Created attachment 1936726 [details] journal Description of problem: As shown in the attached screencast,clicking button doesn't work after you click “google”/microsoft on the online account setup page. Version-Release number of selected component (if applicable): gnome-initial-setup-43.1-3.fc38.x86_64 How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 1936727 [details] screencast
Proposed as a Blocker for 38-final by Fedora user lnie using the blocker tracking app because: seems affects: If an initial setup utility is run or intended to be run after the first boot of the installed system, then it must start successfully and each page or panel of the initial setup utility should withstand a basic functionality test.
Yeah, I saw this myself setting up a new system this weekend, as it happens. Was going to report it when I got back from vacation. It seems to be unrecoverable without rebooting.
So this actually turns out to be SELinux. If you boot with enforcing=0 it works fine. These denials are logged: ---- time->Thu Jan 19 10:53:47 2023 type=AVC msg=audit(1674154427.569:256): avc: denied { create } for pid=1821 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0 ---- time->Thu Jan 19 10:55:00 2023 type=AVC msg=audit(1674154500.826:237): avc: denied { create } for pid=1649 comm="bwrap" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=1 ---- time->Thu Jan 19 10:55:00 2023 type=AVC msg=audit(1674154500.981:238): avc: denied { read } for pid=1678 comm=66757365206D61696E6C6F6F70 name="pipe-max-size" dev="proc" ino=24570 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 ---- time->Thu Jan 19 10:55:00 2023 type=AVC msg=audit(1674154500.981:239): avc: denied { open } for pid=1678 comm=66757365206D61696E6C6F6F70 path="/proc/sys/fs/pipe-max-size" dev="proc" ino=24570 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
These denials seem to be clear so can be addressed by the next build I suppose it is an after-ga change in some software as this was not reported previously.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
+4 in https://pagure.io/fedora-qa/blocker-review/issue/1023 , marking accepted.
The following denials need to be addressed: -- type=SYSCALL msg=audit(02/22/2023 11:45:06.084:176) : arch=x86_64 syscall=clone success=yes exit=1784 a0=0x3c020011 a1=0x0 a2=CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_PTRACE|CLONE_VFORK|CLONE_PARENT|CLONE_THREAD|CLONE_NEWNS|CLONE_PARENT_SETTID|CLONE_DETACHED|CLONE_UNTRACED|CLONE_CHILD_SETTID|CLONE_STOPPED|CLONE_NEWIPC|CLONE_NEWNET|CLONE_IO a3=0x557a57e0f2c0 items=0 ppid=1763 pid=1783 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=bwrap exe=/usr/bin/bwrap subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/22/2023 11:45:06.084:176) : avc: denied { create } for pid=1783 comm=bwrap scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=user_namespace permissive=1 -- type=SYSCALL msg=audit(02/22/2023 11:45:06.207:177) : arch=x86_64 syscall=openat success=yes exit=11 a0=AT_FDCWD a1=0x7fb2544c2063 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=1816 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=fuse mainloop exe=/usr/libexec/xdg-document-portal subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/22/2023 11:45:06.207:177) : avc: denied { open } for pid=1816 comm=fuse mainloop path=/proc/sys/fs/pipe-max-size dev="proc" ino=24766 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/22/2023 11:45:06.207:177) : avc: denied { read } for pid=1816 comm=fuse mainloop name=pipe-max-size dev="proc" ino=24766 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 -- type=PROCTITLE msg=audit(02/22/2023 13:38:58.589:270) : proctitle=/usr/bin/spice-vdagent type=PATH msg=audit(02/22/2023 13:38:58.589:270) : item=0 name=/var/lib/alsa/conf.d nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(02/22/2023 13:38:58.589:270) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x55a8493b9a00 a1=R_OK a2=0x0 a3=0x7fd97a3cfac0 items=1 ppid=1 pid=1426 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=(none) ses=unset comm=spice-vdagent exe=/usr/bin/spice-vdagent subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/22/2023 13:38:58.589:270) : avc: denied { search } for pid=1426 comm=spice-vdagent name=alsa dev="vda3" ino=145656 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir permissive=1 -- type=PROCTITLE msg=audit(02/22/2023 13:06:55.235:242) : proctitle=/usr/libexec/xdg-document-portal type=SYSCALL msg=audit(02/22/2023 13:06:55.235:242) : arch=x86_64 syscall=recvmsg success=yes exit=1 a0=0x8 a1=0x7fd0f7ffea50 a2=0x0 a3=0x7fd0f7fff990 items=0 ppid=1 pid=1788 auid=unset uid=gnome-initial-setup gid=gnome-initial-setup euid=gnome-initial-setup suid=gnome-initial-setup fsuid=gnome-initial-setup egid=gnome-initial-setup sgid=gnome-initial-setup fsgid=gnome-initial-setup tty=tty1 ses=unset comm=fuse mainloop exe=/usr/libexec/xdg-document-portal subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/22/2023 13:06:55.235:242) : avc: denied { read write } for pid=1788 comm=fuse mainloop path=/dev/fuse dev="devtmpfs" ino=167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file permissive=1 -- type=USER_AVC msg=audit(02/22/2023 13:06:37.020:204) : pid=757 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' --
Since we're in Beta freeze now, proposing as a Beta FE; this is something that can't be fixed with an update and which folks are quite likely to run into and get a bad first impression.
Zdenek, it'd be awesome if you can make sure the update to fix this is 'safe' (only relaxes policy rules).
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/1023 The decision to classify this bug as an FreezeException was made: "This is something that can't be fixed with an update and which folks are quite likely to run into and get a bad first impression."
FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
*** Bug 2175711 has been marked as a duplicate of this bug. ***
As far as I can tell the installation with Fedora-Workstation-Live-x86_64-38-20230308.n.0.iso goes well.
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
Tested with F38 Beta Workstation Live, confirmed, problem fixed. I added a Google account in the initial setup without issues.