Bug 1916652 - SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 33
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Kalev Lember
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e8b18274348660ac0fe7ce3bda7...
Duplicates: 1916653 1917119 1917172 1917173 1917174 1917176 1917251 1919121 1924645 1925791 1929352 1946091 1949634 1949637 1949640 1949642 1949645 1949648 1949649
Depends On:
Blocks:
 
Reported: 2021-01-15 10:53 UTC by Kamil Páral
Modified: 2021-04-16 17:58 UTC
CC List: 98 users

Fixed In Version: flatpak-1.10.2-3.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-16 14:35:21 UTC
Type: ---




Links
GitHub flatpak/flatpak issue 4128 (open): "SELinux alerts", last updated 2021-03-23 17:39:46 UTC

Internal Links: 1928548

Description Kamil Páral 2021-01-15 10:53:01 UTC
Description of problem:
I updated my system and rebooted, this came up.
SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

*****  Plugin catchall_boolean (57.6 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall_labels (36.2 confidence) suggests   *******************

If you want to allow gnome-shell to have map access on the icon-theme.cache file
Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, 
httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, 
pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, wireshark_exec_t, 
wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'


*****  Plugin catchall (7.64 confidence) suggests   **************************

If you believe that gnome-shell should be allowed map access on the icon-theme.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache [ file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-33.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-33.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-01-15 11:50:56 CET
Last Seen                     2021-01-15 11:50:56 CET
Local ID                      aa4830c0-4c0c-42b1-a50a-3e61738ee4d2

Raw Audit Messages
type=AVC msg=audit(1610707856.418:294): avc:  denied  { map } for  pid=1283 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1870134 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


Hash: gnome-shell,xdm_t,var_lib_t,file,map

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-33.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-01-15 11:32:10 UTC
Copied from the dup bz:
> After the latest Fedora update, this pops up on every boot. I have the "Shortwave" flatpak app installed but don't run it; still, the denial is shown.
> SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/de.haeckerfelix.Shortwave.service.

Raw Audit Messages
type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233 comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1

Comment 2 Zdenek Pytela 2021-01-15 11:32:25 UTC
*** Bug 1916653 has been marked as a duplicate of this bug. ***

Comment 3 Yang Wentao 2021-01-16 14:12:38 UTC
With the latest flatpak-1.8.10 and flatpak-selinux-1.8.10 update the setroubleshoot daemon is running like crazy with 100% CPU usage.

Comment 4 Yang Wentao 2021-01-16 14:13:56 UTC
(In reply to Yang Wentao from comment #3)
> With the latest flatpak-1.8.10 and flatpak-selinux-1.8.10 update the
> setroubleshoot daemon is running like crazy with 100% CPU usage.

It's the upgrade from 1.8.2 to 1.10.0

Comment 5 leonmercier24 2021-01-17 11:58:26 UTC
Similar problem has been detected:

Happens immediately after booting up the computer and logging into a gnome session

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-33.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 6 Robb Romans 2021-01-17 14:46:07 UTC
Same issue, F33, multiple AVC Denials on boot.

$ rpm -q flatpak flatpak-selinux
flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-1.10.0-1.fc33.noarch

Comment 7 Ken 2021-01-17 15:53:50 UTC
I am also having this issue with flatpak and flatpak-selinux. 
While updating those packages, I also updated to the latest version of Flatseal (v1.6.7).

Flatseal is a graphical utility to modify permissions of flatpak applications; I am getting SELinux notifications for some of those as well (gnome podcasts accessing dbus-daemon, etc.).

rpm -q flatpak flatpak-selinux 
flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-1.10.0-1.fc33.noarch

Comment 8 Andre Costa 2021-01-17 19:27:31 UTC
Similar problem has been detected:

I just did a massive upgrade after almost a month away

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport

Comment 9 computerdude90042 2021-01-17 19:51:07 UTC
This also occurs with sddm-greeter

SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

*****  Plugin catchall_boolean (57.6 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall_labels (36.2 confidence) suggests   *******************

If you want to allow sddm-greeter to have map access on the icon-theme.cache file
Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, 
httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, 
pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, wireshark_exec_t, 
wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'


*****  Plugin catchall (7.64 confidence) suggests   **************************

If you believe that sddm-greeter should be allowed map access on the icon-theme.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sddm-greeter' --raw | audit2allow -M my-sddmgreeter
# semodule -X 300 -i my-sddmgreeter.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache [ file ]
Source                        sddm-greeter
Source Path                   sddm-greeter
Port                          <Unknown>
Host                          yuri-7
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-33.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-33.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     yuri-7
Platform                      Linux yuri-7 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-01-17 13:38:52 CST
Last Seen                     2021-01-17 13:38:52 CST
Local ID                      67b305aa-7acc-40ec-ace0-4bf073e7c6a3

Raw Audit Messages
type=AVC msg=audit(1610912332.611:963): avc:  denied  { map } for  pid=34275 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-2" ino=622361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: sddm-greeter,xdm_t,var_lib_t,file,map
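
The three raw AVC records quoted so far (the description, comment 1 and comment 9) can be triaged mechanically. The script below is an added example for this page, not code from the report, from setroubleshoot or from flatpak. It parses the records, rebuilds the "Hash:" line setroubleshoot prints, collapses the records into the allow rules audit2allow would emit, and flags that the target type is var_lib_t, the catch-all label for /var/lib. A denial against a catch-all type is a labeling problem: the right fix is to give the exports tree a specific file context (the fix recorded on this bug is a flatpak build, flatpak-1.10.2-3.fc33), not to grant xdm_t map and read on every var_lib_t object, and certainly not to flip the system-wide domain_can_mmap_files boolean that the catchall_boolean plugin proposes. GENERIC_FILE_TYPES is an assumption of the example, an illustrative list rather than anything the policy defines. The script also separates the permissive=1 records, which were logged but not blocked because the reporter's machine was in permissive mode, from the permissive=0 record in comment 9, which was actually denied.

```python
"""Triage the raw AVC records quoted in this bug.

Added example for this page; not code from the report, setroubleshoot or
flatpak. AVC_LINES are copied verbatim from the description and from
comments 1 and 9. GENERIC_FILE_TYPES is an assumption: an illustrative
set of catch-all labels whose appearance in a denial usually means the
target is mislabeled and should be relabeled, not granted.
"""
import re
from collections import defaultdict
from typing import Optional

AVC_LINES = [
    # description: gnome-shell, logged in permissive mode (permissive=1)
    'type=AVC msg=audit(1610707856.418:294): avc:  denied  { map } for  pid=1283 '
    'comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" '
    'dev="dm-0" ino=1870134 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    # comment 1: dbus-daemon reading a symlink in the exports tree
    'type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233 '
    'comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=lnk_file permissive=1',
    # comment 9: sddm-greeter, actually blocked (permissive=0)
    'type=AVC msg=audit(1610912332.611:963): avc:  denied  { map } for  pid=34275 '
    'comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" '
    'dev="dm-2" ino=622361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

# Assumption: illustrative catch-all types. An allow rule naming one of these
# grants access to everything carrying the label, not just the file that tripped.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "usr_t", "etc_t", "bin_t", "lib_t",
                      "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC record, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m["result"], "perms": m["perms"].split()}
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if quoted else bare
    # A context is user:role:type[:range]; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the kernel logged the access but let it through.
    rec["blocked"] = rec.get("permissive") == "0"
    return rec


def setroubleshoot_hash(rec: dict) -> str:
    """Rebuild the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                     " ".join(rec["perms"])])


def allow_rules(recs) -> list:
    """Collapse records into the allow rules audit2allow would generate."""
    perms = defaultdict(set)
    for r in recs:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        p = " ".join(sorted(ps))
        if len(ps) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules


def triage(recs) -> list:
    """One verdict per record. A generic target type means the object is
    mislabeled: fix the file context (semanage fcontext + restorecon, or the
    owning package's .fc file) instead of widening the source domain's policy."""
    verdicts = []
    for r in recs:
        generic = r["ttype"] in GENERIC_FILE_TYPES
        verdicts.append({
            "hash": setroubleshoot_hash(r),
            "target": r.get("path") or r.get("name"),
            "blocked": r["blocked"],
            "verdict": "relabel" if generic else "review-allow",
        })
    return verdicts


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, AVC_LINES) if r]
    for v in triage(recs):
        print(v)
    print("\n".join(allow_rules(recs)))
```

Run against these three records it yields two rules, `allow xdm_t var_lib_t:file map;` and `allow xdm_t var_lib_t:lnk_file read;`, and a "relabel" verdict for every record. That is the point of the check: loading those rules with semodule, as the catchall plugin suggests, would let the display-manager domain map and follow links to anything under /var/lib that still carries the default label, which is much more than the flatpak exports tree this bug is about.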

Comment 10 Alex Finkel 2021-01-18 12:25:51 UTC
Similar problem has been detected:

Applied the latest updates to Fedora 33 (workstation) this morning which included updates to Flatpak (v 1.10.0-1.fc33)  and
to the SELinux policies:  selinux-policy and selinux-policy-targeted (v 3.14.6-34.fc33)

Now getting a lot of AVC denial alerts popping up upon initial login to GNOME desktop session.  89 alerts for dbus-daemon (read), 
19 alerts for gnome-shell (mime.cache), 7 alerts for colord (magic) and 4 alerts for colord (generic-icons).

This is just from logging in.  No other apps were launched before the alerts started.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service.
type:           libreport

Comment 11 James 2021-01-18 19:47:07 UTC
Similar problem has been detected:

Updated to gnome-shell-3.38.3-1.fc33.x86_64, selinux-policy-targeted-3.14.6-34.fc33.noarch

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 12 mr.wandell 2021-01-19 02:25:43 UTC
Similar problem has been detected:

Not sure

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 13 relentless.1980 2021-01-19 07:47:47 UTC
Similar problem has been detected:

This happens on every Power on.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport

Comment 14 Alex Finkel 2021-01-20 13:10:34 UTC
Similar problem has been detected:

Getting a number of these upon login to GNOME session after power cycle.  Started after the recent updates which included Flatpak and selinux-policy updates

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport

Comment 15 Mikel Pérez 2021-01-20 18:42:55 UTC
Similar problem has been detected:

my SELinux went berserk today after the following DNF transaction (packages update)
I already tried relabeling but it didn't help

Transaction ID : 649
Begin time     : Sat 28 Nov 2020 17:21:14 CST
Begin rpmdb    : 4223:e36f287702a2adb6015914f51a43f151d14dc591
End time       : Sat 28 Nov 2020 17:21:39 CST (25 seconds)
End rpmdb      : 4223:94704b54ce632c26bdb1a8a407ba1267bc232da6
User           : Mikel Pérez <mikel>
Return-Code    : Success
Releasever     : 
Command Line   : 
Comment        : 
Packages Altered:
    Upgrade  gpac-1.0.1-1.fc33.x86_64                                        @rpmfusion-free-updates
    Upgrade  gpac-libs-1.0.1-1.fc33.x86_64                                   @rpmfusion-free-updates
    Upgrade  metasploit-framework-6.0.19+20201127112457~1rapid7-1.el6.x86_64 @metasploit
    Upgrade  firefox-83.0-8.fc33.x86_64                                      @updates
    Upgrade  gnupg2-2.2.25-2.fc33.x86_64                                     @updates
    Upgrade  gnupg2-smime-2.2.25-2.fc33.x86_64                               @updates
    Upgrade  mesa-dri-drivers-20.2.3-1.fc33.i686                             @updates
    Upgrade  mesa-dri-drivers-20.2.3-1.fc33.x86_64                           @updates
    Upgrade  mesa-filesystem-20.2.3-1.fc33.i686                              @updates
    Upgrade  mesa-filesystem-20.2.3-1.fc33.x86_64                            @updates
    Upgrade  mesa-libEGL-20.2.3-1.fc33.i686                                  @updates
    Upgrade  mesa-libEGL-20.2.3-1.fc33.x86_64                                @updates
    Upgrade  mesa-libEGL-devel-20.2.3-1.fc33.i686                            @updates
    Upgrade  mesa-libEGL-devel-20.2.3-1.fc33.x86_64                          @updates
    Upgrade  mesa-libGL-20.2.3-1.fc33.i686                                   @updates
    Upgrade  mesa-libGL-20.2.3-1.fc33.x86_64                                 @updates
    Upgrade  mesa-libGL-devel-20.2.3-1.fc33.x86_64                           @updates
    Upgrade  mesa-libOSMesa-20.2.3-1.fc33.i686                               @updates
    Upgrade  mesa-libOSMesa-20.2.3-1.fc33.x86_64                             @updates
    Upgrade  mesa-libOpenCL-20.2.3-1.fc33.x86_64                             @updates
    Upgrade  mesa-libgbm-20.2.3-1.fc33.i686                                  @updates
    Upgrade  mesa-libgbm-20.2.3-1.fc33.x86_64                                @updates
    Upgrade  mesa-libglapi-20.2.3-1.fc33.i686                                @updates
    Upgrade  mesa-libglapi-20.2.3-1.fc33.x86_64                              @updates
    Upgrade  mesa-libxatracker-20.2.3-1.fc33.x86_64                          @updates
    Upgrade  mesa-vulkan-drivers-20.2.3-1.fc33.i686                          @updates
    Upgrade  mesa-vulkan-drivers-20.2.3-1.fc33.x86_64                        @updates
    Upgrade  minizip-compat-1.2.11-23.fc33.x86_64                            @updates
    Upgrade  openssh-8.4p1-3.fc33.x86_64                                     @updates
    Upgrade  openssh-clients-8.4p1-3.fc33.x86_64                             @updates
    Upgrade  openssh-server-8.4p1-3.fc33.x86_64                              @updates
    Upgrade  osinfo-db-20201119-1.fc33.noarch                                @updates
    Upgrade  rubberband-1.9.0-1.fc33.x86_64                                  @updates
    Upgrade  rubberband-devel-1.9.0-1.fc33.x86_64                            @updates
    Upgrade  syncthing-1.11.1-1.fc33.x86_64                                  @updates
    Upgrade  zlib-1.2.11-23.fc33.i686                                        @updates
    Upgrade  zlib-1.2.11-23.fc33.x86_64                                      @updates
    Upgrade  zlib-devel-1.2.11-23.fc33.x86_64                                @updates
    Upgrade  zlib-static-1.2.11-23.fc33.x86_64                               @updates
    Upgraded gpac-1.0.0-3.fc33.x86_64                                        @@System
    Upgraded gpac-libs-1.0.0-3.fc33.x86_64                                   @@System
    Upgraded metasploit-framework-6.0.18+20201125112507~1rapid7-1.el6.x86_64 @@System
    Upgraded firefox-83.0-3.fc33.x86_64                                      @@System
    Upgraded gnupg2-2.2.24-1.fc33.x86_64                                     @@System
    Upgraded gnupg2-smime-2.2.24-1.fc33.x86_64                               @@System
    Upgraded mesa-dri-drivers-20.2.2-1.fc33.i686                             @@System
    Upgraded mesa-dri-drivers-20.2.2-1.fc33.x86_64                           @@System
    Upgraded mesa-filesystem-20.2.2-1.fc33.i686                              @@System
    Upgraded mesa-filesystem-20.2.2-1.fc33.x86_64                            @@System
    Upgraded mesa-libEGL-20.2.2-1.fc33.i686                                  @@System
    Upgraded mesa-libEGL-20.2.2-1.fc33.x86_64                                @@System
    Upgraded mesa-libEGL-devel-20.2.2-1.fc33.i686                            @@System
    Upgraded mesa-libEGL-devel-20.2.2-1.fc33.x86_64                          @@System
    Upgraded mesa-libGL-20.2.2-1.fc33.i686                                   @@System
    Upgraded mesa-libGL-20.2.2-1.fc33.x86_64                                 @@System
    Upgraded mesa-libGL-devel-20.2.2-1.fc33.x86_64                           @@System
    Upgraded mesa-libOSMesa-20.2.2-1.fc33.i686                               @@System
    Upgraded mesa-libOSMesa-20.2.2-1.fc33.x86_64                             @@System
    Upgraded mesa-libOpenCL-20.2.2-1.fc33.x86_64                             @@System
    Upgraded mesa-libgbm-20.2.2-1.fc33.i686                                  @@System
    Upgraded mesa-libgbm-20.2.2-1.fc33.x86_64                                @@System
    Upgraded mesa-libglapi-20.2.2-1.fc33.i686                                @@System
    Upgraded mesa-libglapi-20.2.2-1.fc33.x86_64                              @@System
    Upgraded mesa-libxatracker-20.2.2-1.fc33.x86_64                          @@System
    Upgraded mesa-vulkan-drivers-20.2.2-1.fc33.i686                          @@System
    Upgraded mesa-vulkan-drivers-20.2.2-1.fc33.x86_64                        @@System
    Upgraded minizip-compat-1.2.11-22.fc33.x86_64                            @@System
    Upgraded openssh-8.4p1-2.fc33.x86_64                                     @@System
    Upgraded openssh-clients-8.4p1-2.fc33.x86_64                             @@System
    Upgraded openssh-server-8.4p1-2.fc33.x86_64                              @@System
    Upgraded osinfo-db-20201015-1.fc33.noarch                                @@System
    Upgraded rubberband-1.8.2-6.fc33.x86_64                                  @@System
    Upgraded rubberband-devel-1.8.2-6.fc33.x86_64                            @@System
    Upgraded syncthing-1.11.0-1.fc33.x86_64                                  @@System
    Upgraded zlib-1.2.11-22.fc33.i686                                        @@System
    Upgraded zlib-1.2.11-22.fc33.x86_64                                      @@System
    Upgraded zlib-devel-1.2.11-22.fc33.x86_64                                @@System
    Upgraded zlib-static-1.2.11-22.fc33.x86_64                               @@System

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
type:           libreport

Comment 16 Max E 2021-01-21 12:58:08 UTC
Similar problem has been detected:

After a recent update, SELinux is now permanently glitching.


hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Maps.service.
type:           libreport

Comment 17 Andrew Stitcher 2021-01-22 01:53:58 UTC
Similar problem has been detected:

I think this happened on log in.

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 18 Pawel Jakubowski 2021-01-22 08:10:49 UTC
*** Bug 1919121 has been marked as a duplicate of this bug. ***

Comment 19 rugk 2021-01-22 14:56:16 UTC
Similar problem has been detected:

Apparently installing the app "Peek" from Flathub via flatpak.

hashmarkername: setroubleshoot
kernel:         5.10.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/com.uploadedlobster.peek.service.
type:           libreport

Comment 20 Jan Vlug 2021-01-22 22:33:30 UTC
Similar problem has been detected:

I think that I was just starting my computer, or maybe resuming from suspend.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 21 Paul 2021-01-24 07:37:59 UTC
Similar problem has been detected:

I ran a dnf update about 1 week ago and since then on every reboot I get hundreds of SELinux AVC denial messages.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Logs.service.
type:           libreport

Comment 22 Michael 2021-01-24 16:25:11 UTC
Similar problem has been detected:

After login those warnings get issued like from a machine gun. :(

hashmarkername: setroubleshoot
kernel:         5.7.17-200.fc32.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport

Comment 23 Adam Goode 2021-01-27 14:28:01 UTC
Similar problem has been detected:

This happened during login after a reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 24 Nils Philippsen 2021-01-28 13:54:26 UTC
Similar problem has been detected:

Logged into GNOME.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
type:           libreport

Comment 25 A.J. Bonnema 2021-01-29 08:07:31 UTC
Similar problem has been detected:

Immediately after startup this problem occurs a lot of times (more than 10x)

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 26 Alex Finkel 2021-01-29 13:11:55 UTC
Similar problem has been detected:

Ever since updating to flatpak-1.10.1-1.fc33.x86_64, selinux-policy-3.14.6-34.fc33.noarch,  
selinux-policy-targeted-3.14.6-34.fc33.noarch, and flatpak-selinux-1.10.1-1.fc33.noarch
I get 89 of these AVC alerts on every reboot

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service.
type:           libreport

Comment 27 Gustavo Maciel Dias Vieira 2021-01-30 19:29:36 UTC
Similar problem has been detected:

Starting a session

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the arquivo /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 28 Federico Bruni 2021-01-30 21:37:56 UTC
This is a serious bug, the first one for me after 8 (?) years as Fedora user.

Any workaround to prevent it until the bug is fixed?
Should I disable SELinux?
What do you suggest?

Comment 29 Federico Bruni 2021-01-30 21:41:14 UTC
Oh, well, the "workaround" is pretty easy:

sudo dnf remove setroubleshoot

Comment 30 vincent 2021-01-30 21:52:06 UTC
(In reply to Federico Bruni from comment #28)
> This is a serious bug, the first one for me after 8 (?) years as Fedora user.
> 
> Any workaround to prevent it until the bug is fixed?
> Should I disable SElinux?
> What do you suggest?

Downgrading flatpak to 1.8.2 and versionlocking it until it's fixed works for me.

Comment 31 Jan Vlug 2021-01-31 12:06:04 UTC
Similar problem has been detected:

I saw many of these alerts just after logging in after a system reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 32 Jan Vlug 2021-01-31 12:10:14 UTC
Similar problem has been detected:

I think that this happened (28 times) just after logging in after a reboot.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gabmus.whatip.service.
type:           libreport

Comment 33 Mikel Pérez 2021-02-01 07:38:45 UTC
can confirm downgrading flatpak to 1.8.2 stops the notifications

Comment 34 Dmitry 2021-02-03 07:34:45 UTC
Similar problem has been detected:

after reboot

hashmarkername: setroubleshoot
kernel:         5.10.11-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/app/org.gnome.Screenshot/current.
type:           libreport

Comment 35 Jiri Konecny 2021-02-03 09:05:30 UTC
Similar problem has been detected:

I'm getting a bunch of SELinux denials immediately when my system boots up when I have the flatpak com.uploadedlobster.peek installed.

Steps to reproduce:
1) sudo flatpak install com.uploadedlobster.peek
2) reboot the system

Notes:
I did not test the reproducer above but it should work. If not I'll try to provide more info.

hashmarkername: setroubleshoot
kernel:         5.10.11-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/com.uploadedlobster.peek.service.
type:           libreport

Comment 36 krinkodot22 2021-02-07 17:22:47 UTC
Similar problem has been detected:

After logging out to install some extension updates, an endless stream of SELinux alerts began to be raised, even while still on the GDM login screen.

Once logged back in, SELinux security alerts keep getting raised over and over, all for dbus-daemon attempting read access on a lnk_file.

The same alert gets raised for several lnk_files:
* org.gnome.Polari.service
* org.gnome.Contacts.service
* org.gnome.Tetravex.service
* org.gnome.Music.Tracker3.Miner.Files.Control.service
* org.gnome.Recipes.service
* org.gnome.Builder.service
* org.gnome.Extensions.service
* org.gnome.Documents.service
* org.gnome.Chess.service
* org.gnome.gedit.service
* org.gnome.Maps.service
* org.gnome.Games.service
* org.gnome.Photos.service
* and many more...

hashmarkername: setroubleshoot
kernel:         5.10.12-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Characters.BackgroundService.service.
type:           libreport

Comment 37 Andrew Stitcher 2021-02-10 17:17:56 UTC
Similar problem has been detected:

Starting gnome-shell causes this problem when it tries to access the flatpak icon cache

hashmarkername: setroubleshoot
kernel:         5.10.13-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.
type:           libreport

Comment 38 krinkodot22 2021-02-10 23:54:56 UTC
A workaround (at least for GNOME 3) is to enable auto-login in Settings->Users->Automatic Login. That way, the CPU blowup will only happen when switching accounts, instead of on every boot.

Comment 39 Alex. H. F. 2021-02-15 16:56:41 UTC
Similar problem has been detected:

After upgrading Fedora 32 / 33

Once logged on, SELinux gives lots of notifications on this regard.

Tried re-labeling with "sudo fixfiles -B onboot", but it didn't seem to help.

What might be the reason for these messages, and how to solve this issue?

hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Extensions.service.
type:           libreport

Comment 40 gGabriel 2021-02-16 17:47:42 UTC
*** Bug 1929352 has been marked as a duplicate of this bug. ***

Comment 41 Krause.Markus 2021-02-24 21:04:43 UTC
Is there any progress on this?
Each time I login on Fedora 33 I get bombarded with a huge amount of SELinux messages regarding flatpak accesses.

Comment 42 Biji 2021-02-25 02:42:47 UTC
While waiting for fix:
dnf downgrade flatpak

Or downgrade fedora to 32 😀

Comment 43 Brian J. Murrell 2021-02-25 12:39:56 UTC
Or remove flatpak.  It's a software bundling security nightmare anyway.  And I am not referring to anything to do with flatpak itself.  I will leave others to criticize that if they wish.

I am referring to lazy software developers that decide to bundle the world with their application because they cannot be bothered to try to make their application work with (maintained) distribution native libraries, and then forget all about "the world" (i.e. all of the libraries) that they bundled into their package while those libraries bitrot into security vulnerability after security vulnerability.

A prudent flatpak application packager needs to be paying attention to the update stream of *all* of the libraries that they bundle and release new flatpak packages of their application every time one of those libraries releases a security fix.

Do you honestly believe *all* flatpak packagers are doing that?  I don't and therefore I don't use flatpak.

I just removed it from my system.  I was simply ignoring it before, but now that this bug is causing a slew of AVCs on every login, it's more effective to just "dnf erase flatpak".  Hopefully that resolves this issue too.

Comment 44 Alice McLafferty 2021-02-28 14:23:41 UTC
Similar issues have been detected:

SELinux is preventing boltd from getattr access on the file /var/lib/flatpak/exports/share/mime/magic.

Additional Information:
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/mime/magic [ file ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     
Platform                      Linux  5.10.16-200.fc33.x86_64 #1 SMP Sun
                              Feb 14 03:02:32 UTC 2021 x86_64 x86_64
Alert Count                   14

Raw Audit Messages
type=AVC msg=audit(1613876685.397:183): avc:  denied  { getattr } for  pid=1718 comm="boltd" path="/var/lib/flatpak/exports/share/mime/magic" dev="dm-1" ino=1177482 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: boltd,boltd_t,var_lib_t,file,getattr


-----------------------------
SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-
                              theme.cache [ file ]
Source                        sddm-greeter
Source Path                   sddm-greeter
Port                          <Unknown>
Host                          
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     
Platform                      Linux  5.10.16-200.fc33.x86_64 #1 SMP Sun
                              Feb 14 03:02:32 UTC 2021 x86_64 x86_64
Alert Count                   2

Raw Audit Messages
type=AVC msg=audit(1613876703.807:666): avc:  denied  { map } for  pid=2447 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-1" ino=1177475 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: sddm-greeter,xdm_t,var_lib_t,file,map
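
The raw audit messages quoted in this comment (and in comment 47) are the data a defender works from when a denial flood like this appears. The following is an added triage example, not code from the bug report, from flatpak or from setroubleshoot: it parses AVC records, groups them by (source type, target type, object class), prints the audit2allow-style rule each group would need, and flags target types hit from several unrelated source domains, which is the signature of a labeling problem rather than missing rules (here: everything lands on var_lib_t). The first three sample records are copied from this thread; the last two are constructed, and the key=value layout the parser assumes is the usual kernel AVC record format.

```python
"""Group a flood of SELinux AVC denials by (source type, target type, class).

Added triage example, not code from the bug report, flatpak or setroubleshoot.
The first three SAMPLE_LINES are copied from the raw audit messages quoted in
the thread; the last two are constructed (one repeat denial, one non-AVC record
that must be skipped).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Matches 'avc:  denied  { perm1 perm2 } for  <key=value ...>'.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted (comm, path, name) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LINES = [
    # copied from comment 44 (boltd)
    'type=AVC msg=audit(1613876685.397:183): avc:  denied  { getattr } for  pid=1718 comm="boltd" '
    'path="/var/lib/flatpak/exports/share/mime/magic" dev="dm-1" ino=1177482 '
    'scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    # copied from comment 44 (sddm-greeter)
    'type=AVC msg=audit(1613876703.807:666): avc:  denied  { map } for  pid=2447 comm="sddm-greeter" '
    'path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-1" ino=1177475 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    # copied from comment 47 (dbus-daemon; note permissive=1, i.e. logged but not blocked)
    'type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233 comm="dbus-daemon" '
    'name="de.haeckerfelix.Shortwave.service" dev="dm-0" ino=874034 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1',
    # constructed: a second service symlink from the same domain, type and class
    'type=AVC msg=audit(1610708161.140:331): avc:  denied  { read } for  pid=1233 comm="dbus-daemon" '
    'name="org.gnome.Maps.service" dev="dm-0" ino=874100 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1',
    # constructed: not an AVC record, must be ignored by the parser
    'type=SYSCALL msg=audit(1610708161.140:331): arch=c000003e syscall=257 success=no exit=-13',
]

Key = Tuple[str, str, str]  # (source type, target type, object class)


def parse_avc(line: str) -> Optional[dict]:
    """Return the interesting fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # directory-relative lookups log name=, full lookups log path=
        "object": fields.get("path", fields.get("name", "?")),
        "permissive": fields.get("permissive") == "1",
    }


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(lines: Iterable[str]) -> Dict[Key, dict]:
    """Collapse many denials into one entry per (source, target, class)."""
    groups: Dict[Key, dict] = defaultdict(
        lambda: {"perms": set(), "count": 0, "objects": set(), "enforced": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["objects"].add(rec["object"])
        if not rec["permissive"]:
            g["enforced"] += 1  # actually blocked, not just logged
    return dict(groups)


def allow_rules(groups: Dict[Key, dict]) -> List[str]:
    """audit2allow-style rule per group: the blunt fix, listed for comparison."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]


def shared_targets(groups: Dict[Key, dict]) -> Dict[str, Set[str]]:
    """Target types hit from more than one source domain: a labeling smell."""
    by_target: Dict[str, Set[str]] = defaultdict(set)
    for (s, t, _c) in groups:
        by_target[t].add(s)
    return {t: srcs for t, srcs in by_target.items() if len(srcs) > 1}


if __name__ == "__main__":
    groups = summarize(SAMPLE_LINES)
    for key, g in sorted(groups.items()):
        print(key, g["count"], sorted(g["perms"]), sorted(g["objects"]))
    print("\n".join(allow_rules(groups)))
    print("shared targets:", shared_targets(groups))
```

On a real system the input would come from `ausearch -m AVC` instead of the embedded list. When the shared-target check lights up, as it does here for var_lib_t, a relabel (the flatpak_var_lib_t approach discussed later in this thread) is the right fix; pasting the generated allow rules into a local module would open var_lib_t, which is shared by many unrelated services, to every listed domain.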

Comment 45 krinkodot22 2021-03-06 21:59:08 UTC
Not fixed after upgrading selinux-policy-targeted from 3.14.6-34 to 3.14.6-35.

Comment 46 Yannick Defais 2021-03-07 09:12:47 UTC
This bug is flooding any new graphical session here.

As posted here, downgrading flatpak works as a temporary workaround:
$ sudo dnf install flatpak-1.8.2-2.fc33

Regards

Comment 47 Michael 2021-03-11 21:50:20 UTC
(In reply to Zdenek Pytela from comment #1)
> Copied from the dup bz:
> > After the latest Fedora update, this pops up on every boot. I have "Shortwave" flatpak app installed, but don't run it, still the denial is shown.
> > SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/de.haeckerfelix.Shortwave.service.
> 
> Raw Audit Messages
> type=AVC msg=audit(1610708161.135:330): avc:  denied  { read } for  pid=1233
> comm="dbus-daemon" name="de.haeckerfelix.Shortwave.service" dev="dm-0"
> ino=874034 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1

When can we expect that this will be ultimately fixed?
Thanks in advance.

Comment 48 Zdenek Pytela 2021-03-11 22:08:19 UTC
This bz should be addressed soon.

Comment 49 Nils Philippsen 2021-03-14 16:39:22 UTC
(In reply to Yannick Defais from comment #46)
> As posted here, downgrading flatpak works as temporary a workaround:
> $ sudo dnf install flatpak-1.8.2-2.fc33

Same here, I only get this with versions 1.10.1 and 1.10.2 of flatpak.

Comment 50 Andras Kovacs 2021-03-20 07:58:30 UTC
I have the same problem.

Comment 51 Alex. H. F. 2021-03-21 10:48:00 UTC
After updating flatpak to 1.10.2-1.fc33 things are still the same.
Is this problem already being treated upstream by the flatpak devs yet?

Could anyone point the thread/error-tracking?!

Thank you all!

Comment 52 Alex. H. F. 2021-03-21 11:37:36 UTC
So, I found an issue reported at github/flatpak under this link. Hope this is the right place...

https://github.com/flatpak/flatpak/issues/4128


Please help to convince the flatpak devs to look at this issue.

Comment 53 Zdenek Pytela 2021-03-22 11:05:09 UTC
Switching the component to flatpak.

Folks,

Since flatpak-1.10 there are numerous bugs reported that a service cannot read objects in /var/lib/flatpak.

Can you address the problem in the flatpak package? The solution can be assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the access to all domains which can deal with flatpaks. I am ready to work with you to ensure the interactions with selinux-policy work.

Comment 54 Alice McLafferty 2021-03-22 21:37:58 UTC
Downgrading flatpak seems to be the only solution without setting selinux to permissive at this moment. Is this a packaging/selinux-policy issue or an upstream one that needs to be addressed by flatpak devs? Additionally, since this is likely going to take a while to get fixed, is it possible to at least make flatpak 1.8.5 available in the repos?

Comment 55 Dusty Mabe 2021-03-31 13:15:41 UTC
Is anyone having this problem (selinux denials + setroubleshoot popups + high CPU usage) on Fedora 34? If so we can propose this as a blocker/FE for the Fedora 34 release.

Comment 56 Alice McLafferty 2021-03-31 13:28:10 UTC
Yes, I am receiving denials on startup in F34 as well:

SELinux is preventing sddm-greeter from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

Comment 57 Zdenek Pytela 2021-03-31 16:01:11 UTC
*** Bug 1924645 has been marked as a duplicate of this bug. ***

Comment 58 Zdenek Pytela 2021-03-31 16:01:22 UTC
*** Bug 1917119 has been marked as a duplicate of this bug. ***

Comment 59 Alice McLafferty 2021-04-06 20:17:30 UTC
Is there any progress on this issue? Versionlocking flatpak to 1.8 is blocking more and more package updates.

Comment 60 Tony 2021-04-06 21:10:09 UTC
(In reply to Alice McLafferty from comment #59)
> Is there any progress on this issue? Versionlocking flatpak to 1.8 is
> blocking more and more package updates.

No comments for a week on the issue page on Flatpak's github:

  https://github.com/flatpak/flatpak/issues/4128

It looks like nobody is working on this.

Comment 61 Adam Williamson 2021-04-07 23:12:39 UTC
This bug can't block F34 because it's an F33 bug. It would be fairly rude to just re-assign it to F34 when it was clearly reported against F33 and is still affecting F33.

For F34 purposes we need there to be an equivalent bug filed against F34.

Comment 62 Adam Williamson 2021-04-07 23:19:46 UTC
I filed https://bugzilla.redhat.com/show_bug.cgi?id=1947214 and proposed it as an F34 blocker.

Comment 63 Jonathan Haas 2021-04-08 12:57:20 UTC
(In reply to Dusty Mabe from comment #55)
> Is anyone having this problem (selinux denials + setroubleshoot popups +
> high CPU usage) on Fedora 34? If so we can propose this as a blocker/FE for
> the Fedora 34 release.

Yes, had to set SELinux to permissive because otherwise the constant SELinux denials in the background would cause regular CPU spikes and microfreezes, which (among other issues) caused sound distortions when playing music or videos. Disabling the troubleshoot popups didn't help.

Comment 64 Yang Wentao 2021-04-09 13:38:08 UTC
As far as I see the only workaround is to uninstall the setroubleshoot daemon: dnf autoremove setroubleshoot*
Setting SELinux to permissive (whether globally or per SELinux domain) won't work, because these still count as SELinux denials, and setroubleshoot will always analyze SELinux denials, which is flooding if you have many flatpak apps installed. Removing setroubleshoot at least considerably lowers CPU usage. (Plain AVC denials and AVC logging are still available; it's just that you don't want to use setroubleshoot to analyze them. See https://wiki.centos.org/HowTos/SELinux for troubleshooting SELinux issues.)
Also setroubleshoot is by default no longer installed in recent Fedora Workstation versions, so this bug mainly affects long-upgraded Fedora installs, and is very unlikely to become an F34 blocker (see https://pagure.io/fedora-qa/blocker-review/issue/337)

Comment 65 Yang Wentao 2021-04-09 13:59:27 UTC
The upstream is expecting Fedora contributors to fix this bug: https://github.com/flatpak/flatpak/issues/4128#issuecomment-804876383. As for F34 this couldn't happen because Fedora expects upstream to fix it, which forms an impossible 'nobody-fix-bug' loop here; plus it's already very close to the F34 final freeze, and there's still no sign of anybody fixing it.
For the long term the solution can only be somebody pretty familiar with SELinux pushing changes upstream.
Note that this bug is pretty nasty; it's not even clear whether it's a dbus issue, a flatpak issue or even a gnome-shell issue. And I think casual users shouldn't even try to fix that. As a normal Fedora user I hacked around some SELinux manuals but I don't understand very much beyond mass-kills like reassigning stuff to unconfined_t etc.

Comment 66 Kalev Lember 2021-04-09 15:05:38 UTC
(In reply to Zdenek Pytela from comment #53)
> Switching the component to flatpak.
> 
> Folks,
> 
> Since flatpak-1.10 there are numerous bugs reported that a service cannot
> read objects in /var/lib/flatpak.
> 
> Can you address the problem in the flatpak package? The solution can be
> assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the
> access to all domains which can deal with flatpaks. I am ready to work with
> you to ensure the interactions with selinux-policy work.

I started looking at this, but I'm going to need some help. First, can you please explain why the fix needs to be in flatpak, not in the selinux policy? (I am not at all disagreeing with it, just trying to understand.)

Second, I have this patch from amigadave who started looking at this but got stuck. Any suggestions if something like this is the way to go here?

I'm happy to help drive this to finish on flatpak side but I don't really know a lot about selinux :)



diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc
index dc5b3bf8..06614276 100644
--- a/selinux/flatpak.fc
+++ b/selinux/flatpak.fc
@@ -1 +1,2 @@
 /usr/libexec/flatpak-system-helper     --      gen_context(system_u:object_r:flatpak_helper_exec_t,s0)
+/var/lib/flatpak(/.*)?                         gen_context(system_u:object_r:flatpak_var_lib_t,s0)
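Review bot: The new flatpak.fc entry only labels files created after the policy is loaded; every denial in this thread shows /var/lib/flatpak already labeled var_lib_t on existing installs, so the package update also needs a relabel step (e.g. `restorecon -R /var/lib/flatpak` in the post-install scriptlet), otherwise the fix is invisible to the users hitting this bug. It is also worth a comment that the entry deliberately omits the file-type field (the existing helper line uses `--`, regular files only) so that directories and the lnk_file symlinks under exports/share/dbus-1/services are covered as well.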
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 2bcc507b..09047d97 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -8,6 +8,9 @@ policy_module(flatpak, 0.0.1)
 # I did try to make the domain confined, but it needs a lot of
 # permissions and my selinux-foo just isn't good enough.

+type flatpak_var_lib_t;
+files_type(flatpak_var_lib_t)
+
 type flatpak_helper_t;
 type flatpak_helper_exec_t;
 init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
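Review bot: This hunk declares flatpak_var_lib_t with files_type() but adds no allow rules or interface for it, so no confined domain gains access to the new type; relabeling /var/lib/flatpak from var_lib_t to flatpak_var_lib_t would leave the xdm_t, boltd_t and dbus-daemon denials in this thread in place, and could drop read access that generic var_lib_t rules currently grant to other domains. The module needs an interface in flatpak.if (something like a hypothetical `flatpak_read_var_lib(domain)` that grants read on dirs, files and lnk_files of the new type) which the affected domains, or a broad base-policy call, can then use; Zdenek's reply below raises the same concern.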

Comment 67 Alex Finkel 2021-04-09 15:23:38 UTC
I'm willing to help, but I don't know what are the criteria to determine whether the issue is with the selinux policy or Flatpak itself.

I used the setroubleshooter to create custom policies to stop the deluge of AVC denial warnings, but not sure what the next steps are.

Comment 68 Adam Williamson 2021-04-09 17:15:09 UTC
Yang: setroubleshoot also has an "ignore" button, which just tells it to not bother you about this denial again. If there are dozens of different-but-similar ones it can be annoying/impractical to "ignore" them all, but otherwise it does the trick.

Note I do think KDE still installs setroubleshoot by default.

Comment 69 Alexander Ploumistos 2021-04-09 17:33:19 UTC
Sorry if this is off-topic, but I was curious to see what flatpaks might be on my systems and "flatpak list" returns these:

Name              Application ID               Version  Branch  Installation
Fedora Platform   org.fedoraproject.Platform   32       f32     system
Fedora Platform   org.fedoraproject.Platform   33       f33     system
Fedora Platform   org.fedoraproject.Platform   34       f34     system
Extensions        org.gnome.Extensions         40.0     stable  system

Is "Extensions" installed by default? I don't remember ever installing it myself - let alone twice - as I'm using gnome-tweaks and e.g.o to manage my extensions. (It could be that my memory is failing me though)

Why do I get these three "Fedora Platform" versions on F33?

Comment 70 Zdenek Pytela 2021-04-09 21:31:41 UTC
(In reply to Kalev Lember from comment #66)
> (In reply to Zdenek Pytela from comment #53)
> > Switching the component to flatpak.
> > 
> > Folks,
> > 
> > Since flatpak-1.10 there are numerous bugs reported that a service cannot
> > read objects in /var/lib/flatpak.
> > 
> > Can you address the problem in the flatpak package? The solution can be
> > assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the
> > access to all domains which can deal with flatpaks. I am ready to work with
> > you to ensure the interactions with selinux-policy work.
> 
> I started looking at this, but I'm going to need some help. First, can you
> explain please why does the fix need to be in flatpak, not in selinux
> policy? (I am not at all disagreeing with it, just trying to understand.)
If a flatpak-related type, like flatpak_var_lib_t, is to be defined, it needs to be in the flatpak policy, as well as allowing the permissions. However, there are more possible ways to deal with this issue.

> 
> Second, I have this patch from amigadave who started looking at this but got
> stuck. Any suggestions if something like this is the way to go here?
> 
> I'm happy to help drive this to finish on flatpak side but I don't really
> know a lot about selinux :)
Conversely, I am happy to help with the selinux part, but I don't understand much of the rest.

> 
> 
> 
> diff --git a/selinux/flatpak.fc b/selinux/flatpak.fc
> index dc5b3bf8..06614276 100644
> --- a/selinux/flatpak.fc
> +++ b/selinux/flatpak.fc
> @@ -1 +1,2 @@
>  /usr/libexec/flatpak-system-helper     --     
> gen_context(system_u:object_r:flatpak_helper_exec_t,s0)
> +/var/lib/flatpak(/.*)?                        
> gen_context(system_u:object_r:flatpak_var_lib_t,s0)
> diff --git a/selinux/flatpak.te b/selinux/flatpak.te
> index 2bcc507b..09047d97 100644
> --- a/selinux/flatpak.te
> +++ b/selinux/flatpak.te
> @@ -8,6 +8,9 @@ policy_module(flatpak, 0.0.1)
>  # I did try to make the domain confined, but it needs a lot of
>  # permissions and my selinux-foo just isn't good enough.
> 
> +type flatpak_var_lib_t;
> +files_type(flatpak_var_lib_t)
> +
>  type flatpak_helper_t;
>  type flatpak_helper_exec_t;
>  init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
This is a good start if we wanted to go this way. Currently I am not convinced it would solve all known problems.

Comment 71 Yang Wentao 2021-04-10 06:08:30 UTC
(In reply to Adam Williamson from comment #68)
> Yang: setroubleshoot also has an "ignore" button, which just tells it to not
> bother you about this denial again. If there are dozens of
> different-but-similar ones it can be annoying/impractical to "ignore" them
> all, but otherwise it does the trick.
> 
> Note I do think KDE still installs setroubleshoot by default.

The ignore button in setroubleshoot works, and it's a global option which makes setroubleshoot quiet and stops it sending notifications.
But the reason I dropped setroubleshoot is that it took too much CPU, to the extent that it will run one thread at 100%, and not just temporarily but for a long time (10 minutes or even longer). It's a pretty noticeable performance hit, especially on laptops (which are battery-sensitive) and on computers with weaker CPUs.
Setroubleshoot will try to analyze SELinux denials in the background and send notifications to warn users. I guess most users wouldn't bother with SELinux and will just click the "ignore" button; a few will try to look at them and analyze them, which is not too bad since it will at least make users know they can check SELinux denials in setroubleshoot. But when a bug like this is encountered and SELinux denials flood, setroubleshoot simply becomes a daemon that eats your hardware resources, and all users with a few flatpaks installed will be affected. SELinux denial floods aren't impossible or rare, as wrong SELinux labeling will make all files for that label trigger warnings, and when daemons like dbus recursively read files, SELinux denials flood.
So I guess this is the reason recent Fedora versions dropped setroubleshoot: its overhead is potentially bigger than simple annoyance (which itself alone is not too bad), and SELinux policy will have bugs.
I checked my KDE install on a virtual machine and setroubleshoot wasn't installed by default as of Fedora 33.

Comment 72 A.J. Bonnema 2021-04-10 06:25:54 UTC
I am not sure that eliminating the warning that SELinux gives is the right answer. I am one of the users that sometimes ignores an abort (if I think it is a one-time thing) and otherwise reports it. I normally do not touch SELinux directives. I find that a better solution to the problem you rightly note, i.e. flooding of SELinux warnings and usage of CPU, begs a different kind of question: why do we analyze without a request from the user? So, suppose we would issue the warning, but not do the analysis until the user requests it. That is a far step from ignoring the problem altogether, i.e. not installing setroubleshoot.

In summary, I have no reason to doubt your analysis, but I come to a different conclusion. Setroubleshoot should not occupy the CPU unless requested to do so by the user. The warning, however, as a user, I need. I cannot stress enough how important it is to know what is going wrong in my system.

Comment 73 Zdenek Pytela 2021-04-13 18:50:45 UTC
*** Bug 1946091 has been marked as a duplicate of this bug. ***

Comment 74 Zdenek Pytela 2021-04-13 18:51:16 UTC
*** Bug 1925791 has been marked as a duplicate of this bug. ***

Comment 75 Zdenek Pytela 2021-04-13 19:11:21 UTC
*** Bug 1917174 has been marked as a duplicate of this bug. ***

Comment 76 Zdenek Pytela 2021-04-14 17:32:27 UTC
*** Bug 1949634 has been marked as a duplicate of this bug. ***

Comment 77 Zdenek Pytela 2021-04-14 18:37:13 UTC
*** Bug 1949640 has been marked as a duplicate of this bug. ***

Comment 78 Zdenek Pytela 2021-04-14 18:37:27 UTC
*** Bug 1949637 has been marked as a duplicate of this bug. ***

Comment 79 Zdenek Pytela 2021-04-14 18:37:41 UTC
*** Bug 1949645 has been marked as a duplicate of this bug. ***

Comment 80 Zdenek Pytela 2021-04-14 18:37:54 UTC
*** Bug 1949648 has been marked as a duplicate of this bug. ***

Comment 81 Zdenek Pytela 2021-04-14 18:38:06 UTC
*** Bug 1949649 has been marked as a duplicate of this bug. ***

Comment 82 Zdenek Pytela 2021-04-14 19:08:08 UTC
*** Bug 1917172 has been marked as a duplicate of this bug. ***

Comment 83 Zdenek Pytela 2021-04-14 19:08:23 UTC
*** Bug 1917173 has been marked as a duplicate of this bug. ***

Comment 84 Zdenek Pytela 2021-04-14 19:08:40 UTC
*** Bug 1917176 has been marked as a duplicate of this bug. ***

Comment 85 Zdenek Pytela 2021-04-14 19:09:17 UTC
*** Bug 1917251 has been marked as a duplicate of this bug. ***

Comment 86 Zdenek Pytela 2021-04-14 19:10:49 UTC
*** Bug 1949642 has been marked as a duplicate of this bug. ***

Comment 87 Kalev Lember 2021-04-14 20:42:59 UTC
The discussion here has been spread out over 3 different tickets, so it's a bit hard to follow. A brief summary: We identified a workaround solution on the flatpak side (see https://bugzilla.redhat.com/show_bug.cgi?id=1947214#c5 and https://github.com/flatpak/flatpak/issues/4128#issuecomment-818019245) and decided to go with that until we have selinux policy changes figured out.

I just kicked off flatpak builds for F33, F34 and rawhide with the fix.

Comment 88 Fedora Update System 2021-04-14 20:55:30 UTC
FEDORA-2021-78e6b2c6a9 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-78e6b2c6a9

Comment 89 Fedora Update System 2021-04-15 15:14:35 UTC
FEDORA-2021-78e6b2c6a9 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-78e6b2c6a9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-78e6b2c6a9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 90 Fedora Update System 2021-04-16 14:35:21 UTC
FEDORA-2021-78e6b2c6a9 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.
