Bug 2151320
| Summary: | flatpak causes AVC flooding logs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Leon Fauster <leonfauster> |
| Component: | flatpak | Assignee: | Debarshi Ray <debarshir> |
| Status: | CLOSED MIGRATED | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bstinson, jwboyer, tpelka, tpopela |
| Target Milestone: | rc | Keywords: | MigratedToJIRA |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-15 19:58:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Somehow the VM installation results in an installed package compose that misses flatpak-libs, albeit the flatpak package was installed. After installation of flatpak-libs manually, everything seems to work fine (app launching, and no AVC log entries so far).

Conclusion: the flatpak spec should have "Requires: flatpak-libs". It seems to be a leaf package, which it should not be.

# LANG=C rpm -ev --test flatpak-libs
Preparing packages...

And was the flatpak-selinux preinstalled as well? I would expect that this package fixes it.
At the time of the issue flatpak-selinux _was_ installed. Only flatpak-libs was not; it was installed additionally later:
# rpm -qa --qf '%{INSTALLTIME}-%{NAME}\n' |grep flatpak
1657191739-flatpak-selinux
1657191747-flatpak-session-helper
1657191748-flatpak
1670346958-flatpak-libs
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Description of problem:
While configuring flatpak with Fedora's OCI Reg and installing gnome-weather as a normal user (flatpak --user), hundreds of the following AVCs appear:

----
time->Tue Dec 6 17:10:09 2022
type=PROCTITLE msg=audit(1670346609.135:258): proctitle="/usr/libexec/flatpak-system-helper"
type=SYSCALL msg=audit(1670346609.135:258): arch=c000003e syscall=254 success=no exit=-13 a0=7 a1=5618c8a5f2f0 a2=1002fce a3=7ffd1219a080 items=0 ppid=1 pid=1896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/libexec/flatpak-system-helper" subj=system_u:system_r:flatpak_helper_t:s0 key=(null)
type=AVC msg=audit(1670346609.135:258): avc: denied { watch } for pid=1896 comm="gmain" path="/usr/libexec" dev="dm-1" ino=529602 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0
----
time->Tue Dec 6 17:10:13 2022
type=PROCTITLE msg=audit(1670346613.135:259): proctitle="/usr/libexec/flatpak-system-helper"
type=SYSCALL msg=audit(1670346613.135:259): arch=c000003e syscall=254 success=no exit=-13 a0=7 a1=5618c8a5f2f0 a2=1002fce a3=7ffd1219a080 items=0 ppid=1 pid=1896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/libexec/flatpak-system-helper" subj=system_u:system_r:flatpak_helper_t:s0 key=(null)
type=AVC msg=audit(1670346613.135:259): avc: denied { watch } for pid=1896 comm="gmain" path="/usr/libexec" dev="dm-1" ino=529602 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0
----
time->Tue Dec 6 17:10:17 2022
type=PROCTITLE msg=audit(1670346617.135:260): proctitle="/usr/libexec/flatpak-system-helper"
type=SYSCALL msg=audit(1670346617.135:260): arch=c000003e syscall=254 success=no exit=-13 a0=7 a1=5618c8a5f2f0 a2=1002fce a3=7ffd1219a080 items=0 ppid=1 pid=1896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/libexec/flatpak-system-helper" subj=system_u:system_r:flatpak_helper_t:s0 key=(null)
type=AVC msg=audit(1670346617.135:260): avc: denied { watch } for pid=1896 comm="gmain" path="/usr/libexec" dev="dm-1" ino=529602 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0
----

Version-Release number of selected component (if applicable):
# rpm -q flatpak gnome-shell centos-stream-release
flatpak-1.12.7-2.el9.x86_64
gnome-shell-40.10-3.el9.x86_64
centos-stream-release-9.0-18.el9.noarch

How reproducible:

Steps to Reproduce:
1. Fresh VM with CS9
2. Gnome session / normal user
3. flatpak --user remote-add --if-not-exists fedora oci+https://registry.fedoraproject.org
4. flatpak --user install org.gnome.Weather

Actual results:
AVC in logs and installed application could only be run with flatpak --user run org.gnome.Weather

Expected results:
no AVC and app launch via GUI (icon)
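
A triage sketch for a flood like the one in this report, added here as an example (it is not part of the bug report or of flatpak): it collapses repeated AVC denials into one row per source type, target type, class, permission and path, and reports how often each repeats. The function names are hypothetical, and the sample input is rebuilt from the three AVC records quoted above.

```python
import re
import statistics
from collections import defaultdict

# Sample input: the three AVC lines quoted in the report, rebuilt from their
# timestamps and serials (whitespace as it appears on the page).
SAMPLE = "\n".join(
    f"type=AVC msg=audit({ts}:{serial}): avc: denied {{ watch }} for pid=1896 "
    'comm="gmain" path="/usr/libexec" dev="dm-1" ino=529602 '
    "scontext=system_u:system_r:flatpak_helper_t:s0 "
    "tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0"
    for ts, serial in (("1670346609.135", 258), ("1670346613.135", 259),
                       ("1670346617.135", 260))
)

AVC_RE = re.compile(r"type=AVC msg=audit\((\d+\.\d+):\d+\): avc:\s+denied\s+"
                    r"\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["ts"] = float(m.group(1))
    rec["perms"] = tuple(m.group(2).split())
    return rec


def selinux_type(context):
    """Third field of user:role:type:level; the part policy rules name."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(lines):
    """Collapse repeated denials into one row per distinct rule, busiest first."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        key = (selinux_type(rec.get("scontext")), selinux_type(rec.get("tcontext")),
               rec.get("tclass"), rec["perms"], rec.get("path"))
        groups[key].append(rec["ts"])
    rows = []
    for (src, tgt, tclass, perms, path), stamps in groups.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        rows.append({"source_type": src, "target_type": tgt, "tclass": tclass,
                     "perms": perms, "path": path, "count": len(stamps),
                     "median_gap_s": round(statistics.median(gaps), 3) if gaps else None})
    return sorted(rows, key=lambda r: r["count"], reverse=True)
```

On the report's records, `summarize(SAMPLE.splitlines())` yields a single row (flatpak_helper_t, bin_t, dir, watch, /usr/libexec) repeating every 4 seconds.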