Bug 1947214
Summary: | SELinux denials for flatpak exports (e.g. SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache ) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | flatpak | Assignee: | Kalev Lember <klember> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 34 | CC: | amigadave, brianwitt, bugzilla, dustymabe, fede, jan.public, klember, otto.liljalaakso, robatino, sgallagh, Simon.Gerhards, tony, voj-tech, zpytela |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | RejectedBlocker AcceptedFreezeException | ||
Fixed In Version: | flatpak-1.10.2-3.fc34 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-04-17 22:12:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1829025 |
Description
Adam Williamson
2021-04-07 23:19:05 UTC
-3 in https://pagure.io/fedora-qa/blocker-review/issue/337 , marking rejected blocker. Note this could still be accepted as a freeze exception issue if proposed and there seems to be some realistic prospect of it actually getting fixed (though it would be questionable as an FE if it's true you can't hit it without installing a flatpak).

*** Bug 1935747 has been marked as a duplicate of this bug. ***

*** Bug 1933905 has been marked as a duplicate of this bug. ***

Note we're slipping at this point, so it'd be great if we could figure out a fix for this ahead of next week's attempt.

As a workaround, we could remove /usr/lib/systemd/system-environment-generators/60-flatpak-system-only from the flatpak package in F33 and F34. This is only needed to support parental controls for flatpak apps in gnome-initial-setup, and we haven't enabled parental controls (malcontent) support in flatpak yet. We are planning on doing that for F35 though, so we'll definitely need a selinux policy solution at that point. I put a longer comment in https://github.com/flatpak/flatpak/issues/4128#issuecomment-818019245 explaining what's going on. zpytela is trying to come up with a selinux policy solution for this, but if needed, we can also go for the workaround solution for F33 and F34 without any adverse effects as per my understanding of the issue.

Based on Kalev's findings, I verified

```sh
mkdir -p /etc/systemd/system-environment-generators
> /etc/systemd/system-environment-generators/60-flatpak-system-only
```

helps with the issue and no denial appears.

David, do you think /usr/lib/systemd/system-environment-generators/60-flatpak-system-only can be dropped from the specfile for Fedora (all supported versions)?

Thanks, Zdenek! I went ahead and did that in https://src.fedoraproject.org/rpms/flatpak/c/89da895a6498469bd458c8913c23c073ce047e47

Proposing it as a Freeze Exception for F34: Would be nice to get this sorted out for Silverblue where we ship preinstalled flatpaks, and also so that people don't get selinux denials when they install flatpaks in Workstation out of the box (when they haven't installed system updates yet).

Here are my findings. tl;dr: after updating flatpak from 1.8 to 1.10, multiple AVC denials start to appear, firing setroubleshoot for each of them which consumes a lot of resources. This applies to F33+. The problem seems to break down to 3 smaller ones:

1. gnome/xdm/sddm

```text
type=AVC msg=audit(1610956904.439:809): avc: denied { map } for pid=1948 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=2239669 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1618420025.28:709): avc: denied { read } for pid=1719 comm="gnome-shell" name="com.github.xournalpp.xournalpp.desktop" dev="dm-0" ino=3145745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1618420025.29:710): avc: denied { read } for pid=1719 comm="gnome-shell" name="fyi.zoey.Boop-GTK.desktop" dev="dm-0" ino=3145758 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1612350319.979:683): avc: denied { read } for pid=969 comm="gnome-shell" name="org.gimp.GIMP.desktop" dev="sdb2" ino=3421674 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1610883328.256:881): avc: denied { read } for pid=3431 comm="gnome-shell" name="us.zoom.Zoom.desktop" dev="dm-1" ino=3611963 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Mar 01 18:15:20 fmac.local audit[1143]: AVC avc: denied { watch } for pid=1143 comm="gmain" path="/var/lib/flatpak/exports/share/applications" dev="sda6" ino=893077 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
```

If possible, it will be addressed for F33 and F34 by not using the /usr/lib/systemd/system-environment-generators/60-flatpak-system-only generator, as parental control is not used yet. Needs to start a discussion to get to another solution for F35.

2. dbus-daemon

```text
type=AVC msg=audit(1614949721.280:523): avc: denied { read } for pid=2285 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=7981498 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1610708161.135:330): avc: denied { read } for pid=1233 comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1617530392.365:671): avc: denied { read } for pid=1058 comm="dbus-daemon" name="org.gnome.Weather.BackgroundService.service" dev="dm-3" ino=1445734 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
```

All denials are just for a symlink, will be resolved in selinux-policy. Also note dbus ran in an incorrect context which should be fixed with 3.14.7-26.fc34, needs to be backported to F33.

3. colord

```text
type=AVC msg=audit(1610915386.118:166): avc: denied { getattr } for pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:167): avc: denied { read } for pid=905 comm="colord" name="mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:168): avc: denied { open } for pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:169): avc: denied { map } for pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
```

Needs to be resolved, no solution at the moment.

FEDORA-2021-856ff125b0 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-856ff125b0

FEDORA-2021-856ff125b0 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-856ff125b0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-856ff125b0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

+4 in https://pagure.io/fedora-qa/blocker-review/issue/337 , marking accepted.

FEDORA-2021-856ff125b0 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.

Zdenek, we just enabled malcontent support in flatpak in rawhide and that brings back the systemd system env generator that was causing the selinux denials, so this is back as an issue now.
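The findings comment above sorts the denials into three buckets by hand (xdm_t readers of the flatpak exports, dbus-daemon symlink reads, colord reading mime.cache). The following Python script is an added example, not code from this bug report, flatpak or selinux-policy: it parses raw audit/journal AVC lines and groups them by source domain, target type, object class and permission, and counts how many were actually enforced (permissive=0) versus merely logged. The sample input is constructed for the demo from the denials quoted in the thread plus one non-AVC line; field names follow the standard AVC record format.

```python
"""Triage SELinux AVC denials by (source domain, target type, class, permission).

Added example for the bug thread above; the triage logic is generic, the
SAMPLE_AUDIT_LINES below are constructed from the denials quoted in the thread.
"""
import re
from collections import defaultdict

# 'avc: denied { perm ... } for key=value ...' in both auditd and journald output.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1610956904.439:809): avc: denied { map } for pid=1948 comm="sddm-greeter" '
    'path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=2239669 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1618420025.28:709): avc: denied { read } for pid=1719 comm="gnome-shell" '
    'name="com.github.xournalpp.xournalpp.desktop" dev="dm-0" ino=3145745 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1612350319.979:683): avc: denied { read } for pid=969 comm="gnome-shell" '
    'name="org.gimp.GIMP.desktop" dev="sdb2" ino=3421674 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0',
    'Mar 01 18:15:20 fmac.local audit[1143]: AVC avc: denied { watch } for pid=1143 comm="gmain" '
    'path="/var/lib/flatpak/exports/share/applications" dev="sda6" ino=893077 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1614949721.280:523): avc: denied { read } for pid=2285 comm="dbus-daemon" '
    'name="org.gnome.Builder.service" dev="dm-0" ino=7981498 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1610708161.135:330): avc: denied { read } for pid=1233 comm="dbus-daemon" '
    'name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1610915386.118:166): avc: denied { getattr } for pid=905 comm="colord" '
    'path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1610915386.118:167): avc: denied { read } for pid=905 comm="colord" '
    'name="mime.cache" dev="dm-0" ino=4456476 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1610915386.118:168): avc: denied { open } for pid=905 comm="colord" '
    'path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1610915386.118:169): avc: denied { map } for pid=905 comm="colord" '
    'path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    # Constructed non-AVC record: must be skipped, not mis-parsed.
    'type=SYSCALL msg=audit(1610915386.118:169): arch=c000003e syscall=9 success=no exit=-13',
]


def parse_avc(line):
    """Return a dict of AVC fields for one line, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:range]; the type is what a policy rule keys on.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(lines):
    """Group denials into {(sdomain, ttype, tclass, perm): {count, comms, enforced}}.

    'enforced' counts records with permissive=0, i.e. accesses that were really
    blocked; permissive=1 records only show what a rule would have to allow.
    """
    buckets = defaultdict(lambda: {"count": 0, "comms": set(), "enforced": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            b = buckets[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)]
            b["count"] += 1
            b["comms"].add(rec["comm"])
            if rec.get("permissive") == "0":
                b["enforced"] += 1
    return dict(buckets)


def summarize(buckets):
    """One text line per bucket, most frequent first."""
    rows = sorted(buckets.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{k[0]} -> {k[1]} {k[2]} {{ {k[3]} }}: {v['count']} denials, "
        f"{v['enforced']} enforced, comm={','.join(sorted(v['comms']))}"
        for k, v in rows
    ]


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_AUDIT_LINES))))
```

Run on a live system with `ausearch -m AVC --raw | python3 avc_triage.py` style piping (reading stdin instead of the constructed list); the bucket key is exactly the tuple a policy rule or a `sealert` signature would be written against, and the enforced count separates the denials users actually see from those logged by permissive domains.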
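The verified workaround earlier in the thread (`mkdir -p /etc/systemd/system-environment-generators` followed by creating an empty `60-flatpak-system-only` there) relies on systemd's generator search order: the first directory in /etc, /run, /usr/local/lib, /usr/lib that contains the name wins, and an empty file (or a symlink to /dev/null) in an earlier directory masks the generator shipped in a later one. The Python below is an added example, not part of the bug report or of flatpak, that resolves a generator name the same way and replays the workaround against a throwaway root so it can run without touching the real system. The stand-in generator body and the `demo_workaround` name are this example's own.

```python
"""Resolve which copy of a systemd environment generator is effective, and whether it is masked.

Added example for the workaround in the bug thread; it does not touch the
real /etc unless you pass root="/" yourself.
"""
import os
import tempfile

# Search order from systemd.environment-generator(7); earlier entries win.
GENERATOR_DIRS = (
    "etc/systemd/system-environment-generators",
    "run/systemd/system-environment-generators",
    "usr/local/lib/systemd/system-environment-generators",
    "usr/lib/systemd/system-environment-generators",
)


def resolve_generator(name, root="/"):
    """Return ("masked" | "active" | "not-executable" | "absent", path or None).

    The first directory holding `name` decides: an empty file or a /dev/null
    symlink masks the generator; otherwise systemd runs it only if executable.
    """
    for d in GENERATOR_DIRS:
        path = os.path.join(root, d, name)
        if os.path.islink(path) and os.readlink(path) == "/dev/null":
            return "masked", path
        if not os.path.exists(path):
            continue
        if os.stat(path).st_size == 0:
            return "masked", path
        if os.access(path, os.X_OK):
            return "active", path
        return "not-executable", path
    return "absent", None


def demo_workaround(name="60-flatpak-system-only"):
    """Apply the thread's workaround inside a temporary root.

    Returns (state before, state after) for the generator name.
    """
    with tempfile.TemporaryDirectory() as root:
        usr_dir = os.path.join(root, GENERATOR_DIRS[3])
        os.makedirs(usr_dir)
        shipped = os.path.join(usr_dir, name)
        with open(shipped, "w") as f:
            # Stand-in body for the demo; not the real flatpak generator.
            f.write("#!/bin/sh\necho EXAMPLE_VAR=1\n")
        os.chmod(shipped, 0o755)
        before = resolve_generator(name, root)

        # Equivalent of: mkdir -p /etc/systemd/system-environment-generators
        #                > /etc/systemd/system-environment-generators/<name>
        etc_dir = os.path.join(root, GENERATOR_DIRS[0])
        os.makedirs(etc_dir, exist_ok=True)
        open(os.path.join(etc_dir, name), "w").close()
        after = resolve_generator(name, root)
        return before[0], after[0]


if __name__ == "__main__":
    print("demo:", demo_workaround())
    print("live:", resolve_generator("60-flatpak-system-only"))
```

On a real host, `resolve_generator("60-flatpak-system-only")` reports "active" when the packaged generator is still in force (the condition that triggers the xdm_t denials), "masked" once the override is in place, and "absent" after the package drop from the thread; the last is what the updated flatpak-1.10.2-3.fc34 is expected to produce, and the "masked" override becomes redundant then.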