Bug 2053631
| Summary: | SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | flatpak | Assignee: | David King <amigadave> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 36 | CC: | amigadave, debarshir, gary.buhrmaster, klember |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:f978c6f9b4e4349f6e8a59530a39fdfc8998d186c2181dfa957a0d6eec1aecf5;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-04-01 20:46:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Similar problem has been detected: flatpak update fails hashmarkername: setroubleshoot kernel: 5.17.0-300.fc36.x86_64 package: selinux-policy-targeted-36.5-1.fc36.noarch reason: SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. type: libreport *** This bug has been marked as a duplicate of bug 2070741 *** |
Description of problem: Happens frequently without me doing anything specific to trigger it, on current F36. SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow libex to have read access on the repo directory Then you need to change the label on /var/lib/flatpak/repo Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/repo' where FILE_TYPE is one of the following: bin_t, boot_t, dbusd_etc_t, device_t, devpts_t, etc_runtime_t, etc_t, fonts_cache_t, fonts_t, lib_t, locale_t, man_cache_t, man_t, pkcs11_modules_conf_t, root_t, shell_exec_t, src_t, system_conf_t, system_db_t, textrel_shlib_t, tmpfs_t, usr_t, var_run_t. Then execute: restorecon -v '/var/lib/flatpak/repo' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that libex should be allowed read access on the repo directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pool-/usr/libex' --raw | audit2allow -M my-poolusrlibex # semodule -X 300 -i my-poolusrlibex.pp Additional Information: Source Context system_u:system_r:flatpak_helper_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/repo [ dir ] Source pool-/usr/libex Source Path pool-/usr/libex Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.1-1.fc36.noarch Local Policy RPM flatpak-selinux-1.12.4-2.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.16.1-200.fc35.x86_64 #1 SMP PREEMPT Mon Jan 17 00:49:29 UTC 2022 x86_64 x86_64 Alert Count 7 First Seen 2022-02-11 08:37:05 PST Last Seen 2022-02-11 08:37:07 PST Local ID 62bd2dbd-05d0-4a2c-aad1-f72b80279729 Raw Audit Messages type=AVC msg=audit(1644597427.157:508): avc: denied { read } for pid=16275 comm="pool-/usr/libex" name="repo" dev="dm-1" ino=3014773 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 Hash: pool-/usr/libex,flatpak_helper_t,var_lib_t,dir,read Version-Release number of selected component: selinux-policy-targeted-36.1-1.fc36.noarch Additional info: component: flatpak reporter: libreport-2.16.0 hashmarkername: setroubleshoot kernel: 5.16.1-200.fc35.x86_64 type: libreport