Bug 1928548
| Summary: | SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | flatpak | Assignee: | David King <amigadave> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | amigadave, awilliam, decathorpe, dwalsh, ego.cordatus, grepl.miroslav, guo888xiao, jorti, klember, kparal, lvrabec, michael.scheiffler, mmalik, nberrehouc, nixuser, omosnace, otto.liljalaakso, pawel, plautrba, proletarius101, ranjan.de, vmojzis, vondruch, v, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:f2a885de5f2e8f71d7c7bd89d6f13a138fea7f9b7a55bc0e0a31631125e8b819;VARIANT_ID=workstation; | ||
| Fixed In Version: | flatpak-1.10.2-3.fc35 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-19 14:34:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 1933307 has been marked as a duplicate of this bug. *** Similar problem has been detected: Happens during boot of current Fedora 34 Workstation. hashmarkername: setroubleshoot kernel: 5.11.6-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-25.fc34.noarch reason: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications. type: libreport Similar problem has been detected: Happened on boot and initial login to GNOME on current F34 with all updates from u-t, including GNOME 40. hashmarkername: setroubleshoot kernel: 5.11.8-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-26.fc34.noarch reason: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications. type: libreport Similar problem has been detected: After upgrade from F33 to F34 Beta. hashmarkername: setroubleshoot kernel: 5.11.9-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-27.fc34.noarch reason: SELinux is preventing gnome-shell from 'watch' accesses on the dossier /var/lib/flatpak/exports/share/applications. type: libreport Similar problem has been detected: After login hashmarkername: setroubleshoot kernel: 5.11.9-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-28.fc34.noarch reason: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak. type: libreport *** Bug 1945275 has been marked as a duplicate of this bug. *** *** Bug 1945277 has been marked as a duplicate of this bug. *** *** Bug 1941853 has been marked as a duplicate of this bug. *** Note the problem is the same as in bz#1916652, just this bz is for rawhide. Similar problem has been detected: After upgrading from F33 to F34. hashmarkername: setroubleshoot kernel: 5.11.11-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-29.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-5WrHm0gEYL. type: libreport *** Bug 1945295 has been marked as a duplicate of this bug. *** *** Bug 1945294 has been marked as a duplicate of this bug. *** *** Bug 1945276 has been marked as a duplicate of this bug. *** *** Bug 1945268 has been marked as a duplicate of this bug. *** Similar problem has been detected: I am using Fedora 34 on Imac with Nvidia. Earlier I used Fedora 33. With both 33 and 34, every time I boot up my computer, a number of these SELinux messages appear. Tried following the troubleshoot advice, but not able to locate the file. Otherise the OS runs fine. hashmarkername: setroubleshoot kernel: 5.11.11-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-29.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-ILletn1kQv. type: libreport Similar problem has been detected: Upgraded to fedora 34 hashmarkername: setroubleshoot kernel: 5.11.11-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-29.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-vBNWQ7JXE1. type: libreport *** Bug 1945982 has been marked as a duplicate of this bug. *** *** Bug 1945981 has been marked as a duplicate of this bug. *** *** Bug 1949222 has been marked as a duplicate of this bug. *** *** Bug 1949221 has been marked as a duplicate of this bug. *** *** Bug 1949220 has been marked as a duplicate of this bug. *** *** Bug 1949219 has been marked as a duplicate of this bug. *** Similar problem has been detected: This AVC denial happens every time I log into GNOME / Xorg session after upgrading to Fedora 34 from Workstation 33. If that matters, I'm using the proprietary NVidia driver, and I even did a full system relabel after the upgrade for good measure. hashmarkername: setroubleshoot kernel: 5.11.13-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications. type: libreport Similar problem has been detected: Happens every time I log in. The second (random string) part of 'dbug-PUMqu5ktAf' is different every time. hashmarkername: setroubleshoot kernel: 5.11.13-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-PUMqu5ktAf. type: libreport Is bug 1941853 really a duplicate of this? These two look so different: this: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications that: SELinux is preventing /usr/bin/gnome-shell from 'write' accesses on the sock_file /tmp/dbus-28iHchP5PL Similar problem has been detected: Booted fc34 WS and logged in. hashmarkername: setroubleshoot kernel: 5.11.14-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-fGwdvY3I84. type: libreport Similar problem has been detected: I switched between users in GNOME Workstation. hashmarkername: setroubleshoot kernel: 5.11.14-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-wdRLZ42k7D. type: libreport I believe the last two reports are a completely separate issue. The original report that's "SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak." should be fixed in flatpak-1.10.2-3.fc35 build, but the dbus sock_file issue still needs addressing somewhere. Let's close this ticket as the original issue is fixed. (In reply to Kalev Lember from comment #28) > I believe the last two reports are a completely separate issue. The original > report that's "SELinux is preventing gnome-shell from 'watch' accesses on > the directory /var/lib/flatpak." should be fixed in flatpak-1.10.2-3.fc35 > build, but the dbus sock_file issue still needs addressing somewhere. > > Let's close this ticket as the original issue is fixed. Tested, the "SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-PUMqu5ktAf" denial still happens with the flatpak version you list. I will reopen bug 1941853, to me it looks like it was marked as duplicate of this issue in mistake. |
Description of problem: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow gnome-shell to have watch access on the flatpak directory Then you need to change the label on /var/lib/flatpak Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak' where FILE_TYPE is one of the following: etc_t, usr_t, xdm_var_lib_t. Then execute: restorecon -v '/var/lib/flatpak' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that gnome-shell should be allowed watch access on the flatpak directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell # semodule -X 300 -i my-gnomeshell.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak [ dir ] Source gnome-shell Source Path gnome-shell Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages flatpak-1.10.1-3.fc35.x86_64 SELinux Policy RPM selinux-policy-targeted-3.14.8-1.fc35.noarch Local Policy RPM selinux-policy-targeted-3.14.8-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.11.0-0.rc7.20210212git291009f656 e8.151.fc35.x86_64 #1 SMP Fri Feb 12 13:02:28 UTC 2021 x86_64 x86_64 Alert Count 3 First Seen 2021-02-15 01:01:37 +05 Last Seen 2021-02-15 01:04:21 +05 Local ID f2a44485-cdd8-46ab-b27a-1141d4f06ab9 Raw Audit Messages type=AVC msg=audit(1613333061.735:549): avc: denied { watch } for pid=1580 comm="gnome-shell" path="/var/lib/flatpak" dev="nvme0n1p2" ino=203546441 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 Hash: gnome-shell,xdm_t,var_lib_t,dir,watch Version-Release number of selected component: selinux-policy-targeted-3.14.8-1.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64 type: libreport