Bug 2070350
| Summary: | flatpak_helper_t unable to read /etc/passwd. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael <michael.scheiffler> |
| Component: | flatpak | Assignee: | Debarshi Ray <debarshir> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 36 | CC: | aannoaanno, amigadave, debarshir, dwalsh, emailtoflorian, fzatlouk, grepl.miroslav, klember, lvrabec, mail, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:e62516abf53dea5e0b1b5313b0b96212b86b952f29f3d4bf0b958efbceb7af07;VARIANT_ID=workstation; AcceptedFreezeException | ||
| Fixed In Version: | flatpak-1.12.7-2.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-04-14 23:23:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1953786, 2075937 | ||
I have the same problem after system-upgrade to F36. Access to /etc/passwd is blocked, `flatpak update` therefore fails. Similar problem has been detected: flatpak update fails because of denied access to /etc/passwd hashmarkername: setroubleshoot kernel: 5.17.0-300.fc36.x86_64 package: selinux-policy-targeted-36.5-1.fc36.noarch reason: SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd. type: libreport This bug is filed against flatpak, however, I think it should be filed against selinux-policy *** Bug 2072275 has been marked as a duplicate of this bug. *** *** Bug 2071218 has been marked as a duplicate of this bug. *** (In reply to Flo H. from comment #3) > This bug is filed against flatpak, however, I think it should be filed > against selinux-policy The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak. The appropriate interface is auth_read_passwd(). Does this look good to you: https://github.com/flatpak/flatpak/pull/4852 ? (In reply to Debarshi Ray from comment #7) > Does this look good to you: > https://github.com/flatpak/flatpak/pull/4852 ? It does. (In reply to Zdenek Pytela from comment #8) > (In reply to Debarshi Ray from comment #7) > > Does this look good to you: > > https://github.com/flatpak/flatpak/pull/4852 ? > > It does. Thanks for the quick review, Zdeněk! FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1 Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746 The decision to classify this bug as an AcceptedFreezeException was made: "There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze." FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 2078074 has been marked as a duplicate of this bug. *** *** Bug 2096056 has been marked as a duplicate of this bug. *** Problem still persists on my f36 installation, see #2078074 and #2096056 |
Description of problem: SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that flatpak-system- should be allowed read access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem # semodule -X 300 -i my-flatpaksystem.pp Additional Information: Source Context system_u:system_r:flatpak_helper_t:s0 Target Context system_u:object_r:passwd_file_t:s0 Target Objects /etc/passwd [ file ] Source flatpak-system- Source Path flatpak-system- Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages setup-2.13.9.1-3.fc36.noarch SELinux Policy RPM selinux-policy-targeted-36.5-1.fc36.noarch Local Policy RPM flatpak-selinux-1.12.7-1.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-03-30 23:52:13 CEST Last Seen 2022-03-30 23:52:13 CEST Local ID 5eed63e9-c50b-4801-b5c1-b243d011ceb0 Raw Audit Messages type=AVC msg=audit(1648677133.642:1103): avc: denied { read } for pid=31490 comm="flatpak-system-" name="passwd" dev="nvme0n1p3" ino=3300790 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 Hash: flatpak-system-,flatpak_helper_t,passwd_file_t,file,read Version-Release number of selected component: selinux-policy-targeted-36.5-1.fc36.noarch Additional info: component: flatpak reporter: libreport-2.17.1 hashmarkername: setroubleshoot kernel: 5.16.16-200.fc35.x86_64 type: libreport