from comment #9) > Without data from journal and audit I have some, but due to my experiments, no clean ones, yet. I'll post them, when I have some. > > Did you update the system before dist-upgrading it? Of course, I did. Particularities about my installations is me heavily using yp, autofs, nfs, lightdm+xfce and using some custom SELinux rules.
Created attachment 1998136 [details] journalctl -r -b > f38.log last time booting f38 before upgrade
Created attachment 1998137 [details] journalctl -r -b -u polkit > f38.polkit.log
Created attachment 1998138 [details] journalctl -r -b > f39.0.log Log from 1. time booting f39.
Created attachment 1998139 [details] journalctl -r -b -u polkit > f39.0.polkit.log
Created attachment 1998140 [details] journalctl -r -b > f39.1.log Log from 2. time booting fc39
Created attachment 1998141 [details] journalctl -r -b -u polkit > f39.1.polkit.log
Created attachment 1998142 [details] journalctl -r -b > f39.2.log Log from 3. time booting f39
Created attachment 1998143 [details] journalctl -r -b -u polkit > f39.2.polkit.log
I've add 4 log having been generated from 4 consecutive boots. f38.log, the last boot.log before upgrading. f39.0.log, boot.log from the 1st boot after upgrading f39.1.log, boot.log from the 2nd boot after upgrading f39.2.log, boot.log from the 3rd boot after upgrading. The 1st and 2nd boot failed, the 3rd one succeeded.
(In reply to Ralf Corsepius from comment #10) > (In reply to Jan Rybar from comment #9) > > Without data from journal and audit > I have some, but due to my experiments, no clean ones, yet. > > I'll post them, when I have some. > > > > Did you update the system before dist-upgrading it? > Of course, I did. > > Particularities about my installations is me heavily using yp, autofs, nfs, > lightdm+xfce and using some custom SELinux rules. I'm almost afraid to suggest it... Relabel with the latest SELinux policy command is `sudo fixfiles -B onboot`. But with a lot of customizations, I would be concerned about doing more harm than good.
(In reply to Ralf Corsepius from comment #1) > FWIW: Installing > polkit-libs-122-3.fc38.1.x86_64 > polkit-122-3.fc38.1.x86_64 > > on fc39 seems to fix this issue for me. I found *123 works for me, if I replace /usr/lib/systemd/system/polkit.service with *-122's /usr/lib/systemd/system/polkit.service. As the only difference between *122's and *123's /usr/lib/systemd/system/polkit.service is the "[Service]" section, I started to experiment with settings in *-122's /usr/lib/systemd/system/polkit.service. Result: Commenting out "IPAddressDeny=any" fixes my bootup problems. Obviously, "IPAddressDeny=any" breaks yp/nis.
Yeah, this little line seems to make a lot of mess, so it's been decided to remove it in upstream. https://gitlab.freedesktop.org/polkit/polkit/-/commit/597d3e0d2643c96cbb1c8282066f0b0bc8534b5c It's probably worth sending a backport to an update. Not that it's a common issue though. Thank you for your investigation! Stay tuned.
FEDORA-2023-cf201a2c64 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-cf201a2c64
FEDORA-2023-cf201a2c64 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-cf201a2c64` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-cf201a2c64 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-cf201a2c64 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
This issue affects Fedora 38 too, when you fresh install using the network installer with the latest packages. GNOME desktop is crippled as a result.
dbus-broker-launch[899]: Invalid user-name in /usr/share/dubs-1/system.d/org.freedesktop.PolicyKit1.conf +16: user="polkitd"