Open
homectl passwd ... (and, probably, other .identity*-related operations) stops working after issuing restorecon ... for a new user, because of access to .identity-blob, on Fedora Linux 42.1.1 (Silverblue).
Steps:
$ sudo homectl create -P t
...
$ sudo homectl with t -- ls -dlZ .identity .identity-blob
...
-rw-------. 1 t t system_u:object_r:unlabeled_t:s0 711 Aug 24 20:45 .identity
drwx------. 1 t t system_u:object_r:unlabeled_t:s0 0 Aug 24 20:45 .identity-blob
$ sudo homectl with t -- restorecon -vFR /home/t
...
Relabeled /var/home/t from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:user_home_dir_t:s0
Relabeled /var/home/t/.bash_logout from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:user_home_t:s0
Relabeled /var/home/t/.bash_profile from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:user_home_t:s0
Relabeled /var/home/t/.bashrc from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:user_home_t:s0
Relabeled /var/home/t/.mozilla from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:mozilla_home_t:s0
Relabeled /var/home/t/.mozilla/extensions from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:mozilla_home_t:s0
Relabeled /var/home/t/.mozilla/plugins from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:mozilla_home_t:s0
Relabeled /var/home/t/.identity from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:systemd_homed_record_t:s0
Relabeled /var/home/t/.identity-blob from system_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:systemd_homed_record_t:s0
$ sudo homectl with t -- ls -dlZ .identity .identity-blob
...
-rw-------. 1 t t unconfined_u:object_r:systemd_homed_record_t:s0 711 Aug 24 20:45 .identity
drwx------. 1 t t unconfined_u:object_r:systemd_homed_record_t:s0 0 Aug 24 20:45 .identity-blob
$ sudo homectl passwd t
...
Operation on home t failed: Access denied
$ journalctl
Aug 24 20:56:00 fedora systemd-homework[16249]: Mounting file system completed.
Aug 24 20:56:00 fedora systemd-homework[16249]: Read embedded .identity file.
Aug 24 20:56:00 fedora systemd-homework[16249]: Provided password unlocks user record.
Aug 24 20:56:00 fedora systemd-homework[16249]: Reconciling header user identity completed (host version was newer).
Aug 24 20:56:00 fedora systemd-homework[16249]: Reconciling embedded user identity completed (host version was newer).
Aug 24 20:56:04 fedora systemd-homework[16249]: Updated LUKS key slot 0.
Aug 24 20:56:04 fedora systemd-homework[16249]: Wrote LUKS header user record.
Aug 24 20:56:04 fedora systemd-homework[16249]: Wrote embedded .identity file.
Aug 24 20:56:04 fedora audit[16249]: AVC avc: denied { rmdir } for pid=16249 comm="systemd-homewor" name=".identity-blob" dev="dm-0" ino=266 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=unconfined_u:object_r:systemd_homed_record_t:s0 tclass=dir permissive=0
Aug 24 20:56:04 fedora systemd-homework[16249]: Failed to replace embedded blobs with system blobs: Permission denied
Aug 24 20:56:04 fedora systemd-homework[16249]: Discarded unused 35.9M.
...
Aug 24 20:56:04 fedora systemd-homed[956]: Change operation failed: Permission denied
Aug 24 20:56:04 fedora systemd-homed[956]: t: changing state passwd → inactive
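The journal excerpt above shows how the failure surfaces: the AVC line names the denied permission (rmdir), the subject type (systemd_homework_t) and the target type (systemd_homed_record_t). The following is an added example, not code from the issue or from systemd, that parses such AVC denial lines with POSIX sh, sed and cut and filters journal output for denials raised by the homed worker process. The AVC line from the report is embedded as sample input; the function names (avc_field, avc_summary, scan_homed_denials) are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or from systemd): parse SELinux AVC
# denial lines as they appear in journalctl/audit output and summarise the
# denied permission, the subject (process) type and the target (file) type.
# Only POSIX sh, sed and cut are used. Function names are this example's own.

# Sample input: the AVC line quoted in the issue report, embedded here so the
# script runs offline.
SAMPLE_AVC='Aug 24 20:56:04 fedora audit[16249]: AVC avc: denied { rmdir } for pid=16249 comm="systemd-homewor" name=".identity-blob" dev="dm-0" ino=266 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=unconfined_u:object_r:systemd_homed_record_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of the KEY=value token (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# avc_type CONTEXT: the type field of a user:role:type:level security context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<perms> <subject type> -> <target type>:<class> (<name>)".
# Returns 1 if LINE is not an AVC denial.
avc_summary() {
    line=$1
    case $line in
        *"avc: denied"*) ;;
        *) return 1 ;;
    esac
    printf '%s %s -> %s:%s (%s)\n' \
        "$(avc_perms "$line")" \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)"
}

# scan_homed_denials: read log lines on stdin and print a summary for every
# denial whose subject is systemd_homework_t (the homed worker process).
scan_homed_denials() {
    while IFS= read -r l; do
        case $l in
            *"avc: denied"*"scontext=system_u:system_r:systemd_homework_t:"*)
                avc_summary "$l" ;;
        esac
    done
}

# Stand-alone run: scan the embedded sample plus one unrelated journal line.
printf '%s\n' \
    'Aug 24 20:56:04 fedora systemd-homework[16249]: Wrote embedded .identity file.' \
    "$SAMPLE_AVC" | scan_homed_denials
```

On a live system, pipe journalctl output into scan_homed_denials; a summary such as "rmdir systemd_homework_t -> systemd_homed_record_t:dir (.identity-blob)" pinpoints which object label the homed worker is not allowed to act on, which is the information needed to decide whether the file labels or the policy are at fault.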