Bug 1947214

Summary: SELinux denials for flatpak exports (e.g. SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache )
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: flatpak
Assignee: Kalev Lember <klember>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 34
CC: amigadave, brianwitt, bugzilla, dustymabe, fede, jan.public, klember, otto.liljalaakso, robatino, sgallagh, Simon.Gerhards, tony, voj-tech, zpytela
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: flatpak-1.10.2-3.fc34
Last Closed: 2021-04-17 22:12:07 UTC
Type: Bug
Bug Blocks: 1829025    

Description Adam Williamson 2021-04-07 23:19:05 UTC
This is a copy of https://bugzilla.redhat.com/show_bug.cgi?id=1916652 for Fedora 34, as people wanted to propose that bug as a Fedora 34 release blocker, but it is filed against F33.

As described there, when any flatpak is installed, users are seeing constant SELinux denials for access by various processes to files under /var/lib/flatpak/exports . There is some discussion in the upstream issue too:
https://github.com/flatpak/flatpak/issues/4128

Comment 1 Adam Williamson 2021-04-09 18:50:46 UTC
-3 in https://pagure.io/fedora-qa/blocker-review/issue/337 , marking rejected blocker. Note this could still be accepted as a freeze exception issue if proposed and there seems to be some realistic prospect of it actually getting fixed (though it would be questionable as an FE if it's true you can't hit it without installing a flatpak).

Comment 2 Zdenek Pytela 2021-04-14 19:09:27 UTC
*** Bug 1935747 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2021-04-14 19:09:53 UTC
*** Bug 1933905 has been marked as a duplicate of this bug. ***

Comment 4 Adam Williamson 2021-04-14 19:22:54 UTC
Note we're slipping at this point, so it'd be great if we could figure out a fix for this ahead of next week's attempt.

Comment 5 Kalev Lember 2021-04-14 20:13:03 UTC
As a workaround, we could remove /usr/lib/systemd/system-environment-generators/60-flatpak-system-only from the flatpak package in F33 and F34. This is only needed to support parental controls for flatpak apps in gnome-initial-setup, and we haven't enabled parental controls (malcontent) support in flatpak yet. We are planning on doing that for F35 though, so we'll definitely need a selinux policy solution at that point.

I put a longer comment in https://github.com/flatpak/flatpak/issues/4128#issuecomment-818019245 explaining what's going on.

zpytela is trying to come up with a selinux policy solution for this, but if needed, we can also go for the workaround solution for F33 and F34 without any adverse effects as per my understanding of the issue.

Comment 6 Zdenek Pytela 2021-04-14 20:20:06 UTC
Based on Kalev's findings, I verified

# create the override directory for environment generators
mkdir -p /etc/systemd/system-environment-generators
# an empty file with the same name as the generator in /usr/lib takes
# precedence, so the 60-flatpak-system-only generator no longer runs
> /etc/systemd/system-environment-generators/60-flatpak-system-only

helps with the issue and no denial appears.

David, do you think /usr/lib/systemd/system-environment-generators/60-flatpak-system-only can be dropped from the specfile for Fedora (all supported versions)?

Comment 7 Kalev Lember 2021-04-14 20:38:53 UTC
Thanks, Zdenek! I went ahead and did that in https://src.fedoraproject.org/rpms/flatpak/c/89da895a6498469bd458c8913c23c073ce047e47

Proposing it as a Freeze Exception for F34: Would be nice to get this sorted out for Silverblue where we ship preinstalled flatpaks, and also so that people don't get selinux denials when they install flatpaks in Workstation out of the box (when they haven't installed system updates yet).

Comment 8 Zdenek Pytela 2021-04-14 20:41:17 UTC
Here are my findings.

tl;dr: after updating flatpak from 1.8 to 1.10, multiple AVC denials start to appear, firing setroubleshoot for each of them which consumes a lot of resources. This applies to F33+.

The problem seems to break down to 3 smaller ones:

1. gnome/xdm/sddm
type=AVC msg=audit(1610956904.439:809): avc:  denied  { map } for  pid=1948 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=2239669 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1618420025.28:709): avc:  denied  { read } for  pid=1719 comm="gnome-shell" name="com.github.xournalpp.xournalpp.desktop" dev="dm-0" ino=3145745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1618420025.29:710): avc:  denied  { read } for  pid=1719 comm="gnome-shell" name="fyi.zoey.Boop-GTK.desktop" dev="dm-0" ino=3145758 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1612350319.979:683): avc:  denied  { read } for  pid=969 comm="gnome-shell" name="org.gimp.GIMP.desktop" dev="sdb2" ino=3421674 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1610883328.256:881): avc:  denied  { read } for  pid=3431 comm="gnome-shell" name="us.zoom.Zoom.desktop" dev="dm-1" ino=3611963 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Mar 01 18:15:20 fmac.local audit[1143]: AVC avc:  denied  { watch } for  pid=1143 comm="gmain" path="/var/lib/flatpak/exports/share/applications" dev="sda6" ino=893077 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

If possible, it will be addressed for F33 and F34 by not using the /usr/lib/systemd/system-environment-generators/60-flatpak-system-only generator, as parental control is not used yet. A discussion needs to be started to get to another solution for F35.

2. dbus-daemon
type=AVC msg=audit(1614949721.280:523): avc:  denied  { read } for  pid=2285 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=7981498 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233 comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1617530392.365:671): avc:  denied  { read } for  pid=1058 comm="dbus-daemon" name="org.gnome.Weather.BackgroundService.service" dev="dm-3" ino=1445734 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0

All denials are just for a symlink; this will be resolved in selinux-policy.
Also note dbus ran in an incorrect context, which should be fixed with 3.14.7-26.fc34 and needs to be backported to F33.

3. colord
type=AVC msg=audit(1610915386.118:166): avc:  denied  { getattr } for  pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:167): avc:  denied  { read } for  pid=905 comm="colord" name="mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:168): avc:  denied  { open } for  pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:169): avc:  denied  { map } for  pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

Needs to be resolved, no solution at the moment.
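As an added example (not from the bug report, the flatpak project or selinux-policy), the following Python script parses AVC lines in both formats that appear in this comment (the raw audit.log `type=AVC msg=audit(...)` form and the journal `... audit[pid]: AVC avc: ...` form), groups denials by source type, target type, object class and permission, and records whether each group was actually blocked (`permissive=0`) or only logged. The sample lines are copied from the denials above with one non-AVC line added; `parse_avc`, `summarize` and `rule_candidates` are names chosen here. The last function renders the groups in audit2allow(1) form only to make the scope of a blanket fix visible: every target here is the generic `var_lib_t`, so such rules would cover far more than /var/lib/flatpak/exports, which is why the thread pursues the generator mask and a selinux-policy change instead.

```python
import re
from collections import Counter

# Constructed sample input: audit.log and journal formats copied from the
# denials quoted in this bug, plus one non-AVC line to show it is skipped.
SAMPLE_LINES = """\
type=AVC msg=audit(1610956904.439:809): avc:  denied  { map } for  pid=1948 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=2239669 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1618420025.28:709): avc:  denied  { read } for  pid=1719 comm="gnome-shell" name="com.github.xournalpp.xournalpp.desktop" dev="dm-0" ino=3145745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Mar 01 18:15:20 fmac.local audit[1143]: AVC avc:  denied  { watch } for  pid=1143 comm="gmain" path="/var/lib/flatpak/exports/share/applications" dev="sda6" ino=893077 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1614949721.280:523): avc:  denied  { read } for  pid=2285 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=7981498 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1610915386.118:166): avc:  denied  { getattr } for  pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610915386.118:169): avc:  denied  { map } for  pid=905 comm="colord" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Mar 01 18:15:21 fmac.local systemd[1]: Started Session 3 of user alice.
""".splitlines()

# The "avc: denied { perms } for key=value ..." tail is common to both formats.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; comm/path/name are double-quoted, the rest are bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type of a user:role:type[:level] context ("xdm_t" from
    "system_u:system_r:xdm_t:s0-s0:c0.c1023"); MLS ranges after it are ignored."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        # name= only carries the basename, path= the full path when the kernel has it
        "path": fields.get("path") or fields.get("name", "?"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Count denials per (source type, target type, class, permission) and
    remember whether any instance in the group was actually blocked."""
    counts = Counter()
    enforced = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            enforced[key] = enforced.get(key, False) or rec["enforced"]
    return counts, enforced


def rule_candidates(counts):
    """Render each group as an audit2allow-style rule, merging permissions per
    (source, target, class). This shows the scope of a blanket allow; it is
    not a recommendation to load these rules."""
    by_triple = {}
    for (stype, ttype, tclass, perm) in counts:
        by_triple.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in by_triple.items()
    )


if __name__ == "__main__":
    counts, enforced = summarize(SAMPLE_LINES)
    for key, n in sorted(counts.items()):
        mode = "enforced" if enforced[key] else "permissive only"
        print(f"{n:3d}  {key[0]} -> {key[1]}:{key[2]} {key[3]}  ({mode})")
    print("\nequivalent blanket rules (for scope inspection):")
    print("\n".join(rule_candidates(counts)))
```

Feeding `journalctl -o short -k` or `/var/log/audit/audit.log` through `summarize` instead of `SAMPLE_LINES` gives the same grouping on a live system; the `enforced` flag separates the denials that actually break something (the xdm_t ones, `permissive=0`) from the colord_t ones that were only logged under a permissive domain.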

Comment 9 Fedora Update System 2021-04-14 20:47:33 UTC
FEDORA-2021-856ff125b0 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-856ff125b0

Comment 10 Fedora Update System 2021-04-15 19:28:47 UTC
FEDORA-2021-856ff125b0 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-856ff125b0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-856ff125b0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Adam Williamson 2021-04-17 05:40:00 UTC
+4 in https://pagure.io/fedora-qa/blocker-review/issue/337 , marking accepted.

Comment 12 Fedora Update System 2021-04-17 22:12:07 UTC
FEDORA-2021-856ff125b0 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Kalev Lember 2021-09-09 11:46:37 UTC
Zdenek, we just enabled malcontent support in flatpak in rawhide and that brings back the systemd system env generator that was causing the selinux denials, so this is back as an issue now.