Description of problem:
dmesg error: SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
Version-Release number of selected component (if applicable):
selinux-policy 3.14.6-23.fc33
How reproducible:
always
Steps to Reproduce:
1. Boot Fedora Workstation Rawhide
Actual results:
dmesg error: SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
Expected results:
No error.
Hi,
Such an error can appear if there is a problem with the flatpak selinux policy module. Have you uninstalled it recently?
    # rpm -q flatpak-selinux
    # semodule -lfull|grep flatpak
    # ll /var/lib/selinux/targeted/active/modules/200/flatpak/
Apparently I did not uninstall flatpak-selinux:
    grep flatpak-selinux /var/log/dnf.rpm.log
    2020-06-22T05:52:23Z SUBDEBUG Upgrade: flatpak-selinux-1.7.3-1.fc33.noarch
    2020-06-22T05:59:50Z SUBDEBUG Upgraded: flatpak-selinux-1.7.2-1.fc33.noarch
    2020-06-27T08:14:57Z SUBDEBUG Upgrade: flatpak-selinux-1.8.0-1.fc33.noarch
    2020-06-27T08:19:51Z SUBDEBUG Upgraded: flatpak-selinux-1.7.3-1.fc33.noarch
    2020-07-06T09:55:19Z SUBDEBUG Upgrade: flatpak-selinux-1.8.1-1.fc33.noarch
    2020-07-06T09:58:51Z SUBDEBUG Upgraded: flatpak-selinux-1.8.0-1.fc33.noarch
    2020-08-03T16:14:56Z SUBDEBUG Upgrade: flatpak-selinux-1.8.1-2.fc33.noarch
    2020-08-03T16:27:32Z SUBDEBUG Upgraded: flatpak-selinux-1.8.1-1.fc33.noarch
    2020-08-25T03:59:52Z SUBDEBUG Upgrade: flatpak-selinux-1.8.2-1.fc34.noarch
    2020-08-25T04:10:39Z SUBDEBUG Upgraded: flatpak-selinux-1.8.1-2.fc33.noarch
    rpm -q flatpak-selinux
    flatpak-selinux-1.8.2-1.fc34.noarch
    sudo semodule -lfull|grep flatpak
    200 flatpak pp
    sudo ls -l /var/lib/selinux/targeted/active/modules/200/flatpak/
    total 20
    -rw-------. 1 root root 2535 Aug 30 09:52 cil
    -rw-------. 1 root root 11894 Aug 30 09:52 hll
    -rw-------. 1 root root 2 Aug 30 09:52 lang_ext
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.
This affects F35 since selinux-policy-targeted-35.10-1.fc35.noarch. Changing priority to High since this now means automatic flatpak upgrading may stop working.
I was seeing AVCs like this:
    type=AVC msg=audit(1642590463.412:615): avc: denied { execute } for pid=25890 comm="(m-helper)" name="flatpak-system-helper" dev="dm-1" ino=1060919 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
Upgrading flatpak didn't help:
    # dnf update --enablerepo=updates-testing flatpak
    Last metadata expiration check: 0:00:49 ago on Wed 19 Jan 2022 11:08:04 GMT.
    Dependencies resolved.
    ================================================================================
     Package                  Arch     Version         Repository        Size
    ================================================================================
    Upgrading:
     flatpak                  x86_64   1.12.4-1.fc35   updates-testing  1.5 M
     flatpak-selinux          noarch   1.12.4-1.fc35   updates-testing   22 k
     flatpak-session-helper   x86_64   1.12.4-1.fc35   updates-testing   43 k
    Transaction Summary
    ================================================================================
    Upgrade  3 Packages
    Total download size: 1.6 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/3): flatpak-selinux-1.12.4-1.fc35.noarch.rpm 157 kB/s | 22 kB 00:00
    (2/3): flatpak-session-helper-1.12.4-1.fc35.x86 286 kB/s | 43 kB 00:00
    (3/3): flatpak-1.12.4-1.fc35.x86_64.rpm 4.1 MB/s | 1.5 MB 00:00
    --------------------------------------------------------------------------------
    Total 2.2 MB/s | 1.6 MB 00:00
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing : 1/1
      Upgrading : flatpak-session-helper-1.12.4-1.fc35.x86_64 1/6
      Upgrading : flatpak-selinux-1.12.4-1.fc35.noarch 2/6
      Running scriptlet: flatpak-selinux-1.12.4-1.fc35.noarch 2/6
    Problems processing filecon rules
    Failed post db handling
    Post process failed
    /usr/sbin/semodule: Failed!
      Running scriptlet: flatpak-1.12.4-1.fc35.x86_64 3/6
      Upgrading : flatpak-1.12.4-1.fc35.x86_64 3/6
    error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61e7f147, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
    error: Plugin selinux: hook fsm_file_prepare failed
    Error unpacking rpm package flatpak-1.12.4-1.fc35.x86_64
      Cleanup : flatpak-selinux-1.12.3-1.fc35.noarch 4/6
    error: unpacking of archive failed on file /usr/libexec/flatpak-system-helper;61e7f147: cpio: (error 0x2)
    error: flatpak-1.12.4-1.fc35.x86_64: install failed
    error: flatpak-1.12.3-1.fc35.x86_64: erase skipped
      Running scriptlet: flatpak-selinux-1.12.3-1.fc35.noarch 4/6
      Cleanup : flatpak-session-helper-1.12.3-1.fc35.x86_64 5/6
      Running scriptlet: flatpak-session-helper-1.12.3-1.fc35.x86_64 5/6
      Verifying : flatpak-1.12.4-1.fc35.x86_64 1/6
      Verifying : flatpak-1.12.3-1.fc35.x86_64 2/6
      Verifying : flatpak-selinux-1.12.4-1.fc35.noarch 3/6
      Verifying : flatpak-selinux-1.12.3-1.fc35.noarch 4/6
      Verifying : flatpak-session-helper-1.12.4-1.fc35.x86_64 5/6
      Verifying : flatpak-session-helper-1.12.3-1.fc35.x86_64 6/6
    Upgraded:
      flatpak-selinux-1.12.4-1.fc35.noarch flatpak-session-helper-1.12.4-1.fc35.x86_64
    Failed:
      flatpak-1.12.3-1.fc35.x86_64 flatpak-1.12.4-1.fc35.x86_64
    Error: Transaction failed
Does the flatpak policy module contain any mention of the "lockdown" string?
No, not that I see in flatpak-1.12-4/selinux.
Please update to selinux-policy-35.11-1 and let me know if the problems persist.
I'm getting this issue, as well as one with crun:
    Installing : crun-1.4.1-1.fc35.x86_64 1/1
    error: lsetfilecon: (/usr/bin/crun;61e924df, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
    error: Plugin selinux: hook fsm_file_prepare failed
and osbuild:
    Installing : osbuild-46-1.20220119145423018138.main.1.g597759c.fc35.noarch 1/1
    error: lsetfilecon: (/usr/bin/osbuild;61e92353, system_u:object_r:osbuild_exec_t:s0) Invalid argument
    error: Plugin selinux: hook fsm_file_prepare failed
I just tried installing selinux-policy-35.11-1 from koji and got:
    Upgrading : selinux-policy-35.11-1.fc35.noarch 1/8
    Running scriptlet: selinux-policy-35.11-1.fc35.noarch 1/8
    Problems processing filecon rules
    Failed post db handling
    Post process failed
    /usr/sbin/semodule: Failed!
Hmm, once selinux-policy-35.11-1 was installed things seem to work again though.
selinux-policy-targeted-35.11-1 works for me too.
(In reply to Alexander Larsson from comment #9)
> Hmm, once selinux-policy-35.11-1 was installed things seem to work again
> though.
(In reply to Tim Waugh from comment #10)
> selinux-policy-targeted-35.11-1 works for me too.
Thanks for the testing!
Closing based on previous comments.
This problem has returned in Rawhide. This is a clean install from Fedora-Workstation-Live-x86_64-Rawhide-20220201.n.1.iso which has:
    flatpak-selinux-1.12.4-2.fc36.noarch
    selinux-policy-36.1-1.fc36.noarch
But the problem remains once updated to selinux-policy-36.1-1.fc36.noarch.
    [ 48.798067] kernel: SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
    [ 48.377025] audit[2517]: AVC avc: denied { execute } for pid=2517 comm="(m-helper)" name="flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
    [ 48.378380] audit[2517]: AVC avc: denied { execute_no_trans } for pid=2517 comm="(m-helper)" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
    [ 48.384703] audit[2517]: AVC avc: denied { map } for pid=2517 comm="flatpak-system-" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
    $
    $ sudo semodule -lfull|grep flatpak
    200 flatpak pp
    $ sudo ls -lZ /var/lib/selinux/targeted/active/modules/200/flatpak/
    total 20
    -rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0 2588 Feb 7 18:34 cil
    -rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0 12089 Feb 7 18:34 hll
    -rw-------. 1 root root unconfined_u:object_r:semanage_store_t:s0 2 Feb 7 18:34 lang_ext
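Added example (not part of any comment in this report, and not code from Fedora, flatpak or selinux-policy): a small triage script for the log pattern shown in the comments above, where an AVC record has `tcontext` of `unlabeled_t` but still carries the on-disk label in `trawcon`, meaning the loaded policy does not define that type. The function names and the report layout are assumptions made for this illustration.

```python
import re

# Records copied from the comments above, plus one constructed ordinary
# denial (last entry) that has no trawcon and must not be flagged.
SAMPLE = [
    '[ 48.798067] kernel: SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).',
    '[ 48.377025] audit[2517]: AVC avc: denied { execute } for pid=2517 comm="(m-helper)" name="flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    '[ 48.378380] audit[2517]: AVC avc: denied { execute_no_trans } for pid=2517 comm="(m-helper)" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    '[ 48.384703] audit[2517]: AVC avc: denied { map } for pid=2517 comm="flatpak-system-" path="/usr/libexec/flatpak-system-helper" dev="nvme0n1p5" ino=45546 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    'type=AVC msg=audit(1642590463.412:615): avc: denied { execute } for pid=25890 comm="(m-helper)" name="flatpak-system-helper" dev="dm-1" ino=1060919 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read } for pid=1 comm="example" name="example.conf" dev="dm-1" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

UNMAPPED = re.compile(r"SELinux:\s+Context (\S+) is not valid \(left unmapped\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def ctx_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def find_unmapped(lines):
    """Group evidence of labels the loaded policy does not define, by type."""
    report = {}
    def entry(raw_context):
        return report.setdefault(ctx_type(raw_context), {
            "kernel_warning": False, "perms": set(), "objects": set(), "enforced": False})
    for line in lines:
        warned = UNMAPPED.search(line)
        if warned:
            entry(warned.group(1))["kernel_warning"] = True
            continue
        denied = PERMS.search(line)
        if not denied:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        # trawcon holds the label stored on disk; tcontext is unlabeled_t
        # because the kernel could not map that label to the loaded policy.
        if "trawcon" not in f or ctx_type(f.get("tcontext", "")) != "unlabeled_t":
            continue
        e = entry(f["trawcon"])
        e["perms"].update(denied.group(1).split())
        e["objects"].add(f.get("path") or f.get("name", "?"))
        e["enforced"] |= f.get("permissive") == "0"  # denial was actually applied
    return report

if __name__ == "__main__":
    for t, e in find_unmapped(SAMPLE).items():
        print(t, sorted(e["perms"]), sorted(e["objects"]), "enforced" if e["enforced"] else "permissive only")
```

Each reported type points at a policy module whose types are missing from the loaded policy; the lines can come from `journalctl -k` or `ausearch -m avc` output.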
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
I upgraded F35 to F36 this morning and now all dnf operations are giving me failures with these errors. Example:
    Running transaction
      Preparing : 1/1
      Upgrading : conmon-2:2.1.0-2.fc36.x86_64 1/2
    error: lsetfilecon: (/usr/bin/conmon;624e495d, system_u:object_r:conmon_exec_t:s0) Invalid argument
    error: Plugin selinux: hook fsm_file_prepare failed
I have selinux-policy-36.5-1.fc36.noarch installed. How does one fix this?
    semodule -X 200 -r container snappy flatpak
    dnf reinstall container-selinux flatpak-selinux
The issue as reported has been resolved. There are some additional problems; you can monitor bz#2056303 for the latest development.