Bug 2003778

Summary: configured settings from gnome-initial-setup are not stored, when selinux is enforcing
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 35CC: dwalsh, geraldo.simiao.kutz, grepl.miroslav, lvrabec, mcatanza, mmalik, omosnace, robatino, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-18 18:13:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1891955    
Attachments:
Description Flags
journal none

Description Kamil Páral 2021-09-13 16:56:27 UTC 
Description of problem:
When working with gnome-initial-setup in F35, I noticed that even though I kept "Location Services" and "Automatic Problem Reporting" enabled in gnome-initial-setup, they were then disabled in the actual OS. This only happens when selinux is enforcing, though. When permissive, the settings are correctly applied to the OS.

This might be related to bug 1997310, it might be even the same bug. I don't know, but I'm filing this separately, so that this particular problem is trackable.

Version-Release number of selected component (if applicable):
selinux-policy-34.16-1.fc35.noarch
gnome-initial-setup-41~beta-3.fc35.x86_64
Fedora-Workstation-Live-x86_64-35-20210912.n.0.iso

How reproducible:
always

Steps to Reproduce:
1. install Workstation Live
2. in initial setup, keep Location Services and Automatic Problem Reporting enabled
3. in the installed system, check them in gnome-control-center and find them disabled

4. repeat 1-3 again, but this time add "enforcing=0" before booting into gnome-initial-setup, and see the problem resolved
Comment 1 Kamil Páral 2021-09-13 16:57:52 UTC 
Created attachment 1822825 [details]
journal

I'm adding a journal, but I assume that most of the denials reported in bug 1997310 will be also relevant here.
Comment 2 Kamil Páral 2021-09-13 17:00:13 UTC 
Proposing as a Final blocker:
"If an initial setup utility is run or intended to be run after the first boot of the installed system, then it must start successfully and each page or panel of the initial setup utility should withstand a basic functionality test. "
https://fedoraproject.org/wiki/Fedora_35_Final_Release_Criteria#First_boot_experience
Comment 3 Zdenek Pytela 2021-09-14 06:49:37 UTC 
Some problems have already been resolved, I've added references to similar bugzillas. 

Sep 13 13:15:38 fedora audit[824]: AVC avc:  denied  { create } for  pid=824 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
resolved in selinux-policy-34.19-2

Sep 13 13:16:32 localhost-live audit[1369]: AVC avc:  denied  { read } for  pid=1369 comm="gdb" name="user" dev="tmpfs" ino=1329 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_var_run_t:s0 tclass=file permissive=0
abrt failures should not cause any problem; if it was a result of missing permissions for at-spi, it will be addressed by the next build

Sep 13 13:17:40 localhost-live audit[1015]: AVC avc:  denied  { sigkill } for  pid=1015 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
yet to be troubleshooted

Sep 13 13:18:51 localhost-live audit[1654]: AVC avc:  denied  { execute } for  pid=1654 comm="dbus-daemon" name="gnome-keyring-daemon" dev="vda2" ino=3315 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0
solution on the way

Sep 13 13:16:31 localhost-live ibus-daemon[1282]: Error creating proxy: Error calling StartServiceByName for org.gtk.vfs.Daemon: Timeout was reached (g-io-error-quark, 24)
there are other errors like this which do not have a matching AVC denial
Comment 4 Michael Catanzaro 2021-09-14 12:34:34 UTC 
(In reply to Zdenek Pytela from comment #3)
> Sep 13 13:16:31 localhost-live ibus-daemon[1282]: Error creating proxy:
> Error calling StartServiceByName for org.gtk.vfs.Daemon: Timeout was reached
> (g-io-error-quark, 24)
> there are other errors like this which do not have a matching AVC denial

We need to figure out what's going on with all these D-Bus timeouts.

I think we should block release of F35 beta until we know what's going on with these. We're up to something like four or five related bugs now....
Comment 5 Zdenek Pytela 2021-09-15 08:44:57 UTC 
Current state is that with updated selinux-policy, the system seems to install and setup without a glitch, I'd like to have somebody to confirm though.
I believe this bz can be closed as a dup of bz#1997310, refer there for the latest information.
Comment 6 Geraldo Simião 2021-09-18 15:30:53 UTC 
I tested now the last build (Fedora-Workstation-Live-x86_64-35-20210918.n.0) and found that this bug is FIXED there.
All settings at initial setup still enabled after reboot.
Comment 7 Michael Catanzaro 2021-09-18 18:13:51 UTC 

*** This bug has been marked as a duplicate of bug 1997310 ***