Bug 2346202

Summary: flatpak cannot install as regular user
Product: [Fedora] Fedora Reporter: Patrick Lang <patrick.lang>
Component: wsl-setupAssignee: Jeremy Cline <jeremy>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 42CC: cloud-sig, jeremy, nilskemail, yselkowi
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrick Lang 2025-02-17 23:56:05 UTC 
In a normal workstation (or atomic desktop) install, `flatpak install` itself does not require `sudo`.

When running under WSL2, this seems to require some permissions that are not granted. I'm not sure if this is a configuration issue that Fedora can fix as part of the user config, or if it is a limitation in how WSL's kernel and/or systemd configuration.

Reproducible: Always

Steps to Reproduce:
1. sudo flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
2. flatpak install org.kicad.KiCad

Actual Results:  
$ flatpak install org.kicad.KiCad
Looking for matches…
F: An error was encountered searching remote ‘fedora’ for ‘org.kicad.KiCad’: Unable to load summary from remote fedora: Flatpak system operation GenerateOciSummary not allowed for user
Remotes found with refs similar to ‘org.kicad.KiCad’:

   1) ‘flathub’ (system)
   2) ‘flathub’ (user)

Which do you want to use (0 to abort)? [0-2]: 1
Required runtime for org.kicad.KiCad/x86_64/stable (runtime/org.freedesktop.Sdk/x86_64/24.08) found in remote flathub
Do you want to install it? [Y/n]:

org.kicad.KiCad permissions:
    ipc    network    x11    dri    file access [1]

    [1] home


        ID                                            Branch           Op           Remote            Download
 1. [✗] org.freedesktop.Sdk.Locale                    24.08            i            flathub              18.6 kB / 385.7 MB
 2. [✗] org.freedesktop.Sdk                           24.08            i            flathub             421.5 MB / 620.3 MB
 3. [ ] org.kicad.KiCad.Library.Footprints            stable           i            flathub            < 41.4 MB
 4. [ ] org.kicad.KiCad.Library.Packages3D            stable           i            flathub           < 875.1 MB
 5. [ ] org.kicad.KiCad.Library.Symbols               stable           i            flathub            < 10.7 MB
 6. [ ] org.kicad.KiCad.Library.Templates             stable           i            flathub             < 3.0 MB
 7. [ ] org.kicad.KiCad.Locale                        stable           i            flathub            < 57.2 kB (partial)
 8. [ ] org.kicad.KiCad                               stable           i            flathub           < 427.7 MB

Warning: Failed to get revokefs-fuse socket from system-helper: Flatpak system operation GetRevokefsFd not allowed for user
Warning: Flatpak system operation Deploy not allowed for user
Warning: Failed to get revokefs-fuse socket from system-helper: Flatpak system operation GetRevokefsFd not allowed for user
Error: Flatpak system operation Deploy not allowed for user
error: Failed to install org.freedesktop.Sdk: Flatpak system operation Deploy not allowed for user

Expected Results:  
No errors, should have installed.

As a mitigation, you can run `sudo flatpak install` instead and it will be able to install the app. Running the app as a user works with `flatpak run` as usual.
Comment 1 Jeremy Cline 2025-02-18 16:48:02 UTC 
I think this is due to the polkit rules. The rule in /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules has:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install"||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }

    return polkit.Result.NOT_HANDLED;
});

I dropped some debug logs in the rule and tested it with "pkcheck --action-id "org.freedesktop.Flatpak.app-install" --process $$ -u --enable-internal-agent

[Subject pid=260 user='jcline' groups=jcline,wheel seat=null session=null system_unit=null local=false active=false]

So the rule doesn't apply because the user is not marked local (true if the seat associated with the subject is local) or active (true if the session is active). This is not an area I'm terribly familiar with so I'm going to have to do some further research on the right way to fix this.
Comment 2 nilskemail 2025-05-06 21:43:01 UTC 
I don't have a windows machine at hand any longer but this is very likely an artifact of WSL not spawning a proper user session through PAM (https://github.com/microsoft/WSL/issues/9213) and thus also not dbus etc (https://github.com/microsoft/WSL/issues/8842)