Bug 2013407
| Summary: | Make flatpak SELinux confined | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Zdenek Pytela <zpytela> |
| Component: | flatpak | Assignee: | Debarshi Ray <debarshir> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | amigadave, debarshir, klember, michael.scheiffler, otaylor |
| Target Milestone: | --- | Flags: | debarshir: needinfo? (zpytela) |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2075937 | ||
Description
Zdenek Pytela, 2021-10-12 19:14:26 UTC
I'll be happy to create the policy for flatpak. However, I am not fully aware of how flatpak works and am unable to assess the impact of the changes proposed. How can I check the basic functionality? I see a tests/ directory in the github repo - can these scripts be used?

Can we figure out something temporarily for Fedora 35 - trying to comprehensively create a selinux policy for Flatpak seems unrealistic for Fedora 35 GA, and likely to create regressions, but we really need to get a simple policy in place that allows fedora-third-party running under gnome-initial-setup to call flatpak to add a repository. Can we just add the permissions detailed in the other bug to fedora-third-party policy? https://bugzilla.redhat.com/show_bug.cgi?id=2001837#c54

I've submitted a PR to make f-t-p work, but I think there still is a need to confine flatpak. I already have a patch set working during the installation, but I cannot confirm if flatpak and other applications needing it will work correctly later.

Hmm, we still have some issues. Trying it out, I get, in addition to the setsched/sys_nice audit messages we are ignoring:
===
type=AVC msg=audit(1634569129.980:219): avc: denied { read write } for pid=1603 comm="gpg" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1634569129.988:220): avc: denied { read write } for pid=1605 comm="gpgsm" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1634569129.993:221): avc: denied { create } for pid=1595 comm="flatpak" name="ostree-gpg-1Fze82" scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
===
The first two I don't think are problematic and seem to not always appear - but the third is causing flatpak to exit with an exit code of 1, and fedora-third-party to crash. This probably got hidden in testing earlier because with the crash at this point
* flatpak has created the remote
* fedora-third-party hasn't recorded that flatpak created the remote on fedora-third-party's behalf and will not remove it on 'fedora-third-party disable'
* on the next testing run, since the remote already exists, it will not be created
So the reset procedure needs an explicit "flatpak remote-delete flathub"
I also think selinux is causing the stdout/stderr of fedora-third-party not to end up in the system log as you'd otherwise expect - so we don't have the backtraces there. I don't know what the required permissions are to write to the journal stdout/stderr - I think this is an inherited socket fd.
Assigning the bug to myself, because David handed the Flatpak stack to me. It's just book-keeping, I am not actually working on this bug right now.

Zdeněk, do you need some help to move this forward? I think, generally speaking, we should target this for Fedora 37. We have enough time to work out the rough edges in Rawhide.

I can help you with writing a new policy.

(In reply to Zdenek Pytela from comment #7)
> I can help you with writing a new policy.

Thanks for the offer. That will be wonderful. We already have a SELinux policy module here: https://github.com/flatpak/flatpak/tree/main/selinux Do you want to improve it? Something else? I might be missing some historical context around this bug, and on top of that my knowledge of SELinux is limited.

*** Bug 2072243 has been marked as a duplicate of this bug. ***

This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle. Changing version to 37.

This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.

This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
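The three AVC records quoted in the bug are the raw material a policy author turns into allow rules (normally with audit2allow). As an added example, not code from this bug, from flatpak's selinux module or from the Fedora policy, here is a small Python parser that does the same grouping by hand: it pulls source type, target type, object class and the denied permissions out of each record and emits one rule per (source, target, class) triple. The sample records are the three lines from the bug re-joined onto single lines; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug,
# each on a single line (the page's copy was wrapped mid-token).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1634569129.980:219): avc: denied { read write } for pid=1603 comm="gpg" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1634569129.988:220): avc: denied { read write } for pid=1605 comm="gpgsm" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1634569129.993:221): avc: denied { create } for pid=1595 comm="flatpak" name="ostree-gpg-1Fze82" scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = sorted(m.group("perms").split())
    # A context looks like user:role:type:range; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_audit(text):
    """Parse every AVC record in a block of audit log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def denials_by_comm(records, comm):
    """Select the denials raised by one executable name (the comm= field)."""
    return [r for r in records if r.get("comm") == comm]


def format_rule(stype, ttype, tclass, perms):
    """Render an allow rule in the style audit2allow prints."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def suggest_rules(records):
    """Merge denials sharing (source type, target type, class) into one rule each."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("all denials:")
    for rule in suggest_rules(recs):
        print("  " + rule)
    print("flatpak only:")
    for rule in suggest_rules(denials_by_comm(recs, "flatpak")):
        print("  " + rule)
```

The flatpak-only output is the single `allow fedoratp_t tmp_t:dir create;` that corresponds to the denial the thread identifies as the one crashing fedora-third-party. Two caveats before pasting any generated rule into a module: `create` on the generic `tmp_t` is broader than what flatpak needs (it creates one private gpg directory), and the usual policy answer is a file type transition so that directory gets a dedicated type rather than opening `tmp_t` to the domain; and the two `gpg_t` tty denials are the ones the thread calls non-problematic, so a rule generated from them is not necessarily wanted at all (a harmless denial is normally silenced with a dontaudit rule, not an allow).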