openQA testing of accountsservice-22.08.8-1.fc38 shows that GNOME fails to start with it installed - see all failed tests at https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=38&build=Update-FEDORA-2022-87b11efb59&groupid=2 (plus even on KDE accounts-daemon.service fails to start, though it doesn't stop KDE working like it does GNOME). From the logs it's an SELinux permissions issue: Aug 28 07:42:43 fedora audit[621]: AVC avc: denied { mounton } for pid=621 comm="(s-daemon)" path="/run/systemd/unit-root/proc/621/loginuid" dev="proc" ino=17725 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0 Aug 28 07:42:43 fedora systemd[621]: Failed to mount /run/systemd/unit-root/proc/621/loginuid to /run/systemd/unit-root/proc/621/loginuid: Permission denied Aug 28 07:42:43 fedora systemd[621]: accounts-daemon.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc/621/loginuid: Permission denied Aug 28 07:42:43 fedora systemd[621]: accounts-daemon.service: Failed at step NAMESPACE spawning /usr/libexec/accounts-daemon: Permission denied so filing against selinux-policy, but CCing Kalev. I've asked Kevin to untag the update from Rawhide to prevent the next compose and future updates tests from breaking.
Reproduced, full audit log here: type=PROCTITLE msg=audit(29.8.2022 12:48:03.528:211) : proctitle=(s-daemon) type=PATH msg=audit(29.8.2022 12:48:03.528:211) : item=0 name=/proc/self/fd/4 inode=19282 dev=00:39 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(29.8.2022 12:48:03.528:211) : cwd=/ type=SYSCALL msg=audit(29.8.2022 12:48:03.528:211) : arch=x86_64 syscall=mount success=no exit=EACCES a0=0x562647bdd280 a1=0x7fff3d7c5ec0 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=831 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(s-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(29.8.2022 12:48:03.528:211) : avc: denied { mounton } for pid=831 comm=(s-daemon) path=/run/systemd/unit-root/proc/831/loginuid dev="proc" ino=19282 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0 and subsequently type=PROCTITLE msg=audit(29.8.2022 12:53:47.838:296) : proctitle=(s-daemon) type=PATH msg=audit(29.8.2022 12:53:47.838:296) : item=0 name=mail inode=10777 dev=00:1d mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(29.8.2022 12:53:47.838:296) : cwd=/ type=SYSCALL msg=audit(29.8.2022 12:53:47.838:296) : arch=x86_64 syscall=readlinkat success=yes exit=10 a0=0x5 a1=0x562647bf2740 a2=0x562647d3d6a0 a3=0x1000 items=1 ppid=1 pid=920 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(s-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(29.8.2022 12:53:47.838:296) : avc: denied { read } for pid=920 comm=(s-daemon) name=mail dev="vda3" ino=10777 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
Thanks! When will there be a new build?
(In reply to Adam Williamson from comment #2) > Thanks! When will there be a new build? Tomorrow, is F38 sufficient?
It looks like the new version has been built for F37 too; it's not in an update yet but I assume it will be after Beta freeze is done. In that case we'd need it on F37 too, but not as urgently, since the Beta freeze will be in place for a while. Kalev, can you confirm? Thanks!
Yes, it would be good to have the fix in both F37 and rawhide, but neither is super urgent (rawhide build is untagged and the F37 build hasn't been submitted to Bodhi yet). Thanks for the quick fix, Zdenek!
I'd like to have it for Rawhide just so I still remember to get accountsservice re-tagged. We don't have a great process for keeping track of things we've untagged from Rawhide, really, so it's best to fix it up while nirik and I still remember about it :D
Working on the build now.
Fixed in the latest rawhide build.