mirror of
https://github.com/fleetdm/fleet
synced 2026-05-15 21:18:29 +00:00
for #32112

# Details

This PR reverts some earlier work using `runuser` and `runcon` intended to allow Orbit to launch Fleet Desktop in the logged-in user's SELinux context. This didn't work for out-of-the-box SELinux enforcement setups, with a side-effect of each failed attempt to launch the desktop app creating a new kernel keyring that doesn't get cleaned up until Orbit quits (or GC runs, although I didn't see that happen in testing).

While using `runuser` has some possible benefits over using `sudo` to launch processes, it also (when using `-l` to start a login shell) creates a new keyring. This is not an issue if the command to launch the process succeeds, but if it fails and retries over and over, we start amassing keyrings.

It is the opinion of several other engineers (and now myself as well) that the real solution to various Fleet Desktop launching issues is to launch the desktop app as a user service using `systemctl --user` so that it automatically inherits the user's environment, context, etc.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
# Testing

- [X] QA'd all new/changed functionality manually
- [ ] ~Ubuntu with SELinux on~ this is a very uncommon setup
- [x] Ubuntu with SELinux off
- [X] Fedora with SELinux on - double checked that `getenforce` returned `Enforcing` this time
- [X] Fedora with SELinux off
- [ ] ~Debian with SELinux on~ this is a very uncommon setup
- [X] Debian with SELinux off
- [x] `runWithOutput` still works (tested with `go run ./tools/dialog/main.go --dialog=zenity` on all platforms)
- [ ] ~`runWithStdin` still works~ (this isn't currently used by Linux)

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
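The keyring build-up described in the PR can be checked from outside fleetd by counting a user's session keyrings in `/proc/keys` before and after a launch attempt. The script below is an added example, not part of this PR or of the fleetd code base; it parses the `/proc/keys` column layout (serial, flags, usage, timeout, perms, uid, gid, type, description) and runs against two constructed snapshots that mimic one session keyring for uid 1000 growing to four after three failed `runuser -l` attempts. Pass `/proc/keys` as the file argument to inspect a live host.

```shell
#!/bin/sh
# Added example, not fleetd code: detect session-keyring build-up from
# repeated `runuser -l` attempts by counting "_ses" keyrings per UID in a
# file with /proc/keys layout (serial flags usage timeout perms uid gid type desc).
set -eu

# count_session_keyrings FILE UID
# Prints the number of session keyrings ("_ses") owned by UID in FILE.
# Use FILE=/proc/keys on a live host (non-root sees only keys it may view).
count_session_keyrings() {
    awk -v uid="$2" \
        '$6 == uid && $8 == "keyring" && index($9, "_ses") == 1 { n++ }
         END { print n + 0 }' "$1"
}

# keyring_delta BEFORE_FILE AFTER_FILE UID
# Prints how many session keyrings UID gained between two snapshots; a
# positive delta after a failed launch/retry loop is the leak this PR reverts.
keyring_delta() {
    before=$(count_session_keyrings "$1" "$3")
    after=$(count_session_keyrings "$2" "$3")
    echo $((after - before))
}

# Constructed snapshots (not captured from a real host) in /proc/keys layout:
# uid 1000 before, and after three failed `runuser -l` attempts. The root
# session keyring and the _uid.1000 keyring must not be counted.
SAMPLE_BEFORE=$(mktemp)
SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

cat >"$SAMPLE_BEFORE" <<'EOF'
0021f5a6 I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 2
1a2b3c4d I--Q---     2 perm 1f3f0000  1000  1000 keyring   _uid.1000: 1
2b3c4d5e I--Q---     1 perm 3f030000     0     0 keyring   _ses: 1
EOF

cat >"$SAMPLE_AFTER" <<'EOF'
0021f5a6 I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 2
1a2b3c4d I--Q---     5 perm 1f3f0000  1000  1000 keyring   _uid.1000: 1
2b3c4d5e I--Q---     1 perm 3f030000     0     0 keyring   _ses: 1
3c4d5e6f I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 1
4d5e6f70 I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 1
5e6f7081 I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 1
EOF

# Stand-alone run against the constructed snapshots.
echo "before: $(count_session_keyrings "$SAMPLE_BEFORE" 1000)"
echo "after:  $(count_session_keyrings "$SAMPLE_AFTER" 1000)"
echo "leaked: $(keyring_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 1000)"
```

On a real host, take the first snapshot with `cp /proc/keys before.txt`, trigger the launch path, take a second snapshot and run `keyring_delta before.txt after.txt "$(id -u <user>)"`; `keyctl show @s` (from keyutils) will additionally print the session keyring the calling shell is attached to. A delta that keeps climbing across retries, rather than returning to zero once the kernel's keyring GC runs, is the symptom the PR describes.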