Bug 2017433 - 3rd party repos are enabled, if you enable them initially, but then change your mind
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F35FinalFreezeException
 
Reported: 2021-10-26 14:01 UTC by Kamil Páral
Modified: 2021-11-07 01:28 UTC (History)

Fixed In Version: selinux-policy-35.5-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-07 01:28:25 UTC
Type: Bug
Embargoed:


Attachments
journal (235.90 KB, text/plain), 2021-10-26 14:01 UTC, Kamil Páral
rpm -qa (58.11 KB, text/plain), 2021-10-26 14:01 UTC, Kamil Páral

Description Kamil Páral 2021-10-26 14:01:14 UTC
Description of problem:
If you enable 3rd party repos in gnome-initial-setup, click Next, but then change your mind, return to the previous screen using Previous, disable the repos, and finish the setup, the repos in the final system are... enabled. Which they obviously shouldn't be :-)

Version-Release number of selected component (if applicable):
fedora-third-party-0.8-1.fc35.noarch
gnome-initial-setup-41.0-1.fc35.x86_64

How reproducible:
always

Steps to Reproduce:
1. install F35 Workstation
2. reboot into gnome-initial-setup
3. enable the 3rd party repos toggle, click Next
4. click Previous, disable the 3rd party repos toggle
5. finish gnome-initial-setup
6. check "dnf repolist" and "flatpak remotes", 3rd party repos are enabled but shouldn't be

Comment 1 Kamil Páral 2021-10-26 14:01:34 UTC
Created attachment 1837227: journal

Comment 2 Kamil Páral 2021-10-26 14:01:39 UTC
Created attachment 1837228: rpm -qa

Comment 3 Kamil Páral 2021-10-26 14:05:10 UTC
I don't think this is blocker material, but perhaps we want to squeeze a fix in time before F35 Final release, so nominating for a freeze exception.

Comment 4 Owen Taylor 2021-10-26 14:38:04 UTC
This is a selinux-policy problem, probably:

===
Oct 26 15:54:03 fedora pkexec[1569]: gnome-initial-setup: Executing command [USER=root] [TTY=unknown] [CWD=/run/gnome-initial-setup/] [COMMAND=/usr/bin/fedora-third-party disable]
Oct 26 15:54:03 fedora audit[1572]: AVC avc:  denied  { write } for  pid=1572 comm="flatpak" name="system_bus_socket" dev="tmpfs" ino=1117 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
Oct 26 15:54:03 fedora audit[1574]: AVC avc:  denied  { write } for  pid=1574 comm="flatpak" name="system_bus_socket" dev="tmpfs" ino=1117 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
Oct 26 15:54:03 fedora audit[1574]: AVC avc:  denied  { dac_override } for  pid=1574 comm="flatpak" capability=1  scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tclass=capability permissive=0
Oct 26 15:54:03 fedora python3[1569]: detected unhandled Python exception in '/usr/bin/fedora-third-party'
===

As I understand it, flatpak is trying to rely on the "root superpower" of being able to delete files that would not be otherwise deletable by permissions. (Some argument that flatpak shouldn't be relying on dac_override to clean things up but a flatpak change would be more intrusive.)

Unless there are further slips, I'm a little skeptical of this being freeze exception material. But I'll try to track down exactly what permissions are needed to get 'fedora-third-party disable' to work.

Comment 5 Owen Taylor 2021-10-26 15:14:08 UTC
As a quick pass, I needed two changes:

 * Change fedora-third-party to run 'flatpak remote-delete with --system', otherwise it tries to root around in /root/.local/share/flatpak to see if there is a flathub repository there and gets a selinux denial
 * Add 'allow fedoratp_t var_lib_t:lnk_file unlink' to the selinux policy

That was sufficient to get 'runcon system_u:system_r:fedoratp_t:s0-s0:c0.c1023 fedora-third-party disable' to work. I haven't tried setting this up as a full test from gnome-initial-setup.

Comment 6 Zdenek Pytela 2021-10-26 20:16:14 UTC
These 2 problems seem to be clear and the permissions can safely be allowed:

allow fedoratp_t system_dbusd_var_lib_t:lnk_file read;
allow fedoratp_t system_dbusd_var_run_t:sock_file write;

Apart from that, flatpak creates /root/.local/ which is when dac_override pops up because:

# ls -ld /root
dr-xr-x---. 1 root root 3610 Oct 21 17:31 /root

It also needs to read and rename /root/tmp.XXXXXX.

Both issues can be handled somehow, e.g. when /root/.local/ already existed and flatpak used the temporary file there.

----
type=PROCTITLE msg=audit(10/26/2021 15:39:47.762:265) : proctitle=flatpak remote-delete flathub
type=PATH msg=audit(10/26/2021 15:39:47.762:265) : item=1 name=/root/.local inode=155623 dev=00:1f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 15:39:47.762:265) : item=0 name=/root/ inode=264 dev=00:1f mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/26/2021 15:39:47.762:265) : cwd=/root
type=SYSCALL msg=audit(10/26/2021 15:39:47.762:265) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=0xffffff9c a1=0x7ffcf3c27820 a2=0777 a3=0x100 items=2 ppid=1576 pid=1587 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=flatpak exe=/usr/bin/flatpak subj=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { create } for  pid=1587 comm=flatpak name=.local scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { add_name } for  pid=1587 comm=flatpak name=.local scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { write } for  pid=1587 comm=flatpak name=root dev="vda2" ino=264 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { dac_override } for  pid=1587 comm=flatpak capability=dac_override  scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tclass=capability permissive=1
----

----
type=PROCTITLE msg=audit(10/26/2021 15:39:47.762:270) : proctitle=flatpak remote-delete flathub
type=PATH msg=audit(10/26/2021 15:39:47.762:270) : item=3 name=config inode=155627 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 15:39:47.762:270) : item=2 name=./tmp.BvmsM8 inode=155627 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 15:39:47.762:270) : item=1 name=./ inode=155626 dev=00:1f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 15:39:47.762:270) : item=0 name=/root inode=155626 dev=00:1f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/26/2021 15:39:47.762:270) : cwd=/root
type=SYSCALL msg=audit(10/26/2021 15:39:47.762:270) : arch=x86_64 syscall=renameat success=yes exit=0 a0=0xd a1=0x7ffcf3c27690 a2=0xd a3=0x7fa1e42e8c2d items=4 ppid=1576 pid=1587 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=flatpak exe=/usr/bin/flatpak subj=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/26/2021 15:39:47.762:270) : avc:  denied  { rename } for  pid=1587 comm=flatpak name=tmp.BvmsM8 dev="vda2" ino=155627 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/26/2021 15:39:47.762:270) : avc:  denied  { remove_name } for  pid=1587 comm=flatpak name=tmp.BvmsM8 dev="vda2" ino=155627 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
----

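An added example, not code from this bug report or any of its commenters: a small Python script that parses AVC denial lines of both shapes quoted in comments 4 and 6 (journal-style and ausearch-style), collapses them into audit2allow-style allow rules, and flags capability grants such as dac_override for review instead of accepting them wholesale. The sample lines are constructed, shortened copies of the page's own denials; `parse_avc`, `suggest_rules` and `needs_review` are names chosen here.

```python
import re
from collections import defaultdict

# Matches journal-style ("AVC avc:  denied  { write } for ...") and ausearch-style lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: shortened copies of the denials quoted in comments 4 and 6.
SAMPLE = [
    'audit[1572]: AVC avc:  denied  { write } for  pid=1572 comm="flatpak" name="system_bus_socket" scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { create } for  pid=1587 comm=flatpak name=.local scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { add_name } for  pid=1587 comm=flatpak name=.local scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(10/26/2021 15:39:47.762:265) : avc:  denied  { dac_override } for  pid=1587 comm=flatpak capability=dac_override  scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tclass=capability permissive=1',
]

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scon").split(":")[2],  # user:role:type[:range] -> type
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }

def suggest_rules(lines):
    """Collapse denials into audit2allow-style allow rules, one per (source type,
    target type, class); a target equal to the source domain is written as 'self'."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {target}:{tclass} {p};")
    return rules

def needs_review(rules):
    """Capability grants such as dac_override (the case in comments 4 and 6) usually
    mask an application bug rather than a real need, so flag them for a human."""
    return [r for r in rules if ":capability " in r]
```

Running `suggest_rules(SAMPLE)` yields the dir and sock_file rules alongside `allow fedoratp_t self:capability dac_override;`, which `needs_review` singles out.
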
Comment 7 Zdenek Pytela 2021-11-03 20:42:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/935

Comment 8 Fedora Update System 2021-11-04 19:33:17 UTC
FEDORA-2021-64eb16151d has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-64eb16151d

Comment 9 Fedora Update System 2021-11-05 01:22:22 UTC
FEDORA-2021-64eb16151d has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-64eb16151d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-64eb16151d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-11-07 01:28:25 UTC
FEDORA-2021-64eb16151d has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

