Bug 1726221 - the flatpak-system-helper service runs as unconfined_service_t
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: flatpak
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.2
Assignee: David King
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1726199
 
Reported: 2019-07-02 11:09 UTC by Milos Malik
Modified: 2020-04-28 16:11 UTC (History)

Fixed In Version: flatpak-1.4.3-1.el8
Last Closed: 2020-04-28 16:10:29 UTC
Type: Bug



Links
System: Red Hat Product Errata
ID: RHEA-2020:1767
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-04-28 16:11:10 UTC

Description Milos Malik 2019-07-02 11:09:08 UTC
Description of problem:
 * the service is shipped but it is not confined by SELinux

Version-Release number of selected component (if applicable):
flatpak-1.0.6-4.el8.x86_64
selinux-policy-3.14.3-9.el8.noarch
selinux-policy-targeted-3.14.3-9.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
# service flatpak-system-helper status
Redirecting to /bin/systemctl status flatpak-system-helper.service
● flatpak-system-helper.service - flatpak system helper
   Loaded: loaded (/usr/lib/systemd/system/flatpak-system-helper.service; static; vendor preset: disabled)
   Active: inactive (dead)

Jul 02 05:29:06 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Starting flatpak system helper...
Jul 02 05:29:06 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Started flatpak system helper.
Jul 02 06:57:55 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Starting flatpak system helper...
Jul 02 06:57:55 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Started flatpak system helper.
Jul 02 07:01:30 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopping flatpak system helper...
Jul 02 07:01:30 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopped flatpak system helper.
# service flatpak-system-helper start
Redirecting to /bin/systemctl start flatpak-system-helper.service
# service flatpak-system-helper status
Redirecting to /bin/systemctl status flatpak-system-helper.service
● flatpak-system-helper.service - flatpak system helper
   Loaded: loaded (/usr/lib/systemd/system/flatpak-system-helper.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2019-07-02 07:02:04 EDT; 1s ago
 Main PID: 15645 (flatpak-system-)
    Tasks: 4 (limit: 11518)
   Memory: 2.5M
   CGroup: /system.slice/flatpak-system-helper.service
           └─15645 /usr/libexec/flatpak-system-helper

Jul 02 07:02:04 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Starting flatpak system helper...
Jul 02 07:02:04 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Started flatpak system helper.
# ps -efZ | grep flatpak-system-helper
system_u:system_r:unconfined_service_t:s0 root 15645 1  0 07:02 ?      00:00:00 /usr/libexec/flatpak-system-helper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 15676 4655  0 07:02 pts/0 00:00:00 grep --color=auto flatpak-system-helper
# ls -Z /usr/libexec/flatpak-system-helper
system_u:object_r:bin_t:s0 /usr/libexec/flatpak-system-helper
# 

Actual results:
 * the service is not confined

Expected results:
 * the service is confined
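
The `ps -efZ` check from the report, generalized to every process on a host, as an added example that is not part of the original bug report. The function names and the third sample line (a confined sshd) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list daemons that run in the
# unconfined_service_t SELinux domain, using `ps -efZ` output as input.

# Sample input. Lines 1-2 are the ps output quoted in the report; line 3
# is a constructed line for a confined daemon, added for contrast.
sample_ps_output() {
cat <<'EOF'
system_u:system_r:unconfined_service_t:s0 root 15645 1  0 07:02 ?      00:00:00 /usr/libexec/flatpak-system-helper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 15676 4655  0 07:02 pts/0 00:00:00 grep --color=auto flatpak-system-helper
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1021 1  0 05:29 ?      00:00:00 /usr/sbin/sshd -D
EOF
}

# find_unconfined_services (hypothetical helper name): reads `ps -efZ`
# lines on stdin and prints "PID TYPE COMMAND" for each process whose
# SELinux type is exactly unconfined_service_t.
find_unconfined_services() {
    awk '
    {
        # Context is user:role:type:level; the level may itself contain
        # colons (s0-s0:c0.c1023), so only the third field is trusted.
        n = split($1, ctx, ":")
        if (n < 4) next                      # header or non-SELinux line
        if (ctx[3] != "unconfined_service_t") next
        # ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD...
        cmd = $9
        for (i = 10; i <= NF; i++) cmd = cmd " " $i
        print $3, ctx[3], cmd
    }'
}

# Live use on an SELinux host: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    ps -efZ | find_unconfined_services
fi
```

For each process it lists, `ls -Z` on the executable shows whether the file carries only the generic bin_t label, as /usr/libexec/flatpak-system-helper does in the report.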

Comment 6 errata-xmlrpc 2020-04-28 16:10:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1767

