Bug 1764538 - SELinux is preventing (m-helper) from 'execute' accesses on the fichier /usr/libexec/flatpak-system-helper.
Summary: SELinux is preventing (m-helper) from 'execute' accesses on the fichier /usr/...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 30
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: David King
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:17f22524034b50935339f173008...
: 1764541 1780902 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-23 09:44 UTC by Cocci Satch
Modified: 2020-04-17 11:25 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-17 11:25:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: CameraZOOM-20191021204545113.jpg (9.36 MB, application/octet-stream)
2019-10-23 09:45 UTC, Cocci Satch
no flags Details
File: CameraZOOM-20191021204602496.jpg (7.94 MB, application/octet-stream)
2019-10-23 09:45 UTC, Cocci Satch
no flags Details

Description Cocci Satch 2019-10-23 09:44:58 UTC
Description of problem:
Hello,

I have this problem since the update of October 21, which caused a panic kernel, so I start on the previous kernel and I have this error.
SELinux is preventing (m-helper) from 'execute' accesses on the fichier /usr/libexec/flatpak-system-helper.

*****  Plugin catchall (100. confidence) suggests   **************************

Si vous pensez que (m-helper) devrait être autorisé à accéder execute sur flatpak-system-helper file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "(m-helper)" --raw | audit2allow -M my-mhelper
# semodule -X 300 -i my-mhelper.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /usr/libexec/flatpak-system-helper [ file ]
Source                        (m-helper)
Source Path                   (m-helper)
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Inconnu>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.15-200.fc30.x86_64 #1 SMP Mon
                              Sep 16 15:17:36 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-21 20:49:45 CEST
Last Seen                     2019-10-21 20:49:45 CEST
Local ID                      cddabb61-f6e6-4f6e-85e6-a5629cba108c

Raw Audit Messages
type=AVC msg=audit(1571683785.613:293): avc:  denied  { execute } for  pid=3623 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=2502826 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"


Hash: (m-helper),init_t,unlabeled_t,file,execute


Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.15-200.fc30.x86_64
type:           libreport

Comment 1 Cocci Satch 2019-10-23 09:45:25 UTC
Created attachment 1628240 [details]
File: CameraZOOM-20191021204545113.jpg

Comment 2 Cocci Satch 2019-10-23 09:45:54 UTC
Created attachment 1628242 [details]
File: CameraZOOM-20191021204602496.jpg

Comment 3 Lukas Vrabec 2019-10-23 09:59:38 UTC
*** Bug 1764541 has been marked as a duplicate of this bug. ***

Comment 4 Cocci Satch 2019-10-23 10:05:25 UTC
I'm sorry, i speak english little.
I have 3 alerts on Selinux, i have report all alerts :/ :
https://bugzilla.redhat.com/show_bug.cgi?id=1764538
https://bugzilla.redhat.com/show_bug.cgi?id=1764541
https://bugzilla.redhat.com/show_bug.cgi?id=1764543

I don't know what do you need.
If you need more, say me what.

Thanks you very much

Comment 5 Zdenek Pytela 2019-11-25 16:58:03 UTC
Hi,

Could you please send the output of the following command?

rpm -qa selinux-policy\* container-selinux

Comment 6 Cocci Satch 2019-11-30 11:13:19 UTC
Hi

[snow@cocci-linux ~]$ rpm -qa selinux-policy\* container-selinux
selinux-policy-3.14.3-46.fc30.noarch
selinux-policy-targeted-3.14.3-46.fc30.noarch
[snow@cocci-linux ~]$

Comment 7 Matt Bacchi 2019-12-11 18:01:50 UTC
Similar problem has been detected:

Updated to selinux-policy-targeted-3.14.3-53.fc30.noarch

Error received:

  Running scriptlet: selinux-policy-3.14.3-53.fc30.noarch                                                                                                                                                                                                                  2/24 
  Running scriptlet: selinux-policy-targeted-3.14.3-53.fc30.noarch                                                                                                                                                                                                         3/24 
  Upgrading        : selinux-policy-targeted-3.14.3-53.fc30.noarch                                                                                                                                                                                                         3/24 
  Running scriptlet: selinux-policy-targeted-3.14.3-53.fc30.noarch                                                                                                                                                                                                         3/24 
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1784
Failed to generate binary
/usr/sbin/semodule:  Failed!

hashmarkername: setroubleshoot
kernel:         5.3.15-200.fc30.x86_64
package:        selinux-policy-3.14.3-53.fc30.noarch
reason:         SELinux is preventing restorecon from using the 'mac_admin' capabilities.
type:           libreport

Comment 8 Lukas Vrabec 2019-12-15 15:50:18 UTC
*** Bug 1780902 has been marked as a duplicate of this bug. ***

Comment 9 Jasper Vinkenvleugel 2019-12-16 10:16:40 UTC
I had a similar issue, but I managed to fix it. I was unable to run 'flatpak update', and reinstalling flatpak using dnf gave me the 'mac_admin' issue.

This comment gave the clue:

(In reply to Cocci Satch from comment #6)
> Hi
> 
> [snow@cocci-linux ~]$ rpm -qa selinux-policy\* container-selinux
> selinux-policy-3.14.3-46.fc30.noarch
> selinux-policy-targeted-3.14.3-46.fc30.noarch
> [snow@cocci-linux ~]$

I installed container-selinux and now everything works as usual again.

Comment 10 marcox.rossi 2019-12-20 11:45:53 UTC
Similar problem has been detected:

all'avvio del sistema

hashmarkername: setroubleshoot
kernel:         5.3.16-300.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing (m-helper) from 'execute' accesses on the file /usr/libexec/flatpak-system-helper.
type:           libreport

Comment 11 krinkodot22 2020-01-26 18:58:38 UTC
Similar problem has been detected:

This happens shortly after logging in. It has been happening for a few weeks now. Maybe what triggered this was a per-user installation of a Flatpak app.

hashmarkername: setroubleshoot
kernel:         5.4.13-201.fc31.x86_64
package:        selinux-policy-3.14.4-44.fc31.noarch
reason:         SELinux is preventing (m-helper) from 'execute' accesses on the file /usr/libexec/flatpak-system-helper.
type:           libreport

Comment 12 Zdenek Pytela 2020-04-02 14:16:41 UTC
Hi,

Can you still reproduce this bug with all packages updated?

Comment 13 Zdenek Pytela 2020-04-17 11:25:30 UTC
As this bug has no been updated for a certain period of long time and supposedly the bug has been fixed in the current release, we are going to close it.

Feel free open a new bugzilla if the issue persists.


Note You need to log in before you can comment on or make changes to this bug.