Now the new installer flow - with changes to gnome-initial-setup - has landed in Rawhide and F39, we noticed one issue. Part of the new flow is that gnome-initial-setup, in the "prelogin" mode that runs after install but before any user account exists, shows its "Time Zone" panel (as the installer no longer offers this setting). However, it always fails to geolocate and suggest a location, always requiring the user to search for one. This seems to be due to an SELinux denial:
time->Wed Aug 23 17:30:17 2023
type=AVC msg=audit(1692837017.048:101): avc: denied { search } for pid=1479 comm="geoclue" name="1657" dev="proc" ino=25500 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:gnome_initial_setup_t:s0-s0:c0.c1023 tclass=dir permissive=0
Proposing as a Beta FE for F39 as it would be good to have this resolved before Beta release, it's rather annoying for users (and openQA).
Reproducible: Always
Steps to Reproduce:
1. Get a current Rawhide Workstation live image, e.g. https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20230823.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20230823.n.0.iso
2. Install from it
3. Boot the installed system and proceed through g-i-s to the Time Zone page
Actual Results:
It never prefills a location via geolocation, it always says "Please search for a nearby city"
Expected Results:
It should prefill a suggested location via geolocation so long as the system is on the public Internet
I did my best to troubleshoot the selinux-policy part of the issue, but I am afraid it is now necessary to create a new policy package and test the installation again with it. Is a Rawhide package sufficient for the moment? BTW, the installation screens contain both F39 and F40 references.
Yeah, a Rawhide package is fine for testing. Thanks!
A Rawhide build is fine **for testing**, I said. We can't close the bug until it's fixed on 39, though.
Zdenek, we have another problem with policy. The gnome-initial-setup user changed home directories from /var/run/gnome-initial-setup to /var/lib/gnome-initial-setup because it now needs to be around across reboots. xdm_t needs to be able to access /var/lib/gnome-initial-setup (in particular it needs to be able to chown the directory and subdirectories). Can you help with that too?
audit2allow says: `allow xdm_t var_lib_t:file setattr;` so I guess there needs to be a gnome_initial_setup_var_lib_t to match /var/lib/gnome-initial-setup and then give it similar rules to gnome_initial_setup_var_run_t
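Added example (not part of the thread, and not code from selinux-policy or audit2allow): a small triage script that parses an AVC denial like the one in the report, derives the kind of candidate rule audit2allow prints, and flags denials whose target is a catch-all type such as var_lib_t, where a dedicated label is usually the better fix. The second record and the `GENERIC_TYPES` heuristic are assumptions of this example.

```python
import re

# AVC record copied from the bug report above.
PAGE_AVC = (
    'type=AVC msg=audit(1692837017.048:101): avc: denied { search } for pid=1479 '
    'comm="geoclue" name="1657" dev="proc" ino=25500 '
    'scontext=system_u:system_r:geoclue_t:s0 '
    'tcontext=system_u:system_r:gnome_initial_setup_t:s0-s0:c0.c1023 '
    'tclass=dir permissive=0')
# Constructed record (not from the thread) that would yield the audit2allow
# rule quoted above; pid, comm, name, dev and ino are made-up values.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(0.000:1): avc: denied { setattr } for pid=1 '
    'comm="example" name="example" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Heuristic (an assumption of this example): denials against these catch-all
# types usually mean the object needs its own label, not a broad allow rule.
GENERIC_TYPES = {'var_lib_t', 'var_run_t', 'tmp_t', 'etc_t', 'usr_t',
                 'default_t', 'unlabeled_t'}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= f.keys():
        return None
    # A context is user:role:type:level; the level may itself contain ':'.
    f['source_type'] = f['scontext'].split(':')[2]
    f['target_type'] = f['tcontext'].split(':')[2]
    f['perms'] = m.group('perms').split()
    return f

def triage(line):
    """Summarise a denial: candidate rule, enforcement, labeling suspicion."""
    avc = parse_avc(line)
    if avc is None:
        return None
    perms = avc['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {p};"
    return {'rule': rule,
            'enforced': avc.get('permissive') == '0',
            'labeling_suspect': avc['target_type'] in GENERIC_TYPES}

if __name__ == '__main__':
    for rec in (PAGE_AVC, CONSTRUCTED_AVC):
        print(triage(rec))
```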
Actually, the more I think about this, it was an error on my part to change the home directory to /var/lib. The lion's share of the data in the gnome-initial-setup home directory really is transient and should go away on reboot. There's just one file that should be put in /var/lib/gnome-initial-setup. I think we can get away with no more policy changes if I rework things a bit.
+3 in https://pagure.io/fedora-qa/blocker-review/issue/1185 , marking accepted. Let's say the FE here applies to the problem in general, not the SELinux denials: if we can fix it by changing g-i-s, let's just reassign the bug to g-i-s and consider the FE still valid for a fix there.
(In reply to Ray Strode [halfline] from comment #4)
> Zdenek we have another problem with policy. The gnome-initial-setup user
> changed home directories from /var/run/gnome-initial-setup to
> /var/lib/gnome-initial-setup because it now needs to be around across
> reboots.
>
> xdm_t needs to be able to access /var/lib/gnome-initial-setup (in particular
> it needs to be able to chown the directory and subdirectories)
>
> Can you help with that too?
Sure, adding a new type for that directory was already a part of the previous commit. Did you use the latest rawhide build?
Using https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20230828.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20230828.n.0.iso with selinux-policy-38.26-1.fc40.noarch I cannot see the issue described in #c1, neither do I see any related AVC in audit logs. I see though incorrect labels in /var/lib/gnome-initial-setup, digging further.
FEDORA-2023-b5926774b7 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5926774b7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Testing with current Rawhide there are no longer any SELinux denials, so I think we can say that part is fixed. geolocation still doesn't work, but it now seems to be due to something else, so I will file a new bug.
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.