grsec: Software fails to install from Gnome Software, but is able to from terminal
Closed, Wontfix

Description

The attached screenshot shows a failure to install supertuxkart while the below terminal output succeeds.

todd@librem-13:~$ sudo apt-get update && sudo apt-get install supertuxkart
[sudo] password for todd: 
Get:1 http://repo.puri.sm/pureos green InRelease [8,031 B]
Get:2 http://repo.puri.sm/pureos green/main amd64 Packages [6,136 kB]
Get:7 http://repo.puri.sm/pureos green/main amd64 DEP-11 Metadata [1,875 kB]   
Get:8 http://repo.puri.sm/pureos green/main DEP-11 64x64 Icons [6,919 kB]      
Fetched 14.9 MB in 39s (380 kB/s)                                              
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libenet7 supertuxkart-data
The following NEW packages will be installed:
  libenet7 supertuxkart supertuxkart-data
0 upgraded, 3 newly installed, 0 to remove and 10 not upgraded.
Need to get 491 MB of archives.
After this operation, 650 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://repo.puri.sm/pureos green/main amd64 libenet7 amd64 1.3.12+ds-2 [28.5 kB]
Get:2 http://repo.puri.sm/pureos green/main amd64 supertuxkart-data all 0.9.2+dfsg-2 [487 MB]
Get:3 http://repo.puri.sm/pureos green/main amd64 supertuxkart amd64 0.9.2+dfsg-2 [3,555 kB]
Fetched 491 MB in 24min 19s (336 kB/s)                                         
Selecting previously unselected package libenet7:amd64.
(Reading database ... 218348 files and directories currently installed.)
Preparing to unpack .../libenet7_1.3.12+ds-2_amd64.deb ...
Unpacking libenet7:amd64 (1.3.12+ds-2) ...
Selecting previously unselected package supertuxkart-data.
Preparing to unpack .../supertuxkart-data_0.9.2+dfsg-2_all.deb ...
Unpacking supertuxkart-data (0.9.2+dfsg-2) ...
Selecting previously unselected package supertuxkart.
Preparing to unpack .../supertuxkart_0.9.2+dfsg-2_amd64.deb ...
Unpacking supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for mime-support (3.60) ...
Setting up supertuxkart-data (0.9.2+dfsg-2) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Setting up libenet7:amd64 (1.3.12+ds-2) ...
Setting up supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for gnome-menus (3.13.3-9) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...
todd@librem-13:~$
todd created this task. Mar 17 2017, 11:25 PM
zlatan.todoric added a subscriber: zlatan.todoric.
mak added a comment. Mar 18 2017, 4:50 PM

Hmm... Are policykit-1-gnome and policykit-1 installed? I'll have to look into that...

todd added a comment. Mar 18 2017, 5:27 PM
todd@librem-13:~$ dpkg -l policykit* | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version      Architecture Description
+++-=================-============-============-=============================================================
ii  policykit-1       0.105-17     amd64        framework for managing administrative policies and privileges
ii  policykit-1-gnome 0.105-6      amd64        authentication agent for PolicyKit
todd@librem-13:~$
mak added a comment. Edited Mar 18 2017, 6:14 PM

I can't reproduce this issue here, might be related to running a grsec kernel.
I'll try with that in an hour (and I also have a couple of other ideas, but grsec being the problem seems likely).

Stuff like https://bugs.freedesktop.org/show_bug.cgi?id=56628 exists (although we are running an older version of PolKit, before it started to pull in a full JavaScript engine into the core to run scripts for authorization rules).

EDIT: Kind of hard to test, since the grsec kernel doesn't even let me start a desktop environment (or display manager).

mak added a comment. Mar 18 2017, 7:45 PM

Please run sudo journalctl -f in a separate terminal while trying to perform the privileged action, and paste the output here. That might give us a hint on what is going on.

From my tests, it is grsec related. We will need to dig deeper into this before we put grsec as default.

todd added a comment. Mar 18 2017, 9:24 PM

Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 failed to obtain auth
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0109 Gs  failed to call gs_plugin_app_install on packagekit: Failed to obtain authentication.
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0154 Gs  failed to install etr.desktop: Failed to obtain authentication.
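
An added example, not part of the original task thread: a Python sketch that pairs each PackageKit authorization request in a journal excerpt with a following "failed to obtain auth" line, so repeated polkit denials can be counted per uid and action. The two message formats are taken from the lines above; the function names and the lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Message formats taken from the journal excerpt in this task.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ PackageKit\[(?P<pid>\d+)\]: uid (?P<uid>\d+) "
REQUEST = re.compile(PREFIX + r"is trying to obtain (?P<action>\S+) auth")
FAILURE = re.compile(PREFIX + r"failed to obtain auth")

# First three lines are from the task; the rest are constructed for illustration.
SAMPLE = """\
Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 failed to obtain auth
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0154 Gs  failed to install etr.desktop: Failed to obtain authentication.
Mar 18 14:30:05 librem-13 PackageKit[15452]: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
Mar 18 14:30:05 librem-13 PackageKit[15452]: uid 1000 failed to obtain auth
Mar 18 14:31:10 librem-13 PackageKit[15452]: uid 1001 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
"""

def correlate(lines):
    """Return one event per request, marked denied if a failure line follows it."""
    pending = {}  # (pid, uid) -> the open request event for that daemon and user
    events = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            event = {"requested": m["ts"], "uid": int(m["uid"]),
                     "action": m["action"], "denied": False}
            events.append(event)
            pending[(m["pid"], m["uid"])] = event
            continue
        m = FAILURE.match(line)
        if m:
            event = pending.pop((m["pid"], m["uid"]), None)
            if event is not None:
                event["denied"] = True
    # denied=False only means no failure line was seen, not that auth was granted.
    return events

def denied_summary(events):
    """Count denials per (uid, polkit action)."""
    return Counter((e["uid"], e["action"]) for e in events if e["denied"])

if __name__ == "__main__":
    for (uid, action), count in denied_summary(correlate(SAMPLE.splitlines())).items():
        print(f"uid {uid}: {count} denied request(s) for {action}")
```
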
mak added a comment. Mar 18 2017, 11:40 PM

@todd Hmm, that's not much information... But it's pretty safe to say that grsec prevents some action executed by the polkit daemon or frontend service which leads to a successful grant of permissions.

mak changed the title from "Software fails to install from Gnome Software, but is able to from terminal" to "grsec: Software fails to install from Gnome Software, but is able to from terminal". Mar 19 2017, 2:36 AM

The following works:
$ su -

  1. export DISPLAY=:1
  2. gnome-software

In the grsec kernel, the "Authentication Required" window does not appear when trying to install as a normal user.

todd added a comment. Apr 3 2017, 6:53 PM

OK, what configuration change do we need within PureOS to have this be the default?

Todd, can you try adding your username to the following additional groups? This should solve the packagekit failing and will prompt for the authentication.

For example, for my user account hema:

  1. usermod -a -G grsec-proc hema
  2. usermod -a -G grsec-tpe hema
  3. groups hema
mak triaged this task as "Low" priority. Aug 11 2017, 11:02 PM
mak closed this task as "Wontfix". Aug 19 2017, 4:53 PM

Closing, as we won't use grsec anymore.
