Description of problem: Happens frequently without me doing anything specific to trigger it, on current F36. SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow libex to have read access on the repo directory Then you need to change the label on /var/lib/flatpak/repo Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/repo' where FILE_TYPE is one of the following: bin_t, boot_t, dbusd_etc_t, device_t, devpts_t, etc_runtime_t, etc_t, fonts_cache_t, fonts_t, lib_t, locale_t, man_cache_t, man_t, pkcs11_modules_conf_t, root_t, shell_exec_t, src_t, system_conf_t, system_db_t, textrel_shlib_t, tmpfs_t, usr_t, var_run_t. Then execute: restorecon -v '/var/lib/flatpak/repo' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that libex should be allowed read access on the repo directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pool-/usr/libex' --raw | audit2allow -M my-poolusrlibex # semodule -X 300 -i my-poolusrlibex.pp Additional Information: Source Context system_u:system_r:flatpak_helper_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/repo [ dir ] Source pool-/usr/libex Source Path pool-/usr/libex Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.1-1.fc36.noarch Local Policy RPM flatpak-selinux-1.12.4-2.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.16.1-200.fc35.x86_64 #1 SMP PREEMPT Mon Jan 17 00:49:29 UTC 2022 x86_64 x86_64 Alert Count 7 First Seen 2022-02-11 08:37:05 PST Last Seen 2022-02-11 08:37:07 PST Local ID 62bd2dbd-05d0-4a2c-aad1-f72b80279729 Raw Audit Messages type=AVC msg=audit(1644597427.157:508): avc: denied { read } for pid=16275 comm="pool-/usr/libex" name="repo" dev="dm-1" ino=3014773 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 Hash: pool-/usr/libex,flatpak_helper_t,var_lib_t,dir,read Version-Release number of selected component: selinux-policy-targeted-36.1-1.fc36.noarch Additional info: component: flatpak reporter: libreport-2.16.0 hashmarkername: setroubleshoot kernel: 5.16.1-200.fc35.x86_64 type: libreport
Similar problem has been detected: flatpak update fails hashmarkername: setroubleshoot kernel: 5.17.0-300.fc36.x86_64 package: selinux-policy-targeted-36.5-1.fc36.noarch reason: SELinux is preventing pool-/usr/libex from 'read' accesses on the directory /var/lib/flatpak/repo. type: libreport
*** This bug has been marked as a duplicate of bug 2070741 ***