Bug 2070741
| Summary: | flatpak_helper_t unable to open, read and lock files inside /var/lib/flatpak | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Flo H. <emailtoflorian> |
| Component: | flatpak | Assignee: | Debarshi Ray <debarshir> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 36 | CC: | amigadave, awilliam, debarshir, dwalsh, fzatlouk, grepl.miroslav, klember, lvrabec, mail, michael.scheiffler, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:7890417aefe265361726257f0623a15e7506e62c4c752f7fd480db71837831a2;VARIANT_ID=workstation; AcceptedFreezeException | ||
| Fixed In Version: | flatpak-1.12.7-2.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-04-14 23:23:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1953786, 2075937 | ||
There's also bug 2053631, which is about: SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. *** Bug 2053631 has been marked as a duplicate of this bug. *** *** Bug 2070742 has been marked as a duplicate of this bug. *** *** Bug 2070739 has been marked as a duplicate of this bug. *** *** Bug 2070750 has been marked as a duplicate of this bug. *** I think these are all SELinux denials caused by the flatpak_helper_t SELinux domain not being able to read files inside /var/lib/flatpak. This should clearly be allowed. Zdeněk, any suggestions? As long as it is only reading, files_read_var_lib_files(flatpak_helper_t) should do it, possibly also files_list_var_lib(flatpak_helper_t) files_read_var_lib_files(flatpak_helper_t) Does this look good to you: https://github.com/flatpak/flatpak/pull/4855 ? FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1 It looks good. Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/747 The decision to classify this bug as an AcceptedFreezeException was made: "There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze." FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 2072274 has been marked as a duplicate of this bug. *** *** Bug 2072246 has been marked as a duplicate of this bug. *** |
Description of problem: I guess flatpak update caused this problem SELinux is preventing pool-/usr/libex from 'read' accesses on the lnk_file /var/lib/flatpak/runtime/org.gnome.Platform/x86_64/40/active. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow libex to have read access on the active lnk_file Then you need to change the label on /var/lib/flatpak/runtime/org.gnome.Platform/x86_64/40/active Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/40/active' where FILE_TYPE is one of the following: admin_home_t, bin_t, boot_t, device_t, etc_runtime_t, etc_t, fonts_cache_t, fonts_t, ld_so_t, lib_t, locale_t, man_cache_t, man_t, proc_t, root_t, rpm_script_tmp_t, security_t, shell_exec_t, src_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, textrel_shlib_t, tmp_t, usr_t, var_run_t, var_t. Then execute: restorecon -v '/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/40/active' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that libex should be allowed read access on the active lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pool-/usr/libex' --raw | audit2allow -M my-poolusrlibex # semodule -X 300 -i my-poolusrlibex.pp Additional Information: Source Context system_u:system_r:flatpak_helper_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/runtime/org.gnome.Platform/x86_64 /40/active [ lnk_file ] Source pool-/usr/libex Source Path pool-/usr/libex Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.5-1.fc36.noarch Local Policy RPM flatpak-selinux-1.12.7-1.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.17.0-300.fc36.x86_64 #1 SMP PREEMPT Wed Mar 23 22:00:40 UTC 2022 x86_64 x86_64 Alert Count 40 First Seen 2022-03-31 21:43:32 CEST Last Seen 2022-03-31 21:47:28 CEST Local ID 0eb1b76a-9a0f-4e83-aabc-c5f607379938 Raw Audit Messages type=AVC msg=audit(1648756048.256:1802): avc: denied { read } for pid=46399 comm="pool-/usr/libex" name="active" dev="dm-1" ino=1584753 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0 Hash: pool-/usr/libex,flatpak_helper_t,var_lib_t,lnk_file,read Version-Release number of selected component: selinux-policy-targeted-36.5-1.fc36.noarch Additional info: component: flatpak reporter: libreport-2.17.1 hashmarkername: setroubleshoot kernel: 5.17.0-300.fc36.x86_64 type: libreport