Description of problem:
I updated my system and rebooted, this came up.

SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

***** Plugin catchall_boolean (57.6 confidence) suggests ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

***** Plugin catchall_labels (36.2 confidence) suggests *******************

If you want to allow gnome-shell to have map access on the icon-theme.cache file
Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following:

Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'

***** Plugin catchall (7.64 confidence) suggests **************************

If you believe that gnome-shell should be allowed map access on the icon-theme.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache [ file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-33.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-33.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-01-15 11:50:56 CET
Last Seen                     2021-01-15 11:50:56 CET
Local ID                      aa4830c0-4c0c-42b1-a50a-3e61738ee4d2

Raw Audit Messages
type=AVC msg=audit(1610707856.418:294): avc: denied { map } for pid=1283 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1870134 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

Hash: gnome-shell,xdm_t,var_lib_t,file,map

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-33.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
type:           libreport
Copied from the dup bz:

> After the latest Fedora update, this pops up on every boot. I have "Shortwave" flatpak app installed, but don't run it, still the denial is shown.
>
> SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/de.haeckerfelix.Shortwave.service.

Raw Audit Messages
type=AVC msg=audit(1610708161.135:330): avc: denied { read } for pid=1233 comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
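Added example, not part of this bug report and not code from setroubleshoot or flatpak: a small Python triage helper that parses raw AVC records like the two quoted above, pulls out the source and target SELinux types, and rebuilds a key in the same comm,source type,target type,class,permission shape as the "Hash:" line in the report, so a flood of alerts can be counted per distinct denial rather than read one popup at a time. The key layout, the var_lib_t-under-/var/lib/flatpak/ check and the sample lines are assumptions drawn only from what this report shows.

```python
import re
from collections import Counter

# Constructed sample: the two raw AVC records quoted in this bug report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1610707856.418:294): avc: denied { map } for pid=1283 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1870134 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610708161.135:330): avc: denied { read } for pid=1233 comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
"""

# "avc: denied { map }" -> the permission list inside the braces (may hold several).
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values are either double-quoted (path, comm, name) or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def selinux_type(context):
    """Return the type (third colon-separated field) of a context,
    e.g. system_u:object_r:var_lib_t:s0 -> var_lib_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one raw 'type=AVC ... avc: denied' record. Returns None for any other line."""
    line = line.strip()
    if not line.startswith("type=AVC"):
        return None
    denied = _DENIED.search(line)
    if denied is None:
        return None
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    perms = denied.group(1).split()
    rec = {
        "comm": fields.get("comm", ""),
        "pid": int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
        "perms": perms,
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        # Files report a full path; directory entries (the lnk_file case) only a name.
        "path": fields.get("path"),
        "target": fields.get("path") or fields.get("name", ""),
        # permissive=1 means the access was logged but not blocked.
        "permissive": fields.get("permissive") == "1",
    }
    rec["source_type"] = selinux_type(rec["scontext"])
    rec["target_type"] = selinux_type(rec["tcontext"])
    # Same field order as the "Hash:" line in the report above (assumed; not setroubleshoot's code).
    rec["hash"] = ",".join(
        [rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"], " ".join(perms)]
    )
    return rec


def looks_like_unlabelled_flatpak_export(rec):
    """True when the denial matches this bug's signature: the target still carries the
    generic var_lib_t label and lives under /var/lib/flatpak/. Returns None when the
    record only gives a bare name, because the directory cannot be determined from it."""
    if rec["target_type"] != "var_lib_t":
        return False
    if rec["path"] is None:
        return None
    return rec["path"].startswith("/var/lib/flatpak/")


def summarize(audit_text):
    """Count denials per hash key across a block of raw audit lines."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[rec["hash"]] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {key}")
```

Feeding `ausearch -m AVC --raw` output into `summarize` collapses the "hundreds of alerts" reporters describe into a handful of distinct keys, and the `permissive` flag separates logged-only hosts from ones where the access was actually blocked.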
*** Bug 1916653 has been marked as a duplicate of this bug. ***
With the latest flatpak-1.8.10 and flatpak-selinux-1.8.10 update the setroubleshoot daemon is running like crazy with 100% CPU usage.
(In reply to Yang Wentao from comment #3)
> With the latest flatpak-1.8.10 and flatpak-selinux-1.8.10 update the
> setroubleshoot daemon is running like crazy with 100% CPU usage.

It's the upgrade from 1.8.2 to 1.10.0.
Similar problem has been detected:

Happens immediately after booting up the computer and logging into a gnome session

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-33.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Same issue, F33, multiple AVC denials on boot.

$ rpm -q flatpak flatpak-selinux
flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-1.10.0-1.fc33.noarch
I am also having this issue with flatpak and flatpak-selinux. While updating those packages, I also updated to the latest version of Flatseal (v1.6.7). Flatseal is a graphical utility to modify permissions of flatpak applications, and I am getting SELinux notifications for some of those as well (gnome podcasts accessing dbus-daemon, etc.)

$ rpm -q flatpak flatpak-selinux
flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-1.10.0-1.fc33.noarch
Similar problem has been detected:

I just did a massive upgrade after almost a month away

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport
This also occurs with sddm-greeter.

SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

***** Plugin catchall_boolean (57.6 confidence) suggests ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

***** Plugin catchall_labels (36.2 confidence) suggests *******************

If you want to allow sddm-greeter to have map access on the icon-theme.cache file
Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following:

Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'

***** Plugin catchall (7.64 confidence) suggests **************************

If you believe that sddm-greeter should be allowed map access on the icon-theme.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sddm-greeter' --raw | audit2allow -M my-sddmgreeter
# semodule -X 300 -i my-sddmgreeter.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache [ file ]
Source                        sddm-greeter
Source Path                   sddm-greeter
Port                          <Unknown>
Host                          yuri-7
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-33.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-33.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     yuri-7
Platform                      Linux yuri-7 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-01-17 13:38:52 CST
Last Seen                     2021-01-17 13:38:52 CST
Local ID                      67b305aa-7acc-40ec-ace0-4bf073e7c6a3

Raw Audit Messages
type=AVC msg=audit(1610912332.611:963): avc: denied { map } for pid=34275 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-2" ino=622361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: sddm-greeter,xdm_t,var_lib_t,file,map
Similar problem has been detected:

Applied the latest updates to Fedora 33 (workstation) this morning which included updates to Flatpak (v 1.10.0-1.fc33) and to the SELinux policies: selinux-policy and selinux-policy-targeted (v 3.14.6-34.fc33)

Now getting a lot of AVC denial alerts popping up upon initial login to GNOME desktop session. 89 alerts for dbus-daemon (read), 19 alerts for gnome-shell (mime.cache), 7 alerts for colord (magic) and 4 alerts for colord (generic-icons). This is just from logging in. No other apps were launched before the alerts started.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service.
type:           libreport
Similar problem has been detected:

Updated to gnome-shell-3.38.3-1.fc33.x86_64, selinux-policy-targeted-3.14.6-34.fc33.noarch

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

Not sure

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

This happens on every power on.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport
Similar problem has been detected:

Getting a number of these upon login to GNOME session after power cycle. Started after the recent updates which included Flatpak and selinux-policy updates

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport
Similar problem has been detected:

my SELinux went berserk today after the following DNF transaction (packages update)
I already tried relabeling but it didn't help

Transaction ID : 649
Begin time     : Sat 28 Nov 2020 17:21:14 CST
Begin rpmdb    : 4223:e36f287702a2adb6015914f51a43f151d14dc591
End time       : Sat 28 Nov 2020 17:21:39 CST (25 seconds)
End rpmdb      : 4223:94704b54ce632c26bdb1a8a407ba1267bc232da6
User           : Mikel Pérez <mikel>
Return-Code    : Success
Releasever     :
Command Line   :
Comment        :
Packages Altered:

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
type:           libreport
Similar problem has been detected:

After recent update, SELinux is now permanently glitching.

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Maps.service.
type:           libreport
Similar problem has been detected:

I think this happened on log in.

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
*** ConfidentialBug 1919121 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

Apparently installing the app "Peek" from Flathub via flatpak.

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/com.uploadedlobster.peek.service.
type:           libreport
Similar problem has been detected:

I think that I was just starting my computer, or maybe resuming from suspend.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

I ran a dnf update about 1 week ago and since then on every reboot I get hundreds of SELinux AVC denial messages.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Logs.service.
type:           libreport
Similar problem has been detected:

After login those warnings get issued like from a machine gun. :(

hashmarkername: setroubleshoot
kernel:         5.7.17-200.fc32.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport
Similar problem has been detected:

This happened during login after a reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

Logged into GNOME.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport
Similar problem has been detected:

Immediately after startup this problem occurs a lot of times (more than 10x)

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

Ever since updating to flatpak-1.10.1-1.fc33.x86_64, selinux-policy-3.14.6-34.fc33.noarch, selinux-policy-targeted-3.14.6-34.fc33.noarch, and flatpak-selinux-1.10.1-1.fc33.noarch I get 89 of these AVC alerts on every reboot

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service.
type:           libreport
Similar problem has been detected:

Starting a session

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the arquivo /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
This is a serious bug, the first one for me after 8 (?) years as a Fedora user.

Any workaround to prevent it until the bug is fixed?
Should I disable SELinux?
What do you suggest?
Oh, well, the "workaround" is pretty easy: sudo dnf remove setroubleshoot
(In reply to Federico Bruni from comment #28)
> This is a serious bug, the first one for me after 8 (?) years as Fedora user.
>
> Any workaround to prevent it until the bug is fixed?
> Should I disable SElinux?
> What do you suggest?

Downgrading flatpak to 1.8.2 and versionlocking it until it's fixed works for me.
Similar problem has been detected:

I saw many of these alerts just after logging in after a system reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport
Similar problem has been detected:

I think that this happened (28 times) just after logging in after a reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gabmus.whatip.service.
type:           libreport
can confirm downgrading flatpak to 1.8.2 stops the notifications
Similar problem has been detected: after reboot hashmarkername: setroubleshoot kernel: 5.10.11-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/app/org.gnome.Screenshot/current. type: libreport
Similar problem has been detected: I'm getting a bunch of SELinux denials when I have the flatpak com.uploadedlobster.peek installed, immediately when my system boots up. Steps to reproduce: 1) sudo flatpak install com.uploadedlobster.peek 2) reboot the system Notes: I did not test the reproducer above but it should work. If not I'll try to provide more info. hashmarkername: setroubleshoot kernel: 5.10.11-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/com.uploadedlobster.peek.service. type: libreport
Similar problem has been detected: After logging out to install some extension updates, an endless stream of SELinux alerts began to be raised, even while still on the GDM login screen. Once logging back in, SELinux security alerts keep getting raised over and over, all for dbus-daemon attempting read access on a lnk_file. The same alert gets raised for several lnk_files:
* org.gnome.Polari.service
* org.gnome.Contacts.service
* org.gnome.Tetravex.service
* org.gnome.Music.Tracker3.Miner.Files.Control.service
* org.gnome.Recipes.service
* org.gnome.Builder.service
* org.gnome.Extensions.service
* org.gnome.Documents.service
* org.gnome.Chess.service
* org.gnome.gedit.service
* org.gnome.Maps.service
* org.gnome.Games.service
* org.gnome.Photos.service
* and many more...
hashmarkername: setroubleshoot kernel: 5.10.12-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Characters.BackgroundService.service. type: libreport
Similar problem has been detected: Starting gnome-shell causes this problem when it tries to access the flatpak icon cache hashmarkername: setroubleshoot kernel: 5.10.13-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
A workaround (at least for GNOME 3) is to enable auto-login in Settings->Users->Automatic Login. That way, the CPU blowup will only happen when switching accounts, instead of on every boot.
Similar problem has been detected: After upgrade Fedora 32 / 33 Once logged on, SELinux gives lots of notifications in this regard. Tried re-labeling with "sudo fixfiles -B onboot", but it didn't seem to help. What might be the reason for these messages, and how to solve this issue? hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service. type: libreport
*** ConfidentialBug 1929352 has been marked as a duplicate of this bug. ***
Is there any progress on this? Each time I login on Fedora 33 I get bombarded with a huge amount of SELinux messages regarding flatpak accesses.
While waiting for fix: dnf downgrade flatpak Or downgrade fedora to 32 😀
Or remove flatpak. It's a software bundling security nightmare anyway. And I am not referring to anything to do with flatpak itself. I will leave others to criticize that if they wish. I am referring to lazy software developers that decide to bundle the world with their application because they cannot be bothered to try to make their application work with (maintained) distribution native libraries, and then forget all about "the world" (i.e. all of the libraries) that they bundled into their package while those libraries bitrot into security vulnerability after security vulnerability. A prudent flatpak application packager needs to be paying attention to the update stream of *all* of the libraries that they bundle and release new flatpak packages of their application every time one of those libraries releases a security fix. Do you honestly believe *all* flatpak packagers are doing that? I don't and therefore I don't use flatpak. I just removed it from my system. I was simply ignoring it before, but now that this bug is causing a slew of AVCs on every login, it's more effective to just "dnf erase flatpak". Hopefully that resolves this issue too.
Similar issues have been detected:

SELinux is preventing boltd from getattr access on the file /var/lib/flatpak/exports/share/mime/magic.

Additional Information:
Source Context        system_u:system_r:boltd_t:s0
Target Context        system_u:object_r:var_lib_t:s0
Target Objects        /var/lib/flatpak/exports/share/mime/magic [ file ]
Source                boltd
Source Path           boltd
Port                  <Unknown>
Host
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name
Platform              Linux 5.10.16-200.fc33.x86_64 #1 SMP Sun Feb 14 03:02:32 UTC 2021 x86_64 x86_64
Alert Count           14

Raw Audit Messages
type=AVC msg=audit(1613876685.397:183): avc: denied { getattr } for pid=1718 comm="boltd" path="/var/lib/flatpak/exports/share/mime/magic" dev="dm-1" ino=1177482 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: boltd,boltd_t,var_lib_t,file,getattr

-----------------------------

SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

Additional Information:
Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context        system_u:object_r:var_lib_t:s0
Target Objects        /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache [ file ]
Source                sddm-greeter
Source Path           sddm-greeter
Port                  <Unknown>
Host
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name
Platform              Linux 5.10.16-200.fc33.x86_64 #1 SMP Sun Feb 14 03:02:32 UTC 2021 x86_64 x86_64
Alert Count           2

Raw Audit Messages
type=AVC msg=audit(1613876703.807:666): avc: denied { map } for pid=2447 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-1" ino=1177475 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: sddm-greeter,xdm_t,var_lib_t,file,map
Not fixed after upgrading to selinux-policy-targeted from 3.14.6-34 to 3.14.6-35.
This bug is flooding any new graphical session here. As posted here, downgrading flatpak works as temporary a workaround: $ sudo dnf install flatpak-1.8.2-2.fc33 Regards
(In reply to Zdenek Pytela from comment #1) > Copied from the dup bz: > > After the latest Fedora update, this pops up on every boot. I have "Shortwave" flatpak app installed, but don't run it, still the denial is shown. > > SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/de.haeckerfelix.Shortwave.service. > > Raw Audit Messages > type=AVC msg=audit(1610708161.135:330): avc: denied { read } for pid=1233 > comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" > ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1 When can we expect that this will be ultimately fixed? Thanks in advance.
This bz should be addressed soon.
(In reply to Yannick Defais from comment #46) > As posted here, downgrading flatpak works as temporary a workaround: > $ sudo dnf install flatpak-1.8.2-2.fc33 Same here, I only get this with versions 1.10.1 and 1.10.2 of flatpak.
I have the same problem.
After updating flatpak to 1.10.2-1.fc33 things are still the same. Is this problem already being treated upstream by flatpak devel? Could anyone point me to the thread/error tracking?! Thank you all!
So, I found an issue reported at github/flatpak under this link. Hope this is the right place... https://github.com/flatpak/flatpak/issues/4128 Please, help to convince flatpak devel looking at this issue.
Switching the component to flatpak. Folks, Since flatpak-1.10 there are numerous bugs reported that a service cannot read objects in /var/lib/flatpak. Can you address the problem in the flatpak package? The solution can be assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the access to all domains which can deal with flatpaks. I am ready to work with you to ensure the interactions with selinux-policy work.
Downgrading flatpak seems to be the only solution without setting selinux to permissive at this moment. Is this a packaging/selinux-policy issue or an upstream one that needs to be addressed by flatpak devs? Additionally, since this is likely going to take a while to get fixed, is it possible to at least make flatpak 1.8.5 available in the repos?
Is anyone having this problem (selinux denials + setroubleshoot popups + high CPU usage) on Fedora 34? If so we can propose this as a blocker/FE for the Fedora 34 release.
Yes, I am receiving denials on startup in F34 as well: SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
*** Bug 1924645 has been marked as a duplicate of this bug. ***
*** Bug 1917119 has been marked as a duplicate of this bug. ***
Is there any progress on this issue? Versionlocking flatpak to 1.8 is blocking more and more package updates.
(In reply to Alice McLafferty from comment #59) > Is there any progress on this issue? Versionlocking flatpak to 1.8 is > blocking more and more package updates. No comments for a week on the issue page on Flatpak's github: https://github.com/flatpak/flatpak/issues/4128 It looks like nobody is working on this.
This bug can't block F34 because it's an F33 bug. It would be fairly rude to just re-assign it to F34 when it was clearly reported against F33 and is still affecting F33. For F34 purposes we need there to be an equivalent bug filed against F34.
I filed https://bugzilla.redhat.com/show_bug.cgi?id=1947214 and proposed it as an F34 blocker.
(In reply to Dusty Mabe from comment #55) > Is anyone having this problem (selinux denials + setroubleshoot popups + > high CPU usage) on Fedora 34? If so we can propose this as a blocker/FE for > the Fedora 34 release. Yes, had to set SELinux to permissive because otherwise the constant selinux denials in background would cause regular CPU spikes and microfreezes, that (among other issues) caused sound distortions when playing music or videos. Disabling the troubleshoot popups didn't help.
As far as I can see, the only workaround is to uninstall the setroubleshoot daemon: dnf autoremove setroubleshoot* Setting SELinux to permissive (whether globally or per SELinux domain) won't work, because these still count as SELinux denials, and setroubleshoot will always analyze SELinux denials, which is flooding if you have many flatpak apps installed. Removing setroubleshoot at least considerably lowers CPU usage. (Plain AVC denials and AVC logging are still available; it's just that you don't want to use setroubleshoot to analyze them. See https://wiki.centos.org/HowTos/SELinux for troubleshooting SELinux issues.) Also, setroubleshoot is by default no longer installed in recent Fedora Workstation versions, so this bug mainly affects long-upgraded Fedora installs, and is very unlikely to become an F34 blocker (see https://pagure.io/fedora-qa/blocker-review/issue/337)
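An added example for reading the raw AVC messages quoted earlier in this report without setroubleshoot (this is not code from the bug report, from flatpak, or from setroubleshoot). It parses audit lines, collapses a flood into one entry per source domain / target type / object class (the same fields setroubleshoot's "Hash:" line carries), and drafts audit2allow-style rules while flagging any rule whose target is a generic type such as var_lib_t, which is the reason a dedicated flatpak_var_lib_t type was proposed in this thread instead of a blanket allow. The sample lines are constructed (the first three reproduce denials quoted above, the fourth is made up); GENERIC_TYPES is a list chosen for this example, not an SELinux concept.

```python
"""Triage a flood of SELinux AVC denials without setroubleshoot.

Added example, not code from this bug report, flatpak or setroubleshoot:
groups raw audit lines by the fields setroubleshoot's "Hash:" line uses and
drafts audit2allow-style rules, flagging rules against generic target types.
"""
import re
import sys
from collections import defaultdict

# Constructed sample input. Lines 1-3 reproduce denials quoted in this
# report; line 4 is made up to show a repeated lnk_file read.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1613876685.397:183): avc:  denied  { getattr } for  pid=1718 '
    'comm="boltd" path="/var/lib/flatpak/exports/share/mime/magic" dev="dm-1" ino=1177482 '
    'scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1613876703.807:666): avc:  denied  { map } for  pid=2447 '
    'comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" '
    'dev="dm-1" ino=1177475 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233 '
    'comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1610708161.140:331): avc:  denied  { read } for  pid=1233 '
    'comm="dbus-daemon" name="org.gnome.Extensions.service" dev="dm-0" ino=874035 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=lnk_file permissive=1',
]

# The non-greedy .*? skips the pid=, path="..."/name="...", dev= and ino= fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

# Hypothetical list for this example (not an SELinux concept): types shared
# by many unrelated files, where a blanket allow rule is far too broad.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "bin_t", "lib_t", "tmp_t"}


def type_of(context):
    """Extract the type from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "perms": frozenset(d["perms"].split()),
        "comm": d["comm"],
        "sdomain": type_of(d["scontext"]),
        "ttype": type_of(d["tcontext"]),
        "tclass": d["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "blocked": d["permissive"] != "1",
    }


def group_denials(lines):
    """Collapse a flood into one entry per (source domain, target type, class)."""
    groups = defaultdict(lambda: {"count": 0, "blocked": 0, "perms": set(), "comms": set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["sdomain"], d["ttype"], d["tclass"])]
        g["count"] += 1
        g["blocked"] += d["blocked"]
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
    return dict(groups)


def draft_allow_rules(groups):
    """Draft one allow rule per group; warn where the target type is generic."""
    rules, warnings = [], []
    for (sdomain, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ %s }" % perms
        rules.append("allow %s %s:%s %s;" % (sdomain, ttype, tclass, perms))
        if ttype in GENERIC_TYPES:
            warnings.append("%s -> %s:%s would open every %s object to %s; "
                            "label the path with a dedicated type instead"
                            % (sdomain, ttype, tclass, ttype, sdomain))
    return rules, warnings


def main():
    lines = SAMPLE_AVC_LINES if sys.stdin.isatty() else sys.stdin
    groups = group_denials(lines)
    for (sdomain, ttype, tclass), g in sorted(groups.items()):
        print("%4d x %s %s:%s %s (%d blocked, comm=%s)" % (
            g["count"], sdomain, ttype, tclass, " ".join(sorted(g["perms"])),
            g["blocked"], ",".join(sorted(g["comms"]))))
    rules, warnings = draft_allow_rules(groups)
    print("\n".join(rules))
    for w in warnings:
        print("WARNING:", w)


if __name__ == "__main__":
    main()
```

Run it on real data with `ausearch -m AVC -ts today --raw | python3 avc_triage.py`. The rules it prints are for review, not for loading as-is: every rule here targets var_lib_t, so loading them would let xdm_t and boltd_t read or map far more than the flatpak exports directory, which is exactly the over-reach the dedicated-type approach avoids.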
Upstream is expecting Fedora contributors to fix this bug: https://github.com/flatpak/flatpak/issues/4128#issuecomment-804876383. As for F34, this couldn't happen because Fedora expects upstream to fix it, which forms an impossible 'nobody-fixes-the-bug' loop here; plus it's already very close to the F34 final freeze, and there's still no sign of anybody fixing it. For the long term the solution can only be somebody pretty familiar with SELinux pushing changes upstream. Note that this bug is pretty nasty; it's not even clear whether it's a dbus issue, a flatpak issue or even a gnome-shell issue. And I think casual users shouldn't even try to fix that. As a normal Fedora user I hacked around with some SELinux manuals but I don't understand very much beyond mass-kills like reassigning stuff to unconfined_t etc.
(In reply to Zdenek Pytela from comment #53) > Switching the component to flatpak. > > Folks, > > Since flatpak-1.10 there are numerous bugs reported that a service cannot > read objects in /var/lib/flatpak. > > Can you address the problem in the flatpak package? The solution can be > assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the > access to all domains which can deal with flatpaks. I am ready to work with > you to ensure the interactions with selinux-policy work. I started looking at this, but I'm going to need some help. First, can you explain please why does the fix need to be in flatpak, not in selinux policy? (I am not at all disagreeing with it, just trying to understand.) Second, I have this patch from amigadave who started looking at this but got stuck. Any suggestions if something like this is the way to go here? I'm happy to help drive this to finish on flatpak side but I don't really know a lot about selinux :) diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc index dc5b3bf8..06614276 100644 --- a/selinux/flatpak.fc +++ b/selinux/flatpak.fc @@ -1 +1,2 @@ /usr/libexec/flatpak-system-helper -- gen_context(system_u:object_r:flatpak_helper_exec_t,s0) +/var/lib/flatpak(/.*)? gen_context(system_u:object_r:flatpak_var_lib_t,s0) diff --git a/selinux/flatpak.te b/selinux/flatpak.te index 2bcc507b..09047d97 100644 --- a/selinux/flatpak.te +++ b/selinux/flatpak.te @@ -8,6 +8,9 @@ policy_module(flatpak, 0.0.1) # I did try to make the domain confined, but it needs a lot of # permissions and my selinux-foo just isn't good enough. +type flatpak_var_lib_t; +files_type(flatpak_var_lib_t) + type flatpak_helper_t; type flatpak_helper_exec_t; init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
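Review bot: the flatpak.te hunk declares `flatpak_var_lib_t` and the flatpak.fc hunk labels `/var/lib/flatpak(/.*)?` with it, but neither hunk adds an allow rule or an interface, so the denials quoted in this report (xdm_t mapping icon-theme.cache and reading the exported .service symlinks, boltd_t calling getattr on mime/magic) would keep firing with tcontext flatpak_var_lib_t instead of var_lib_t. Add an interface in flatpak.if, for example a `flatpak_read_var_lib(domain)` built from `read_files_pattern`, `read_lnk_files_pattern` and `mmap_read_files_pattern` on flatpak_var_lib_t, and state in the commit message which domains seen in these AVCs (xdm_t, boltd_t) need to call it from selinux-policy, since the flatpak module cannot reach into those domains by itself. Two smaller points: `policy_module(flatpak, 0.0.1)` should be bumped when a new type is introduced, and files already on disk keep var_lib_t until they are relabeled, so the package needs a `restorecon -R /var/lib/flatpak` in %post (or a note in the update) for the new .fc entry to take effect on upgraded systems.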
I'm willing to help, but I don't know what are the criteria to determine whether the issue is with the selinux policy or Flatpak itself. I used the setroubleshooter to create custom policies to stop the deluge of AVC denial warnings, but not sure what the next steps are.
Yang: setroubleshoot also has an "ignore" button, which just tells it to not bother you about this denial again. If there are dozens of different-but-similar ones it can be annoying/impractical to "ignore" them all, but otherwise it does the trick. Note I do think KDE still installs setroubleshoot by default.
Sorry if this is off-topic, but I was curious to see what flatpaks might be on my systems and "flatpak list" returns these: Name Application ID Version Branch Installation Fedora Platform org.fedoraproject.Platform 32 f32 system Fedora Platform org.fedoraproject.Platform 33 f33 system Fedora Platform org.fedoraproject.Platform 34 f34 system Extensions org.gnome.Extensions 40.0 stable system Is "Extensions" installed by default? I don't remember ever installing it myself - let alone twice - as I'm using gnome-tweaks and e.g.o to manage my extensions. (It could be that my memory is failing me though) Why do I get these three "Fedora Platform" versions on F33?
(In reply to Kalev Lember from comment #66) > (In reply to Zdenek Pytela from comment #53) > > Switching the component to flatpak. > > > > Folks, > > > > Since flatpak-1.10 there are numerous bugs reported that a service cannot > > read objects in /var/lib/flatpak. > > > > Can you address the problem in the flatpak package? The solution can be > > assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the > > access to all domains which can deal with flatpaks. I am ready to work with > > you to ensure the interactions with selinux-policy work. > > I started looking at this, but I'm going to need some help. First, can you > explain please why does the fix need to be in flatpak, not in selinux > policy? (I am not at all disagreeing with it, just trying to understand.) If a flatpak-related type, like flatpak_var_lib_t, is to be defined, it needs to be in the flatpak policy, as well as allowing the permissions. However, there are more possible ways how to deal with this issue. > > Second, I have this patch from amigadave who started looking at this but got > stuck. Any suggestions if something like this is the way to go here? > > I'm happy to help drive this to finish on flatpak side but I don't really > know a lot about selinux :) Conversely, I am happy to help with the selinux part, but I don't understand much the rest. > > > > diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc > index dc5b3bf8..06614276 100644 > --- a/selinux/flatpak.fc > +++ b/selinux/flatpak.fc > @@ -1 +1,2 @@ > /usr/libexec/flatpak-system-helper -- > gen_context(system_u:object_r:flatpak_helper_exec_t,s0) > +/var/lib/flatpak(/.*)? > gen_context(system_u:object_r:flatpak_var_lib_t,s0) > diff --git a/selinux/flatpak.te b/selinux/flatpak.te > index 2bcc507b..09047d97 100644 > --- a/selinux/flatpak.te > +++ b/selinux/flatpak.te 
> @@ -8,6 +8,9 @@ policy_module(flatpak, 0.0.1) > # I did try to make the domain confined, but it needs a lot of > # permissions and my selinux-foo just isn't good enough. > > +type flatpak_var_lib_t; > +files_type(flatpak_var_lib_t) > + > type flatpak_helper_t; > type flatpak_helper_exec_t; > init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t) This is a good start if we wanted to go this way. Currently I am not convinced it would solve all known problems.
(In reply to Adam Williamson from comment #68) > Yang: setroubleshoot also has an "ignore" button, which just tells it to not > bother you about this denial again. If there are dozens of > different-but-similar ones it can be annoying/impractical to "ignore" them > all, but otherwise it does the trick. > > Note I do think KDE still installs setroubleshoot by default. The ignore button in setroubleshoot works, and it's a global option which makes setroubleshoot quiet and doesn't send notifications. But the reason I dropped setroubleshoot is that it took too much CPU, to the extent that it will run one thread at 100%, and not just temporarily but for a long time (10 minutes or even longer). It's a pretty noticeable performance hit, especially on laptops (which are battery-sensitive) and on computers with weaker CPUs. Setroubleshoot will try to analyze SELinux denials in the background and send notifications to warn users. I guess most users wouldn't bother with SELinux and will just click the "ignore" button; a few will try to look at them and analyze them, which is not too bad since it will at least make users know they can check SELinux denials in setroubleshoot. But when a bug like this occurs and SELinux denials flood, setroubleshoot simply becomes a daemon that eats your hardware resources, and all users with a few flatpaks installed will be affected. SELinux denial floods aren't impossible or rare, as wrong SELinux labeling will make all files for that label trigger warnings, and when daemons like dbus recursively read files, SELinux denials flood. So I guess this is the reason recent Fedora versions dropped setroubleshoot: its overhead is potentially bigger than simple annoyance (which itself alone is not too bad), and the SELinux policy will have bugs. I checked my KDE install on a virtual machine and setroubleshoot wasn't installed by default as of Fedora 33.
I am not sure that eliminating the warning that SELinux gives is the right answer. I am one of the users that sometimes ignores an abort (if I think it is a one-time thing) and otherwise reports it. I normally do not touch SELinux directives. I find that a better solution to the problem that you rightly note, i.e. flooding of SELinux warnings and usage of CPU, begs a different kind of question: why do we analyze without a request from the user? So, suppose we would issue the warning, but not do the analysis until the user requests it. That is a far step from ignoring the problem altogether, i.e. not installing setroubleshoot. In summary, I have no reason to doubt your analysis, but I come to a different conclusion. Setroubleshoot should not occupy the CPU unless requested to do so by the user. The warning, however, as a user, I need. I cannot stress how important it is to know what is going wrong in my system.
*** Bug 1946091 has been marked as a duplicate of this bug. ***
*** Bug 1925791 has been marked as a duplicate of this bug. ***
*** Bug 1917174 has been marked as a duplicate of this bug. ***
*** Bug 1949634 has been marked as a duplicate of this bug. ***
*** Bug 1949640 has been marked as a duplicate of this bug. ***
*** Bug 1949637 has been marked as a duplicate of this bug. ***
*** Bug 1949645 has been marked as a duplicate of this bug. ***
*** Bug 1949648 has been marked as a duplicate of this bug. ***
*** Bug 1949649 has been marked as a duplicate of this bug. ***
*** Bug 1917172 has been marked as a duplicate of this bug. ***
*** Bug 1917173 has been marked as a duplicate of this bug. ***
*** ConfidentialBug 1917176 has been marked as a duplicate of this bug. ***
*** Bug 1917251 has been marked as a duplicate of this bug. ***
*** Bug 1949642 has been marked as a duplicate of this bug. ***
The discussion here has been spread out over 3 different tickets, so it's a bit hard to follow. A brief summary: We identified a workaround solution on the flatpak side (see https://bugzilla.redhat.com/show_bug.cgi?id=1947214#c5 and https://github.com/flatpak/flatpak/issues/4128#issuecomment-818019245) and decided to go with that until we have selinux policy changes figured out. I just kicked off flatpak builds for F33, F34 and rawhide with the fix.
FEDORA-2021-78e6b2c6a9 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-78e6b2c6a9
FEDORA-2021-78e6b2c6a9 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-78e6b2c6a9` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-78e6b2c6a9 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-78e6b2c6a9 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.