Bug 1928365 - D-Bus System Message Bus fails to start due to SELinux policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2038475
Depends On:
Blocks:
Reported: 2021-02-13 12:36 UTC by Matti Linnanvuori
Modified: 2022-09-21 15:44 UTC (History)

Fixed In Version: selinux-policy-35.18-1.fc35
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-23 03:13:42 UTC
Type: Bug
Embargoed:



Links
System: Github
ID: fedora-selinux selinux-policy pull 1135
Private: 0
Priority: None
Status: open
Summary: Allow system dbus daemon watch generic directories in /var/lib
Last Updated: 2022-04-08 12:04:14 UTC

Description Matti Linnanvuori 2021-02-13 12:36:41 UTC
Description of problem:
D-Bus System Message Bus fails to start due to SELinux policy

Version-Release number of selected component (if applicable):
3.14.7-18.fc34

How reproducible:
always

Steps to Reproduce:
1. Install snapd.
2. Upgrade to the latest Rawhide Workstation.
3. Boot the computer

Actual results:
D-Bus System Message Bus fails to start.

Expected results:
D-Bus System Message Bus starts.

Additional info:
Feb 11 21:24:23 localhost.localdomain systemd[1]: Starting D-Bus System Message Bus...
░░ Subject: A start job for unit dbus-broker.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit dbus-broker.service has begun execution.
░░ 
░░ The job identifier is 7552.
Feb 11 21:24:23 localhost.localdomain audit: BPF prog-id=104 op=UNLOAD
Feb 11 21:24:23 localhost.localdomain audit[1463]: AVC avc:  denied  { watch } for  pid=1463 comm="dbus-broker-lau" path="/var/lib/snapd/dbus-1/system-services" dev="dm-0" ino=351756 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c10>
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]: ERROR dirwatch_add @ ../src/util/dirwatch.c +122: Permission denied
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]:       launcher_load_service_dir @ ../src/launch/launcher.c +763
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]:       launcher_load_services @ ../src/launch/launcher.c +978
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]:       launcher_run @ ../src/launch/launcher.c +1306
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]:       run @ ../src/launch/main.c +152
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]:       main @ ../src/launch/main.c +178
Feb 11 21:24:23 localhost.localdomain dbus-broker-launch[1463]: Exiting due to fatal error: -13
Feb 11 21:24:23 localhost.localdomain systemd[1]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit dbus-broker.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Feb 11 21:24:23 localhost.localdomain systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit dbus-broker.service has entered the 'failed' state with result 'exit-code'.
Feb 11 21:24:23 localhost.localdomain systemd[1]: Failed to start D-Bus System Message Bus.
░░ Subject: A start job for unit dbus-broker.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit dbus-broker.service has finished with a failure.
░░ 
░░ The job identifier is 7552 and the job result is failed.
Feb 11 21:24:23 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-broker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? re>
Feb 11 21:24:23 localhost.localdomain systemd[1]: dbus-broker.service: Start request repeated too quickly.
Feb 11 21:24:23 localhost.localdomain systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit dbus-broker.service has entered the 'failed' state with result 'exit-code'.
Feb 11 21:24:23 localhost.localdomain systemd[1]: Failed to start D-Bus System Message Bus.
░░ Subject: A start job for unit dbus-broker.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit dbus-broker.service has finished with a failure.
░░ 
░░ The job identifier is 7655 and the job result is failed.

Comment 1 Ben Cotton 2021-08-10 13:40:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 2 Zdenek Pytela 2022-01-26 17:22:27 UTC
I suppose this bug is fixed in current releases. If not, please create a new one and include AVC denials.

Comment 3 Yaniv Kaul 2022-04-08 10:41:15 UTC
Re-opening, as I think it just happened to me as well, on Fedora 36 beta.
AVC:
AVC avc:  denied  { watch } for  pid=1096 comm="dbus-broker-lau" path="/var/lib/snapd/dbus-1/system-services" dev="dm-1" ino=1695749 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1

I'm running with the following selinux-policy (changelog):
* Tue Apr 05 2022 Zdenek Pytela <zpytela> - 36.6-1
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain


And snapd-selinux:
* Wed Apr 06 2022 Maciek Borzecki <maciek.borzecki> - 2.55.2-1
- Release 2.55.2 to Fedora


Removing snapd and friends cleared the issue altogether.

The updates I've installed prior to this reboot (seem irrelevant to me!):
2022-04-08T12:22:56+0300 DEBUG Completion plugin: Generating completion cache...
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-adsl-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-config-connectivity-fedora-1:1.37.90-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-initscripts-ifcfg-rh-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-initscripts-updown-1:1.37.90-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-libnm-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-team-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: NetworkManager-wifi-1:1.37.90-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: ansible-5.6.0-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: code-1.66.1-1649257913.el7.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: container-selinux-2:2.181.0-2.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: cups-filters-1.28.14-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: cups-filters-braille-1.28.14-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: cups-filters-libs-1.28.14-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: distribution-gpg-keys-1.68-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: edk2-ovmf-20220221gitb24306f15daa-3.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: fedora-third-party-0.10-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: gnome-connections-42.1.1-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: kexec-tools-2.0.23-6.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: libffado-2.4.5-2.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: libgpg-error-1.45-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: libgpg-error-devel-1.45-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: libspnav-1.0-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: perl-CPAN-2.33-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: python3-jmespath-1.0.0-2.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: python3-sqlalchemy-1.4.35-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: vim-common-2:8.2.4701-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: vim-data-2:8.2.4701-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: vim-enhanced-2:8.2.4701-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: vim-filesystem-2:8.2.4701-1.fc36.noarch
2022-04-08T12:22:56+0300 DEBUG Upgraded: vim-minimal-2:8.2.4701-1.fc36.x86_64
2022-04-08T12:22:56+0300 DEBUG Upgraded: wavpack-5.4.0-5.fc36.x86_64

But perhaps it was a previous update (which I don't recall rebooting in between), with:
2022-04-07T13:57:17+0300 DEBUG Upgraded: selinux-policy-36.6-1.fc36.noarch
2022-04-07T13:57:17+0300 DEBUG Upgraded: selinux-policy-devel-36.6-1.fc36.noarch
2022-04-07T13:57:17+0300 DEBUG Upgraded: selinux-policy-minimum-36.6-1.fc36.noarch
2022-04-07T13:57:17+0300 DEBUG Upgraded: selinux-policy-targeted-36.6-1.fc36.noarch
2022-04-07T13:57:17+0300 DEBUG Upgraded: smartmontools-1:7.3-2.fc36.x86_64
2022-04-07T13:57:17+0300 DEBUG Upgraded: smartmontools-selinux-1:7.3-2.fc36.noarch
2022-04-07T13:57:17+0300 DEBUG Upgraded: snap-confine-2.55.2-1.fc36.x86_64
2022-04-07T13:57:17+0300 DEBUG Upgraded: snapd-2.55.2-1.fc36.x86_64
2022-04-07T13:57:17+0300 DEBUG Upgraded: snapd-selinux-2.55.2-1.fc36.noarch
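
Added example, not part of the bug report or of the selinux-policy project: a small parser that reads AVC denial lines like the ones quoted above, extracts the source type, target type, class and permission, and renders the raw type-enforcement rule the denial corresponds to. The function names are hypothetical, the sample lines are constructed from the records on this page, and the policy change actually merged for this bug is not shown here.

```python
import re

# Constructed sample input: the first record is the AVC quoted in comment 3;
# the second imitates the journal line from the description, which the pager
# cut off (trailing '>') before tcontext and tclass.
SAMPLE = [
    'AVC avc:  denied  { watch } for  pid=1096 comm="dbus-broker-lau" '
    'path="/var/lib/snapd/dbus-1/system-services" dev="dm-1" ino=1695749 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1',
    'audit[1463]: AVC avc:  denied  { watch } for  pid=1463 '
    'comm="dbus-broker-lau" path="/var/lib/snapd/dbus-1/system-services" '
    'dev="dm-0" ino=351756 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c10>',
]

PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = PERMS.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec = {"perms": m.group(1).split(), "path": fields.get("path"),
           "tclass": fields.get("tclass"),
           # permissive=1: the access was logged but not blocked
           "permissive": fields.get("permissive") == "1"}
    for key in ("scontext", "tcontext"):
        # A context is user:role:type:level; the type is the third field.
        parts = fields.get(key, "").split(":")
        rec[key[0] + "type"] = parts[2] if len(parts) >= 4 else None
    # A truncated journal line lacks the fields needed to write a rule.
    rec["complete"] = None not in (rec["stype"], rec["ttype"], rec["tclass"])
    return rec

def to_rule(rec):
    """Render the raw allow rule that would permit the denied access."""
    if not rec["complete"]:
        raise ValueError("truncated AVC record: collect it again untruncated")
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"

if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE):
        print(to_rule(rec) if rec["complete"] else f"incomplete: {rec['path']}")
```

The truncated record is reported as incomplete rather than guessed at, which is why a full, untruncated AVC line is needed before a denial can be triaged.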

Comment 4 Fedora Update System 2022-06-07 09:25:19 UTC
FEDORA-2022-9e53cb5027 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

Comment 5 Fedora Update System 2022-06-08 01:20:12 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9e53cb5027`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-06-23 03:13:42 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 7 Zdenek Pytela 2022-09-21 15:44:52 UTC
*** Bug 2038475 has been marked as a duplicate of this bug. ***

