Bug 2122059

Summary: GNOME fails to start with accountsservice-22.08.8-1.fc38
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: high
Version: rawhide
CC: dwalsh, grepl.miroslav, kevin, klember, lvrabec, mmalik, omosnacek, pkoncity, pmendezh, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: openqa
Last Closed: 2022-09-19 14:08:42 UTC
Type: Bug

Description Adam Williamson 2022-08-28 23:00:15 UTC
openQA testing of accountsservice-22.08.8-1.fc38 shows that GNOME fails to start with it installed - see all failed tests at https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=38&build=Update-FEDORA-2022-87b11efb59&groupid=2 (plus even on KDE accounts-daemon.service fails to start, though it doesn't stop KDE working like it does GNOME).

From the logs it's an SELinux permissions issue:

Aug 28 07:42:43 fedora audit[621]: AVC avc:  denied  { mounton } for  pid=621 comm="(s-daemon)" path="/run/systemd/unit-root/proc/621/loginuid" dev="proc" ino=17725 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
Aug 28 07:42:43 fedora systemd[621]: Failed to mount /run/systemd/unit-root/proc/621/loginuid to /run/systemd/unit-root/proc/621/loginuid: Permission denied
Aug 28 07:42:43 fedora systemd[621]: accounts-daemon.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc/621/loginuid: Permission denied
Aug 28 07:42:43 fedora systemd[621]: accounts-daemon.service: Failed at step NAMESPACE spawning /usr/libexec/accounts-daemon: Permission denied

so filing against selinux-policy, but CCing Kalev. I've asked Kevin to untag the update from Rawhide to prevent the next compose and future updates tests from breaking.

Comment 1 Zdenek Pytela 2022-08-29 10:58:53 UTC
Reproduced, full audit log here:

type=PROCTITLE msg=audit(29.8.2022 12:48:03.528:211) : proctitle=(s-daemon)
type=PATH msg=audit(29.8.2022 12:48:03.528:211) : item=0 name=/proc/self/fd/4 inode=19282 dev=00:39 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(29.8.2022 12:48:03.528:211) : cwd=/
type=SYSCALL msg=audit(29.8.2022 12:48:03.528:211) : arch=x86_64 syscall=mount success=no exit=EACCES a0=0x562647bdd280 a1=0x7fff3d7c5ec0 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=831 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(s-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(29.8.2022 12:48:03.528:211) : avc:  denied  { mounton } for  pid=831 comm=(s-daemon) path=/run/systemd/unit-root/proc/831/loginuid dev="proc" ino=19282 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0

and subsequently

type=PROCTITLE msg=audit(29.8.2022 12:53:47.838:296) : proctitle=(s-daemon)
type=PATH msg=audit(29.8.2022 12:53:47.838:296) : item=0 name=mail inode=10777 dev=00:1d mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(29.8.2022 12:53:47.838:296) : cwd=/
type=SYSCALL msg=audit(29.8.2022 12:53:47.838:296) : arch=x86_64 syscall=readlinkat success=yes exit=10 a0=0x5 a1=0x562647bf2740 a2=0x562647d3d6a0 a3=0x1000 items=1 ppid=1 pid=920 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(s-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(29.8.2022 12:53:47.838:296) : avc:  denied  { read } for  pid=920 comm=(s-daemon) name=mail dev="vda3" ino=10777 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
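
Added example, not part of the original report: a small Python triage script that parses both AVC record forms quoted in this thread (the journal form and the interpreted `type=AVC` form) and separates denials that were enforced (permissive=0) from ones that were only logged (permissive=1). The function names and the grouping are this example's own assumptions; the sample lines are copied from the comments above.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records and one non-AVC line copied from this report.
SAMPLE = """\
Aug 28 07:42:43 fedora audit[621]: AVC avc:  denied  { mounton } for  pid=621 comm="(s-daemon)" path="/run/systemd/unit-root/proc/621/loginuid" dev="proc" ino=17725 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=AVC msg=audit(29.8.2022 12:53:47.838:296) : avc:  denied  { read } for  pid=920 comm=(s-daemon) name=mail dev="vda3" ino=10777 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
Aug 28 07:42:43 fedora systemd[621]: accounts-daemon.service: Failed at step NAMESPACE spawning /usr/libexec/accounts-daemon: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    # A context is user:role:type:level; the level can itself contain ':'.
    return {
        "perms": m.group(1).split(),
        "source_type": fields["scontext"].split(":", 3)[2],
        "target_type": fields["tcontext"].split(":", 3)[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
        "comm": fields.get("comm"),
        "blocked": fields.get("permissive") == "0",  # only an explicit 0 counts
    }

def triage(text):
    """Group denials by (source type, target type, class); flag enforced ones."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "blocked": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        if rec["object"]:
            g["objects"].add(rec["object"])
        g["blocked"] = g["blocked"] or rec["blocked"]
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(triage(SAMPLE).items()):
        state = "BLOCKED" if g["blocked"] else "logged only (permissive)"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} {state}")
```

On the sample, the `mounton` denial on the `loginuid` file is the one that was actually enforced; the `read` on the `mail` symlink was recorded with permissive=1 and did not block anything.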

Comment 2 Adam Williamson 2022-08-31 16:47:14 UTC
Thanks! When will there be a new build?

Comment 3 Zdenek Pytela 2022-08-31 18:06:45 UTC
(In reply to Adam Williamson from comment #2)
> Thanks! When will there be a new build?

Tomorrow, is F38 sufficient?

Comment 4 Adam Williamson 2022-09-01 05:41:05 UTC
It looks like the new version has been built for F37 too; it's not in an update yet but I assume it will be after Beta freeze is done. In that case we'd need it on F37 too, but not as urgently, since the Beta freeze will be in place for a while. Kalev, can you confirm? Thanks!

Comment 5 Kalev Lember 2022-09-01 08:24:45 UTC
Yes, it would be good to have the fix in both F37 and rawhide, but neither is super urgent (rawhide build is untagged and the F37 build hasn't been submitted to Bodhi yet). Thanks for the quick fix, Zdenek!

Comment 6 Adam Williamson 2022-09-01 15:54:03 UTC
I'd like to have it for Rawhide just so I still remember to get accountsservice re-tagged. We don't have a great process for keeping track of things we've untagged from Rawhide, really, so it's best to fix it up while nirik and I still remember about it :D

Comment 7 Zdenek Pytela 2022-09-02 12:02:26 UTC
Working on the build now.

Comment 8 Zdenek Pytela 2022-09-19 14:08:42 UTC
Fixed in the latest rawhide build.