Page MenuHomePureOS Tracker

grsec: Software fails to install from Gnome Software, but is able to from terminal
Closed, WontfixPublic


The attached screenshot shows a failure to install supertuxkart while the below terminal output succeeds.

todd@librem-13:~$ sudo apt-get update && sudo apt-get install supertuxkart
[sudo] password for todd: 
Get:1 green InRelease [8,031 B]
Get:2 green/main amd64 Packages [6,136 kB]
Get:7 green/main amd64 DEP-11 Metadata [1,875 kB]   
Get:8 green/main DEP-11 64x64 Icons [6,919 kB]      
Fetched 14.9 MB in 39s (380 kB/s)                                              
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libenet7 supertuxkart-data
The following NEW packages will be installed:
  libenet7 supertuxkart supertuxkart-data
0 upgraded, 3 newly installed, 0 to remove and 10 not upgraded.
Need to get 491 MB of archives.
After this operation, 650 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 green/main amd64 libenet7 amd64 1.3.12+ds-2 [28.5 kB]
Get:2 green/main amd64 supertuxkart-data all 0.9.2+dfsg-2 [487 MB]
Get:3 green/main amd64 supertuxkart amd64 0.9.2+dfsg-2 [3,555 kB]
Fetched 491 MB in 24min 19s (336 kB/s)                                         
Selecting previously unselected package libenet7:amd64.
(Reading database ... 218348 files and directories currently installed.)
Preparing to unpack .../libenet7_1.3.12+ds-2_amd64.deb ...
Unpacking libenet7:amd64 (1.3.12+ds-2) ...
Selecting previously unselected package supertuxkart-data.
Preparing to unpack .../supertuxkart-data_0.9.2+dfsg-2_all.deb ...
Unpacking supertuxkart-data (0.9.2+dfsg-2) ...
Selecting previously unselected package supertuxkart.
Preparing to unpack .../supertuxkart_0.9.2+dfsg-2_amd64.deb ...
Unpacking supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for mime-support (3.60) ...
Setting up supertuxkart-data (0.9.2+dfsg-2) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Setting up libenet7:amd64 (1.3.12+ds-2) ...
Setting up supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for man-db ( ...
Processing triggers for gnome-menus (3.13.3-9) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...

Event Timeline

todd created this task.Mar 17 2017, 16:25
zlatan.todoric added a subscriber: zlatan.todoric.
mak added a comment.Mar 18 2017, 09:50

Hmm... Is policykit-1-gnome and policykit-1 installed? I'll have to look into that...

todd added a comment.Mar 18 2017, 10:27
todd@librem-13:~$ dpkg -l policykit* | cat
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version      Architecture Description
ii  policykit-1       0.105-17     amd64        framework for managing administrative policies and privileges
ii  policykit-1-gnome 0.105-6      amd64        authentication agent for PolicyKit
mak added a comment.EditedMar 18 2017, 11:14

I can't reproduce this issue here, might be related to running a grsec kernel.
I'll try with that in an hour (and I also have a couple of other ideas, but grsec being the problem seems likely).

Stuff like exists (although we are running an older version of PolKit, before it started to pull in a full JavaScript engine into the core to run scripts for authorization rules).

EDIT: Kind of hard to test, since the grsec kernel doesn't even let me start a desktop environment (or display manager).

mak added a comment.Mar 18 2017, 12:45

Please run sudo journalctl -f in a separate terminal while trying to perform the privileged action, and paste the output here. That might give us a hint on what is going on.

From my tests, it is grsec related. We will need to dig deeper into this before we put grsec as default.

todd added a comment.Mar 18 2017, 14:24

Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 failed to obtain auth
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0109 Gs  failed to call gs_plugin_app_install on packagekit: Failed to obtain authentication.
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0154 Gs  failed to install etr.desktop: Failed to obtain authentication.
mak added a comment.Mar 18 2017, 16:40

@todd Hmm, that's not much information... But it's pretty safe to say that grsec prevents some action executed by the polkit daemon or frontend service which leads to a successful grant of permissions.

mak renamed this task from Software fails to install from Gnome Software, but is able to from terminal to grsec: Software fails to install from Gnome Software, but is able to from terminal.Mar 18 2017, 19:36

The following works
$ su -

  1. export DISPLAY=:1
  2. gnome-software

in grsec kernel, the "Authentication Required" window is not appearing when trying to install from normal user.

todd added a comment.Apr 3 2017, 11:53

OK, what configuration change do we need within PureOS to have this be the default?

Todd, can you try adding your username to the following additional groups , this should solve the packagekit failing and will prompt for the authentication.

For example for my useraccount hema,

  1. usermod -a -G grsec-proc hema
  2. usermod -a -G grsec-tpe hema
  3. groups hema
mak triaged this task as Low priority.Aug 11 2017, 16:02
mak closed this task as Wontfix.Aug 19 2017, 09:53

Closing, as we won't use grsec anymore.