Bug 1871337

Summary: SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
Product: [Fedora] Fedora
Reporter: Matti Linnanvuori <mattilinnanvuori>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: high
Version: 36
CC: alexl, bugzilla, debarshir, dowdle, dwalsh, grepl.miroslav, lhw, lvrabec, mmalik, plautrba, twaugh, vmojzis, zpytela
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2022-04-19 19:11:54 UTC
Type: Bug

Description Matti Linnanvuori 2020-08-22 14:17:54 UTC
Description of problem:
dmesg error:
SELinux:  Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).

Version-Release number of selected component (if applicable):
selinux-policy 3.14.6-23.fc33

How reproducible:
always

Steps to Reproduce:
1. Boot Fedora Workstation Rawhide 

Actual results:
dmesg error: SELinux:  Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).

Expected results:
No error.

Comment 1 Zdenek Pytela 2020-09-07 13:12:54 UTC
Hi,

Such an error can appear if there is a problem with the flatpak selinux policy module. Have you uninstalled it recently?

  # rpm -q flatpak-selinux
  # semodule -lfull|grep flatpak
  # ll /var/lib/selinux/targeted/active/modules/200/flatpak/

Comment 2 Matti Linnanvuori 2020-09-08 05:06:26 UTC
Apparently I did not uninstall flatpak-selinux:
grep flatpak-selinux /var/log/dnf.rpm.log
2020-06-22T05:52:23Z SUBDEBUG Upgrade: flatpak-selinux-1.7.3-1.fc33.noarch
2020-06-22T05:59:50Z SUBDEBUG Upgraded: flatpak-selinux-1.7.2-1.fc33.noarch
2020-06-27T08:14:57Z SUBDEBUG Upgrade: flatpak-selinux-1.8.0-1.fc33.noarch
2020-06-27T08:19:51Z SUBDEBUG Upgraded: flatpak-selinux-1.7.3-1.fc33.noarch
2020-07-06T09:55:19Z SUBDEBUG Upgrade: flatpak-selinux-1.8.1-1.fc33.noarch
2020-07-06T09:58:51Z SUBDEBUG Upgraded: flatpak-selinux-1.8.0-1.fc33.noarch
2020-08-03T16:14:56Z SUBDEBUG Upgrade: flatpak-selinux-1.8.1-2.fc33.noarch
2020-08-03T16:27:32Z SUBDEBUG Upgraded: flatpak-selinux-1.8.1-1.fc33.noarch
2020-08-25T03:59:52Z SUBDEBUG Upgrade: flatpak-selinux-1.8.2-1.fc34.noarch
2020-08-25T04:10:39Z SUBDEBUG Upgraded: flatpak-selinux-1.8.1-2.fc33.noarch

rpm -q flatpak-selinux
flatpak-selinux-1.8.2-1.fc34.noarch

sudo semodule -lfull|grep flatpak
200 flatpak           pp

sudo ls -l /var/lib/selinux/targeted/active/modules/200/flatpak/
total 20
-rw-------. 1 root root  2535 Aug 30 09:52 cil
-rw-------. 1 root root 11894 Aug 30 09:52 hll
-rw-------. 1 root root     2 Aug 30 09:52 lang_ext

Comment 3 Ben Cotton 2021-02-09 16:26:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 4 Tim Waugh 2022-01-19 11:21:17 UTC
This affects F35 since selinux-policy-targeted-35.10-1.fc35.noarch. Changing priority to High since this now means automatic flatpak upgrading may stop working.

I was seeing AVCs like this:

type=AVC msg=audit(1642590463.412:615): avc:  denied  { execute } for  pid=25890 comm="(m-helper)" name="flatpak-system-helper" dev="dm-1" ino=1060919 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"

Upgrading flatpak didn't help:

# dnf update --enablerepo=updates-testing flatpak
Last metadata expiration check: 0:00:49 ago on Wed 19 Jan 2022 11:08:04 GMT.
Dependencies resolved.
================================================================================
 Package                   Arch      Version           Repository          Size
================================================================================
Upgrading:
 flatpak                   x86_64    1.12.4-1.fc35     updates-testing    1.5 M
 flatpak-selinux           noarch    1.12.4-1.fc35     updates-testing     22 k
 flatpak-session-helper    x86_64    1.12.4-1.fc35     updates-testing     43 k

Transaction Summary
================================================================================
Upgrade  3 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): flatpak-selinux-1.12.4-1.fc35.noarch.rpm 157 kB/s |  22 kB     00:00    
(2/3): flatpak-session-helper-1.12.4-1.fc35.x86 286 kB/s |  43 kB     00:00    
(3/3): flatpak-1.12.4-1.fc35.x86_64.rpm         4.1 MB/s | 1.5 MB     00:00    
--------------------------------------------------------------------------------
Total                                           2.2 MB/s | 1.6 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Upgrading        : flatpak-session-helper-1.12.4-1.fc35.x86_64            1/6 
  Upgrading        : flatpak-selinux-1.12.4-1.fc35.noarch                   2/6 
  Running scriptlet: flatpak-selinux-1.12.4-1.fc35.noarch                   2/6 
Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule:  Failed!

  Running scriptlet: flatpak-1.12.4-1.fc35.x86_64                           3/6 
  Upgrading        : flatpak-1.12.4-1.fc35.x86_64                           3/6 
error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61e7f147, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package flatpak-1.12.4-1.fc35.x86_64
  Cleanup          : flatpak-selinux-1.12.3-1.fc35.noarch                   4/6 
error: unpacking of archive failed on file /usr/libexec/flatpak-system-helper;61e7f147: cpio: (error 0x2)
error: flatpak-1.12.4-1.fc35.x86_64: install failed
error: flatpak-1.12.3-1.fc35.x86_64: erase skipped

  Running scriptlet: flatpak-selinux-1.12.3-1.fc35.noarch                   4/6 
  Cleanup          : flatpak-session-helper-1.12.3-1.fc35.x86_64            5/6 
  Running scriptlet: flatpak-session-helper-1.12.3-1.fc35.x86_64            5/6 
  Verifying        : flatpak-1.12.4-1.fc35.x86_64                           1/6 
  Verifying        : flatpak-1.12.3-1.fc35.x86_64                           2/6 
  Verifying        : flatpak-selinux-1.12.4-1.fc35.noarch                   3/6 
  Verifying        : flatpak-selinux-1.12.3-1.fc35.noarch                   4/6 
  Verifying        : flatpak-session-helper-1.12.4-1.fc35.x86_64            5/6 
  Verifying        : flatpak-session-helper-1.12.3-1.fc35.x86_64            6/6 

Upgraded:
  flatpak-selinux-1.12.4-1.fc35.noarch                                          
  flatpak-session-helper-1.12.4-1.fc35.x86_64                                   
Failed:
  flatpak-1.12.3-1.fc35.x86_64           flatpak-1.12.4-1.fc35.x86_64          

Error: Transaction failed

Comment 5 Milos Malik 2022-01-19 12:03:58 UTC
Does the flatpak policy module contain any mention of "lockdown" string?

Comment 6 Tim Waugh 2022-01-19 14:05:16 UTC
No, not that I see in flatpak-1.12-4/selinux.

Comment 7 Zdenek Pytela 2022-01-19 17:36:39 UTC
Please update to selinux-policy-35.11-1 and let me know if the problems persist.

Comment 8 Alexander Larsson 2022-01-20 09:14:51 UTC
I'm getting this issue, as well as one with crun:
  Installing       : crun-1.4.1-1.fc35.x86_64                               1/1 
error: lsetfilecon: (/usr/bin/crun;61e924df, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

and osbuild:

  Installing       : osbuild-46-1.20220119145423018138.main.1.g597759c.fc35.noarch    1/1 
error: lsetfilecon: (/usr/bin/osbuild;61e92353, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

I just tried installing selinux-policy-35.11-1 from koji and got:

  Upgrading        : selinux-policy-35.11-1.fc35.noarch                     1/8 
  Running scriptlet: selinux-policy-35.11-1.fc35.noarch                     1/8 
Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule:  Failed!

Comment 9 Alexander Larsson 2022-01-20 09:36:17 UTC
Hmm, once selinux-policy-35.11-1 was installed things seem to work again though.

Comment 10 Tim Waugh 2022-01-20 13:49:50 UTC
selinux-policy-targeted-35.11-1 works for me too.

Comment 11 Debarshi Ray 2022-01-20 14:39:39 UTC
(In reply to Alexander Larsson from comment #9)
> Hmm, once selinux-policy-35.11-1 was installed things seem to work again
> though.

(In reply to Tim Waugh from comment #10)
> selinux-policy-targeted-35.11-1 works for me too.

Thanks for the testing!

Comment 12 Zdenek Pytela 2022-01-26 15:28:10 UTC
Closing based on previous comments.

Comment 13 Chris Murphy 2022-02-08 03:47:31 UTC
This problem has returned in Rawhide. This is a clean install from Fedora-Workstation-Live-x86_64-Rawhide-20220201.n.1.iso which has:
flatpak-selinux-1.12.4-2.fc36.noarch
selinux-policy-36.1-1.fc36.noarch

But the problem remains once updated to selinux-policy-36.1-1.fc36.noarch.


[   48.798067] kernel: SELinux:  Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
[   48.377025] audit[2517]: AVC avc:  denied  { execute } for  pid=2517 comm="(m-helper)" name="flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
[   48.378380] audit[2517]: AVC avc:  denied  { execute_no_trans } for  pid=2517 comm="(m-helper)" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
[   48.384703] audit[2517]: AVC avc:  denied  { map } for  pid=2517 comm="flatpak-system-" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"

$ sudo semodule -lfull|grep flatpak
200 flatpak           pp 

$ sudo ls -lZ /var/lib/selinux/targeted/active/modules/200/flatpak/
total 20
-rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0  2588 Feb  7 18:34 cil
-rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0 12089 Feb  7 18:34 hll
-rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0     2 Feb  7 18:34 lang_ext
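
Added example, not part of the bug report or of any Fedora tooling: a Python script that correlates the three symptoms quoted in this thread (the kernel "left unmapped" message, AVC denials where tcontext is unlabeled_t but trawcon carries the on-disk label, and rpm's lsetfilecon "Invalid argument" errors) and reports which types the loaded policy does not define. The function names are hypothetical; the sample lines are taken from the comments above, plus one constructed ordinary denial that must be ignored.

```python
import re
from collections import defaultdict

# Three symptoms seen in this report, all meaning the same thing: a context
# references a type that the currently loaded policy does not define.
KERNEL_RE = re.compile(r"SELinux:\s+Context (\S+) is not valid \(left unmapped\)")
AVC_RE = re.compile(r'avc:\s+denied.*?tcontext=(\S+).*?trawcon="([^"]+)"')
RPM_RE = re.compile(r"lsetfilecon: \((\S+?)(?:;[0-9a-f]+)?, (\S+)\) Invalid argument")
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]+)"')

# Lines 1-3 are quoted from the thread; line 4 is a constructed ordinary denial.
SAMPLE = [
    "kernel: SELinux:  Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).",
    'audit[2517]: AVC avc:  denied  { execute } for  pid=2517 comm="(m-helper)" name="flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    "error: lsetfilecon: (/usr/bin/crun;61e924df, system_u:object_r:container_runtime_exec_t:s0) Invalid argument",
    'audit[900]: AVC avc:  denied  { read } for  pid=900 comm="demo" name="demo.conf" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]


def context_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def find_unmapped(lines):
    """Map each undefined type to the sources and objects that revealed it."""
    found = defaultdict(lambda: {"sources": set(), "objects": set()})
    for line in lines:
        if m := KERNEL_RE.search(line):
            found[context_type(m.group(1))]["sources"].add("kernel")
        if m := AVC_RE.search(line):
            # tcontext is what the kernel enforced; trawcon is the on-disk label.
            if context_type(m.group(1)) == "unlabeled_t":
                entry = found[context_type(m.group(2))]
                entry["sources"].add("avc")
                if obj := OBJ_RE.search(line):
                    entry["objects"].add(obj.group(1))
        if m := RPM_RE.search(line):
            entry = found[context_type(m.group(2))]
            entry["sources"].add("rpm")
            entry["objects"].add(m.group(1))  # path without rpm's ";hex" temp suffix
    return {t: {k: sorted(v) for k, v in e.items()} for t, e in found.items()}


if __name__ == "__main__":
    for type_name, evidence in find_unmapped(SAMPLE).items():
        print(type_name, evidence)
```

Each reported type names a policy module whose type definitions are missing from the loaded policy, which is the condition the semodule and ls checks in this thread look for.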

Comment 14 Ben Cotton 2022-02-08 20:06:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 15 Scott Dowdle 2022-04-07 02:24:51 UTC
I upgraded F35 to F36 this morning and now all dnf operations are giving me failures with these errors.

Example:
Running transaction
  Preparing        :                                                        1/1 
  Upgrading        : conmon-2:2.1.0-2.fc36.x86_64                           1/2 
error: lsetfilecon: (/usr/bin/conmon;624e495d, system_u:object_r:conmon_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

I have selinux-policy-36.5-1.fc36.noarch installed.

How does one fix this?

Comment 16 Daniel Walsh 2022-04-07 09:35:23 UTC
semodule -X 200 -r container snappy flatpak
dnf reinstall container-selinux flatpak-selinux

Comment 17 Zdenek Pytela 2022-04-19 19:11:54 UTC
The issue as reported has been resolved. There are some additional problems; you can monitor bz#2056303 for the latest development.