Bug 2159230 - gnome-initial-setup hangs if you try to set up an online account (due to SELinux denial)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker AcceptedFreezeException
Duplicates: 2175711
Depends On:
Blocks: F38BetaFreezeException F38FinalBlocker
Reported: 2023-01-09 09:01 UTC by lnie
Modified: 2023-03-10 08:43 UTC (History)

Fixed In Version: selinux-policy-38.8-2.fc38
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-09 22:53:15 UTC
Type: Bug
Embargoed:


Attachments
journal (638.58 KB, text/plain)
2023-01-09 09:01 UTC, lnie
screencast (266.32 KB, video/webm)
2023-01-09 09:03 UTC, lnie


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1617 0 None Merged Confine gnome-initial-setup 2023-03-03 17:01:27 UTC

Description lnie 2023-01-09 09:01:51 UTC
Created attachment 1936726 [details]
journal

Description of problem:
As shown in the attached screencast, clicking button doesn't work after you click “google”/microsoft on the online account setup page.

 

Version-Release number of selected component (if applicable):
gnome-initial-setup-43.1-3.fc38.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 lnie 2023-01-09 09:03:01 UTC
Created attachment 1936727 [details]
screencast

Comment 2 Fedora Blocker Bugs Application 2023-01-09 09:09:50 UTC
Proposed as a Blocker for 38-final by Fedora user lnie using the blocker tracking app because:

 seems affects:
If an initial setup utility is run or intended to be run after the first boot of the installed system, then it must start successfully and each page or panel of the initial setup utility should withstand a basic functionality test.

Comment 3 Adam Williamson 2023-01-11 00:38:07 UTC
Yeah, I saw this myself setting up a new system this weekend, as it happens. Was going to report it when I got back from vacation. It seems to be unrecoverable without rebooting.

Comment 4 Adam Williamson 2023-01-19 18:57:06 UTC
So this actually turns out to be SELinux. If you boot with enforcing=0 it works fine. These denials are logged:

----
time->Thu Jan 19 10:53:47 2023
type=AVC msg=audit(1674154427.569:256): avc:  denied  { create } for  pid=1821 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0
----
time->Thu Jan 19 10:55:00 2023
type=AVC msg=audit(1674154500.826:237): avc:  denied  { create } for  pid=1649 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=1
----
time->Thu Jan 19 10:55:00 2023
type=AVC msg=audit(1674154500.981:238): avc:  denied  { read } for  pid=1678 comm=66757365206D61696E6C6F6F70 name="pipe-max-size" dev="proc" ino=24570 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
----
time->Thu Jan 19 10:55:00 2023
type=AVC msg=audit(1674154500.981:239): avc:  denied  { open } for  pid=1678 comm=66757365206D61696E6C6F6F70 path="/proc/sys/fs/pipe-max-size" dev="proc" ino=24570 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1

Comment 5 Zdenek Pytela 2023-01-20 18:26:41 UTC
These denials seem to be clear so can be addressed by the next build.

I suppose it is an after-ga change in some software as this was not reported previously.

Comment 6 Ben Cotton 2023-02-07 15:12:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 7 Adam Williamson 2023-02-20 16:37:56 UTC
+4 in https://pagure.io/fedora-qa/blocker-review/issue/1023 , marking accepted.

Comment 8 Zdenek Pytela 2023-02-23 08:44:28 UTC
The following denials need to be addressed:
--
type=SYSCALL msg=audit(02/22/2023 11:45:06.084:176) : arch=x86_64 syscall=clone success=yes exit=1784 a0=0x3c020011 a1=0x0 a2=CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_PTRACE|CLONE_VFORK|CLONE_PARENT|CLONE_THREAD|CLONE_NEWNS|CLONE_PARENT_SETTID|CLONE_DETACHED|CLONE_UNTRACED|CLONE_CHILD_SETTID|CLONE_STOPPED|CLONE_NEWIPC|CLONE_NEWNET|CLONE_IO a3=0x557a57e0f2c0 items=0 ppid=1763 pid=1783 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=bwrap exe=/usr/bin/bwrap subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/22/2023 11:45:06.084:176) : avc:  denied  { create } for  pid=1783 comm=bwrap scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=1
--
type=SYSCALL msg=audit(02/22/2023 11:45:06.207:177) : arch=x86_64 syscall=openat success=yes exit=11 a0=AT_FDCWD a1=0x7fb2544c2063 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=1816 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=fuse mainloop exe=/usr/libexec/xdg-document-portal subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/22/2023 11:45:06.207:177) : avc:  denied  { open } for  pid=1816 comm=fuse mainloop path=/proc/sys/fs/pipe-max-size dev="proc" ino=24766 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/22/2023 11:45:06.207:177) : avc:  denied  { read } for  pid=1816 comm=fuse mainloop name=pipe-max-size dev="proc" ino=24766 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
--
type=PROCTITLE msg=audit(02/22/2023 13:38:58.589:270) : proctitle=/usr/bin/spice-vdagent
type=PATH msg=audit(02/22/2023 13:38:58.589:270) : item=0 name=/var/lib/alsa/conf.d nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(02/22/2023 13:38:58.589:270) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x55a8493b9a00 a1=R_OK a2=0x0 a3=0x7fd97a3cfac0 items=1 ppid=1 pid=1426 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=spice-vdagent exe=/usr/bin/spice-vdagent subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/22/2023 13:38:58.589:270) : avc:  denied  { search } for  pid=1426 comm=spice-vdagent name=alsa dev="vda3" ino=145656 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir permissive=1
--
type=PROCTITLE msg=audit(02/22/2023 13:06:55.235:242) : proctitle=/usr/libexec/xdg-document-portal
type=SYSCALL msg=audit(02/22/2023 13:06:55.235:242) : arch=x86_64 syscall=recvmsg success=yes exit=1 a0=0x8 a1=0x7fd0f7ffea50 a2=0x0 a3=0x7fd0f7fff990 items=0 ppid=1 pid=1788 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=fuse mainloop exe=/usr/libexec/xdg-document-portal subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/22/2023 13:06:55.235:242) : avc:  denied  { read write } for  pid=1788 comm=fuse mainloop path=/dev/fuse dev="devtmpfs" ino=167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file permissive=1
--
type=USER_AVC msg=audit(02/22/2023 13:06:37.020:204) : pid=757 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
--
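
The denials quoted in comments 4 and 8 mix raw audit records, a hex-encoded `comm` field, `ausearch -i` interpreted records and a `USER_AVC` from dbus-broker. As an added example (not part of the bug report or of the selinux-policy change; the function names are this example's own), the following Python parses all four shapes, decodes the hex `comm`, and collapses repeats into one audit2allow-style line per source type, target type and class. The output is a triage summary of what was denied, not the merged fix.

```python
import re
from collections import defaultdict

# AVC records copied from comments 4 and 8: raw, raw with hex comm, `ausearch -i`, USER_AVC.
SAMPLE = """\
type=AVC msg=audit(1674154427.569:256): avc:  denied  { create } for  pid=1821 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0
type=AVC msg=audit(1674154500.981:238): avc:  denied  { read } for  pid=1678 comm=66757365206D61696E6C6F6F70 name="pipe-max-size" dev="proc" ino=24570 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/22/2023 11:45:06.207:177) : avc:  denied  { open } for  pid=1816 comm=fuse mainloop path=/proc/sys/fs/pipe-max-size dev="proc" ino=24766 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/22/2023 13:06:55.235:242) : avc:  denied  { read write } for  pid=1788 comm=fuse mainloop path=/dev/fuse dev="devtmpfs" ino=167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(02/22/2023 13:06:37.020:204) : pid=757 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
""".splitlines()

RAW_STAMP = re.compile(r"msg=audit\(\d+\.\d+:\d+\)")  # epoch stamp => raw record
PERMS = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
COMM = re.compile(r'comm=(?:"([^"]*)"|(.+?))(?= \w+=)')
FIELD = re.compile(r"\b(scontext|tcontext|tclass|permissive)=(\S+)")

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    perms = PERMS.search(line)
    if not perms:
        return None
    f = dict(FIELD.findall(line))
    comm, c = None, COMM.search(line)
    if c:
        quoted, bare = c.groups()
        comm = quoted if quoted is not None else bare
        # Raw records hex-encode a comm that contains spaces; interpreted ones
        # print it literally, so decode only when the stamp is an epoch value.
        if quoted is None and RAW_STAMP.search(line):
            try:
                comm = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
    return {"perms": perms.group(1).split(), "comm": comm,
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"], "enforced": f.get("permissive") == "0"}

def summarize(lines):
    """Collapse repeated denials into {(source, target, class): sorted perms}."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in sorted(merged.items())}

def as_rules(summary):
    """Render the summary in audit2allow-style syntax for review."""
    out = []
    for (src, tgt, cls), perms in summary.items():
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {p};")
    return out
```

Only the first sample record carries `permissive=0`, so `enforced` is true for the `user_namespace` denial alone; the others were logged in permissive mode.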

Comment 9 Adam Williamson 2023-02-23 17:02:12 UTC
Since we're in Beta freeze now, proposing as a Beta FE; this is something that can't be fixed with an update and which folks are quite likely to run into and get a bad first impression.

Comment 10 Adam Williamson 2023-02-23 17:03:24 UTC
Zdenek, it'd be awesome if you can make sure the update to fix this is 'safe' (only relaxes policy rules).

Comment 11 František Zatloukal 2023-02-28 10:14:24 UTC
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/1023

The decision to classify this bug as a FreezeException was made:

"This is something that can't be fixed with an update and which folks are quite likely to run into and get a bad first impression."

Comment 12 Fedora Update System 2023-03-04 19:54:12 UTC
FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

Comment 13 Fedora Update System 2023-03-05 03:10:24 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Adam Williamson 2023-03-06 17:22:45 UTC
*** Bug 2175711 has been marked as a duplicate of this bug. ***

Comment 15 Zdenek Pytela 2023-03-09 09:43:06 UTC
As far as I can tell the installation with Fedora-Workstation-Live-x86_64-38-20230308.n.0.iso goes well.

Comment 16 Fedora Update System 2023-03-09 22:53:15 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Kamil Páral 2023-03-10 08:43:30 UTC
Tested with F38 Beta Workstation Live, confirmed, problem fixed. I added a Google account in the initial setup without issues.

