Bug 2077870

Summary: SELinux is preventing gmain from 'watch' accesses on the Verzeichnis /usr/libexec.
Product: [Fedora] Fedora Reporter: aannoaanno
Component: flatpakAssignee: Debarshi Ray <debarshir>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36CC: amigadave, debarshir, klember, mail
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:2b2b4ce504c0e87d1437a704dfd05074f6d9a7776fe141bd5c878de84a1456d1;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-05 22:57:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description aannoaanno 2022-04-22 13:07:52 UTC 
Description of problem:
SELinux is preventing gmain from 'watch' accesses on the Verzeichnis /usr/libexec.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es gmain standardmäßig erlaubt sein sollte, watch Zugriff auf libexec directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'gmain' --raw | audit2allow -M my-gmain
# semodule -X 300 -i my-gmain.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec [ dir ]
Source                        gmain
Source Path                   gmain
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.16-2.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.6-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.7-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.20-200.fc35.x86_64 #1 SMP
                              PREEMPT Wed Apr 13 22:09:20 UTC 2022 x86_64 x86_64
Alert Count                   7
First Seen                    2022-04-21 22:19:24 CEST
Last Seen                     2022-04-21 22:19:48 CEST
Local ID                      2c14b865-7347-427d-996a-0fe9c38e0cad

Raw Audit Messages
type=AVC msg=audit(1650572388.45:881): avc:  denied  { watch } for  pid=34684 comm="gmain" path="/usr/libexec" dev="dm-1" ino=201327291 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0


Hash: gmain,flatpak_helper_t,bin_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-36.6-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.16.20-200.fc35.x86_64
type:           libreport
Comment 1 Debarshi Ray 2022-05-05 22:57:50 UTC 

*** This bug has been marked as a duplicate of bug 2053634 ***