grsec: Software fails to install from Gnome Software, but is able to from terminal
Closed, WontfixPublic
Actions

Description

The attached screenshot shows a failure to install supertuxkart while the below terminal output succeeds.

todd@librem-13:~$ sudo apt-get update && sudo apt-get install supertuxkart
[sudo] password for todd: 
Get:1 http://repo.puri.sm/pureos green InRelease [8,031 B]
Get:2 http://repo.puri.sm/pureos green/main amd64 Packages [6,136 kB]
Get:7 http://repo.puri.sm/pureos green/main amd64 DEP-11 Metadata [1,875 kB]   
Get:8 http://repo.puri.sm/pureos green/main DEP-11 64x64 Icons [6,919 kB]      
Fetched 14.9 MB in 39s (380 kB/s)                                              
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libenet7 supertuxkart-data
The following NEW packages will be installed:
  libenet7 supertuxkart supertuxkart-data
0 upgraded, 3 newly installed, 0 to remove and 10 not upgraded.
Need to get 491 MB of archives.
After this operation, 650 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://repo.puri.sm/pureos green/main amd64 libenet7 amd64 1.3.12+ds-2 [28.5 kB]
Get:2 http://repo.puri.sm/pureos green/main amd64 supertuxkart-data all 0.9.2+dfsg-2 [487 MB]
Get:3 http://repo.puri.sm/pureos green/main amd64 supertuxkart amd64 0.9.2+dfsg-2 [3,555 kB]
Fetched 491 MB in 24min 19s (336 kB/s)                                         
Selecting previously unselected package libenet7:amd64.
(Reading database ... 218348 files and directories currently installed.)
Preparing to unpack .../libenet7_1.3.12+ds-2_amd64.deb ...
Unpacking libenet7:amd64 (1.3.12+ds-2) ...
Selecting previously unselected package supertuxkart-data.
Preparing to unpack .../supertuxkart-data_0.9.2+dfsg-2_all.deb ...
Unpacking supertuxkart-data (0.9.2+dfsg-2) ...
Selecting previously unselected package supertuxkart.
Preparing to unpack .../supertuxkart_0.9.2+dfsg-2_amd64.deb ...
Unpacking supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for mime-support (3.60) ...
Setting up supertuxkart-data (0.9.2+dfsg-2) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Setting up libenet7:amd64 (1.3.12+ds-2) ...
Setting up supertuxkart (0.9.2+dfsg-2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for gnome-menus (3.13.3-9) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...
todd@librem-13:~$

Event Timeline

todd created this task.Mar 17 2017, 16:25

zlatan.todoric reassigned this task from zlatan.todoric to mak.Mar 17 2017, 17:22

zlatan.todoric added a subscriber: zlatan.todoric.

Hmm... Is policykit-1-gnome and policykit-1 installed? I'll have to look into that...

todd@librem-13:~$ dpkg -l policykit* | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version      Architecture Description
+++-=================-============-============-=============================================================
ii  policykit-1       0.105-17     amd64        framework for managing administrative policies and privileges
ii  policykit-1-gnome 0.105-6      amd64        authentication agent for PolicyKit
todd@librem-13:~$

I can't reproduce this issue here, might be related to running a grsec kernel.
I'll try with that in an hour (and I also have a couple of other ideas, but grsec being the problem seems likely).

Stuff like https://bugs.freedesktop.org/show_bug.cgi?id=56628 exists (although we are running an older version of PolKit, before it started to pull in a full JavaScript engine into the core to run scripts for authorization rules).

EDIT: Kind of hard to test, since the grsec kernel doesn't even let me start a desktop environment (or display manager).

Please run sudo journalctl -f in a separate terminal while trying to perform the privileged action, and paste the output here. That might give us a hint on what is going on.

From my tests, it is grsec related. We will need to dig deeper into this before we put grsec as default.

Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1)
Mar 18 14:22:49 librem-13 PackageKit[15452]: uid 1000 failed to obtain auth
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0109 Gs  failed to call gs_plugin_app_install on packagekit: Failed to obtain authentication.
Mar 18 14:22:49 librem-13 gnome-software-service.desktop[1176]: 21:22:49:0154 Gs  failed to install etr.desktop: Failed to obtain authentication.

@todd Hmm, that's not much information... But it's pretty safe to say that grsec prevents some action executed by the polkit daemon or frontend service which leads to a successful grant of permissions.

mak renamed this task from Software fails to install from Gnome Software, but is able to from terminal to grsec: Software fails to install from Gnome Software, but is able to from terminal.Mar 18 2017, 19:36

mak added a project: PureOS Grsec.Mar 19 2017, 19:33

The following works
$ su -

export DISPLAY=:1
gnome-software

in grsec kernel, the "Authentication Required" window is not appearing when trying to install from normal user.

OK, what configuration change do we need within PureOS to have this be the default?

Todd, can you try adding your username to the following additional groups , this should solve the packagekit failing and will prompt for the authentication.

For example for my useraccount hema,

usermod -a -G grsec-proc hema
usermod -a -G grsec-tpe hema
groups hema

mak triaged this task as Low priority.Aug 11 2017, 16:02

Closing, as we won't use grsec anymore.

grsec: Software fails to install from Gnome Software, but is able to from terminalClosed, WontfixPublicActions

Description

Event Timeline

grsec: Software fails to install from Gnome Software, but is able to from terminal
Closed, WontfixPublic
Actions