Bug 2003778 - configured settings from gnome-initial-setup are not stored, when selinux is enforcing
Status: CLOSED DUPLICATE of bug 1997310
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Blocks: F35FinalBlocker
Reported: 2021-09-13 16:56 UTC by Kamil Páral
Modified: 2021-09-18 18:13 UTC

Last Closed: 2021-09-18 18:13:51 UTC
Type: Bug
Attachments
journal (275.53 KB, text/plain), 2021-09-13 16:57 UTC, Kamil Páral


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1949712 1 high CLOSED SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-7hye6voX3Y. 2021-10-17 22:59:13 UTC
Red Hat Bugzilla 1997310 1 high CLOSED gnome-initial-setup slow to start up, missing Online Accounts page when SELinux in enforcing mode 2021-09-18 19:04:03 UTC
Red Hat Bugzilla 2001057 1 high CLOSED F35 boots 3x slower than F34, large time gaps in systemd journal 2021-09-21 19:09:43 UTC

Description Kamil Páral 2021-09-13 16:56:27 UTC
Description of problem:
When working with gnome-initial-setup in F35, I noticed that even though I kept "Location Services" and "Automatic Problem Reporting" enabled in gnome-initial-setup, they were then disabled in the actual OS. This only happens when selinux is enforcing, though. When permissive, the settings are correctly applied to the OS.

This might be related to bug 1997310, it might be even the same bug. I don't know, but I'm filing this separately, so that this particular problem is trackable.

Version-Release number of selected component (if applicable):
selinux-policy-34.16-1.fc35.noarch
gnome-initial-setup-41~beta-3.fc35.x86_64
Fedora-Workstation-Live-x86_64-35-20210912.n.0.iso

How reproducible:
always

Steps to Reproduce:
1. install Workstation Live
2. in initial setup, keep Location Services and Automatic Problem Reporting enabled
3. in the installed system, check them in gnome-control-center and find them disabled

4. repeat 1-3 again, but this time add "enforcing=0" before booting into gnome-initial-setup, and see the problem resolved

Comment 1 Kamil Páral 2021-09-13 16:57:52 UTC
Created attachment 1822825
journal

I'm adding a journal, but I assume that most of the denials reported in bug 1997310 will be also relevant here.

Comment 2 Kamil Páral 2021-09-13 17:00:13 UTC
Proposing as a Final blocker:
"If an initial setup utility is run or intended to be run after the first boot of the installed system, then it must start successfully and each page or panel of the initial setup utility should withstand a basic functionality test."
https://fedoraproject.org/wiki/Fedora_35_Final_Release_Criteria#First_boot_experience

Comment 3 Zdenek Pytela 2021-09-14 06:49:37 UTC
Some problems have already been resolved; I've added references to similar bugzillas.

Sep 13 13:15:38 fedora audit[824]: AVC avc:  denied  { create } for  pid=824 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
resolved in selinux-policy-34.19-2

Sep 13 13:16:32 localhost-live audit[1369]: AVC avc:  denied  { read } for  pid=1369 comm="gdb" name="user" dev="tmpfs" ino=1329 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_var_run_t:s0 tclass=file permissive=0
abrt failures should not cause any problem; if it was a result of missing permissions for at-spi, it will be addressed by the next build

Sep 13 13:17:40 localhost-live audit[1015]: AVC avc:  denied  { sigkill } for  pid=1015 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
yet to be troubleshooted

Sep 13 13:18:51 localhost-live audit[1654]: AVC avc:  denied  { execute } for  pid=1654 comm="dbus-daemon" name="gnome-keyring-daemon" dev="vda2" ino=3315 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0
solution on the way

Sep 13 13:16:31 localhost-live ibus-daemon[1282]: Error creating proxy: Error calling StartServiceByName for org.gtk.vfs.Daemon: Timeout was reached (g-io-error-quark, 24)
there are other errors like this which do not have a matching AVC denial
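
The triage in comment 3 sorts journal lines into AVC denials and errors that have no denial next to them. The following is an added example, not part of the original thread and not Fedora tooling: it parses the journal lines quoted in that comment into "source -> target:class" access vectors and lists error lines that no denial accounts for. The function names and the PID/process-name matching heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Journal lines quoted in comment 3 of this bug report.
JOURNAL = """\
Sep 13 13:15:38 fedora audit[824]: AVC avc:  denied  { create } for  pid=824 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
Sep 13 13:16:32 localhost-live audit[1369]: AVC avc:  denied  { read } for  pid=1369 comm="gdb" name="user" dev="tmpfs" ino=1329 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_var_run_t:s0 tclass=file permissive=0
Sep 13 13:17:40 localhost-live audit[1015]: AVC avc:  denied  { sigkill } for  pid=1015 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
Sep 13 13:18:51 localhost-live audit[1654]: AVC avc:  denied  { execute } for  pid=1654 comm="dbus-daemon" name="gnome-keyring-daemon" dev="vda2" ino=3315 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0
Sep 13 13:16:31 localhost-live ibus-daemon[1282]: Error creating proxy: Error calling StartServiceByName for org.gtk.vfs.Daemon: Timeout was reached (g-io-error-quark, 24)
""".splitlines()

AVC_RE = re.compile(r"AVC avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<ident>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type decides access.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Group denials into 'source -> target:class' vectors with their perms."""
    vectors = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        vectors[key].update(rec["perms"])
    return {f"{s} -> {t}:{c}": sorted(p) for (s, t, c), p in vectors.items()}

def errors_without_avc(lines):
    """Heuristic (assumption): an error line is unmatched when no denial has
    its PID or its process name (AVC comm= is truncated to 15 characters)."""
    denials = [r for r in map(parse_avc, lines) if r]
    pids = {r["pid"] for r in denials}
    comms = {r["comm"] for r in denials}
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and parse_avc(line) is None and "Error" in m["msg"]:
            if m["pid"] not in pids and m["ident"][:15] not in comms:
                out.append((m["ident"], m["msg"]))
    return out
```

On the quoted lines, `summarize(JOURNAL)` yields four distinct vectors and `errors_without_avc(JOURNAL)` returns only the ibus-daemon D-Bus timeout.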

Comment 4 Michael Catanzaro 2021-09-14 12:34:34 UTC
(In reply to Zdenek Pytela from comment #3)
> Sep 13 13:16:31 localhost-live ibus-daemon[1282]: Error creating proxy:
> Error calling StartServiceByName for org.gtk.vfs.Daemon: Timeout was reached
> (g-io-error-quark, 24)
> there are other errors like this which do not have a matching AVC denial

We need to figure out what's going on with all these D-Bus timeouts.

I think we should block release of F35 beta until we know what's going on with these. We're up to something like four or five related bugs now....

Comment 5 Zdenek Pytela 2021-09-15 08:44:57 UTC
The current state is that with updated selinux-policy, the system seems to install and set up without a glitch; I'd like to have somebody confirm, though.
I believe this bz can be closed as a dup of bz#1997310, refer there for the latest information.

Comment 6 Geraldo Simião 2021-09-18 15:30:53 UTC
I tested now the last build (Fedora-Workstation-Live-x86_64-35-20210918.n.0) and found that this bug is FIXED there.
All settings at initial setup still enabled after reboot.

Comment 7 Michael Catanzaro 2021-09-18 18:13:51 UTC

*** This bug has been marked as a duplicate of bug 1997310 ***

