PolicyKit failing to start with error: polkit.service: main process exited, code=exited, status=1/FAILURE

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7

Issue

  • Commands are failing or timing out (after 10 minutes) with dbus and polkit / PolicyKit errors, e.g.:

    dbus-daemon: dbus[996]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
    dbus[996]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
    systemd: Starting Authorization Manager...
    systemd: polkit.service: main process exited, code=exited, status=1/FAILURE
    systemd: Failed to start Authorization Manager.
    systemd: Unit polkit.service entered failed state.
    dbus-daemon: dbus[996]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
    dbus[996]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
    

Resolution

  1. Ensure the existence of a polkitd system user & group
    Copy/paste the following 2 compound-commands to a root terminal to check for and conditionally create the user/group

    getent group polkitd >/dev/null && echo -e "\e[1;32mpolkitd group already exists\e[0m" || { groupadd -r polkitd && echo -e "\e[1;33mAdded missing polkitd group\e[0m" || echo -e "\e[1;31mAdding polkitd group FAILED\e[0m"; }
    getent passwd polkitd >/dev/null && echo -e "\e[1;32mpolkitd user already exists\e[0m" || { useradd -r -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd && echo -e "\e[1;33mAdded missing polkitd user\e[0m" || echo -e "\e[1;31mAdding polkitd user FAILED\e[0m"; }
    
  2. Reset the permissions and user/group ownership for all files provided by the polkit and polkit-pkla-compat packages
    Copy/paste the following compound-command to a root terminal to check for and conditionally reset user/group perms & ownership

    rpm -Va polkit\* && echo -e "\e[1;32mpolkit* rpm verification passed\e[0m" || { echo -e "\e[1;33mResetting polkit* rpm user/group ownership & perms\e[0m"; rpm --setugids polkit polkit-pkla-compat; rpm --setperms polkit polkit-pkla-compat; }
    
  3. Reboot
    A reboot of the machine will be required to make sure that all changes take affect and that polkit has reconnected to the dbus

    shutdown -r now
    
  4. Open a support case if there are still issues

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

12 Comments

This does not persist after a reboot, but may be related to ipv6 being disabled.

(For me, ipv6 was not disabled) Two RHEL 7.5 server edition systems of mine had issues with polkit after upgrading from my satellite from RHEL 7.5 to RHEL 7.6

My own fix, I did a yum -y reinstall polkit which initially didn't resolve, then I did a yumdownloader polkit, and I did a yum -y reinstall polkit-[currentversion,64bit].rpm which cured my issues on those 2 systems.

Monitoring this for more issues with RHEL 7.6 and will dig further.

-RJ

I have this problem, I've tried these steps. The problem occurs intermittently and this solution does not stop the problem from occurring.

same here.

this command is badly broken, encoding wise.

like:

\e[1;32m \e[0m

I am with same issue. I reinstalled with Polkit package but no luck. Does anyone help me with this.

Same problem for me. I upgraded a bunch of machines from 7.4 to 7.6 and one of them has this exact problem. I've checked the entries in the password and group files and they are OK. They match other machines that have no problem. I verified the RPM packages, reinstalled polkit RPM, and rebooted the server. Nothing has fixed the issue.

In our case it had to do with dbus and automount and polkit stuff, but I wasn't able to fix it.

Eventually we reinstalled 2 boxes because of this.

Just like Tom Stocker mentioned, we had to manually adjust polkit's service target file to start before other services. I am curious why Red Hat couldn't have made polkit take precedence in this matter. Soo many systems that we've upgraded from 7.5 to 7.6 as a result of patching incurred this issue and only recently did we discover we had to manually edit (grrrr) polkit's service target file to accommodate something Red Hat ought to have resolved upon the upgrade of the polkit rpm. We did not have this issue before the upgrade to 7.6.

There's a bug on this anyone experiencing an issue with this, please submit a case with Red Hat because Red Hat scales priority based on customer interest, and if you add a rational impact (in a case), they'll respond in kind (even if you're not aware of it). Please see this solution for more details https://access.redhat.com/solutions/3900301

Here's the Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1531486 and it is worthwhile to read it

For what it's worth, patching firmware on the affected nodes seems to clear this problem. On our Dell servers, there are things in the firmware notes such as "Add support for RHEL7.6". I applied updates to BIOS, iDRAC, and Ethernet adapters and that seems to clear the problem. I can confirm that we do use NIS on these machines, and that is implicated in the linked bugzilla.