Bug 2175711

Summary: gnome-initial-setup hangs when I try to add a Google account
Product: [Fedora] Fedora
Reporter: Kamil Páral <kparal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 38
CC: aday, awilliam, dwalsh, gnome-sig, klember, lvrabec, mcatanza, mmalik, omosnacek, pkoncity, robatino, tiagomatos, vmojzis, zpytela
Last Closed: 2023-03-06 17:22:45 UTC
Type: Bug
Bug Blocks: 2083911, 2083912    
Attachments: system journal (flags: none)

Description Kamil Páral 2023-03-06 12:09:55 UTC
Description of problem:
When I'm asked to add an online account and I click on Google, the initial setup window freezes and can't be used anymore. Waiting doesn't seem to help.

Tested with Fedora-Workstation-Live-x86_64-38-20230305.n.0.iso

I'll try to attach logs.


Version-Release number of selected component (if applicable):
gnome-initial-setup-44~beta-1.fc38.x86_64

How reproducible:
always

Steps to Reproduce:
1. install F38 Workstation, reboot
2. in the initial setup, click Google in Online Accounts step
3. freeze

Comment 2 Kamil Páral 2023-03-06 12:14:59 UTC
Created attachment 1948327: system journal

This should be the system journal during the boot with the frozen initial setup.

Comment 3 Allan Day 2023-03-06 12:28:15 UTC
Additionally - clicking the policy link on the privacy page has no effect.

(I'm testing with the same nightly image as Kamil.)

Comment 4 Kalev Lember 2023-03-06 13:35:25 UTC
I see avc denials in the log:

Mar 06 13:05:45 localhost-live audit[1796]: AVC avc:  denied  { create } for  pid=1796 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0
Mar 06 13:05:45 localhost-live gnome-initial-setup.desktop[1796]: bwrap: Creating new namespace failed: Permission denied

That to me suggests that SELinux is blocking bubblewrap, which makes WebKit sandboxing not work and breaks gnome-online-accounts. Can you please try whether changing SELinux to permissive mode makes it work?
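
Added example (not part of the original bug report or of any project's code): a small Python parser for the AVC record quoted in comment 4. It extracts the denied permission, process and SELinux domain, and picks out enforced `user_namespace { create }` denials. The function names and the third journal line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two journal lines quoted in comment 4, plus one
# constructed unrelated line to show that non-AVC records are skipped.
SAMPLE_JOURNAL = """\
Mar 06 13:05:45 localhost-live audit[1796]: AVC avc:  denied  { create } for  pid=1796 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0
Mar 06 13:05:45 localhost-live gnome-initial-setup.desktop[1796]: bwrap: Creating new namespace failed: Permission denied
Mar 06 13:05:46 localhost-live systemd[1]: Started example.service.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one journal line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain colons,
    # so only the third field is taken as the type (domain).
    rec["source_type"] = rec.get("scontext", ":::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", ":::").split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def blocked_userns(journal_text):
    """Return enforced denials of user_namespace { create }."""
    hits = []
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["enforced"] and rec.get("tclass") == "user_namespace"
                and "create" in rec["perms"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count denials per (process name, source domain)."""
    return Counter((h.get("comm", "?"), h["source_type"]) for h in hits)


if __name__ == "__main__":
    for (comm, domain), n in summarize(blocked_userns(SAMPLE_JOURNAL)).items():
        print(f"{n} denial(s): {comm} in domain {domain} could not create a user namespace")
```

Records with `permissive=1` are logged but not enforced, so the filter skips them.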

Comment 5 Michael Catanzaro 2023-03-06 17:08:47 UTC
I agree with Kalev's assessment. Ideally WebKit should crash the main process rather than just hanging if bwrap fails, but regardless it's not a supportable situation. Reassigning to selinux-policy.

Comment 6 Adam Williamson 2023-03-06 17:21:43 UTC
Isn't this a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=2159230 ?

Comment 7 Adam Williamson 2023-03-06 17:22:45 UTC
Yeah, pretty sure it is.

*** This bug has been marked as a duplicate of bug 2159230 ***