Description of problem:
Happens frequently in the background on current F36.

SELinux is preventing flatpak-system- from 'watch' accesses on the directory /usr/libexec.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed watch access on the libexec directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec [ dir ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.16-2.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.1-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.4-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.1-200.fc35.x86_64 #1 SMP PREEMPT Mon Jan 17 00:49:29 UTC 2022 x86_64 x86_64
Alert Count                   24
First Seen                    2022-02-11 08:37:05 PST
Last Seen                     2022-02-11 08:38:37 PST
Local ID                      962e13f3-9a0a-4b30-b59e-d40f9c4034aa

Raw Audit Messages
type=AVC msg=audit(1644597517.410:541): avc:  denied  { watch } for  pid=16275 comm="gmain" path="/usr/libexec" dev="dm-1" ino=1179656 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0

Hash: flatpak-system-,flatpak_helper_t,bin_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-36.1-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.16.0
hashmarkername: setroubleshoot
kernel:         5.16.1-200.fc35.x86_64
type:           libreport
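As an added example (not part of the bug report, setroubleshoot or the flatpak project), the shell below takes the raw AVC record quoted above and derives from it the allow rule that the suggested `ausearch | audit2allow -M` step would generate, then prints the full .te source of that local module in the shape audit2allow -M writes, so the rule can be read before `semodule -i` loads it. The function names are this example's own; the only input is the AVC line copied from the report.

```shell
#!/bin/bash
# Added example: decode a raw SELinux AVC record into the type-level allow
# rule and the local policy module that audit2allow -M would produce.
# Not code from the bug report or from flatpak/flatpak-selinux.

# Constructed sample input: the AVC line from the report above, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1644597517.410:541): avc: denied { watch } for pid=16275 comm="gmain" path="/usr/libexec" dev="dm-1" ino=1179656 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY: value of the space-delimited KEY=value pair in RECORD.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission set inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied {[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_allow_rule RECORD: "allow <source_t> <target_t>:<class> { perms };"
avc_allow_rule() {
    local rec=$1 st tt cls perms
    st=$(ctx_type "$(avc_field "$rec" scontext)")
    tt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf 'allow %s %s:%s { %s };\n' "$st" "$tt" "$cls" "$perms"
}

# avc_te_module NAME RECORD: a complete policy module in the layout that
# audit2allow -M NAME writes to NAME.te (module header, require block, rule).
avc_te_module() {
    local name=$1 rec=$2 st tt cls perms
    st=$(ctx_type "$(avc_field "$rec" scontext)")
    tt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$name" "$st" "$tt" "$cls" "$perms"
    printf '#============= %s ==============\n' "$st"
    printf 'allow %s %s:%s { %s };\n' "$st" "$tt" "$cls" "$perms"
}

# Stand-alone run: the rule, then the module source for my-flatpaksystem.
avc_allow_rule "$SAMPLE_AVC"
echo
avc_te_module my-flatpaksystem "$SAMPLE_AVC"
```

The generated module grants `flatpak_helper_t` the `watch` permission on every `bin_t` directory, which is what the type-level rule in the AVC implies; the packaged fix discussed later in this report does the same through the policy's `corecmd_watch_bin_dirs()` interface so it tracks the `bin_t` labelling rather than hard-coding types. Once the fixed flatpak-selinux package is installed, `sesearch --allow -s flatpak_helper_t -t bin_t -c dir -p watch` (from setools) should show the rule coming from the package, at which point the local workaround can be dropped with `semodule -r my-flatpaksystem`.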
*** Bug 2071216 has been marked as a duplicate of this bug. ***
The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak. The appropriate interface is corecmd_watch_bin_dirs() which will be present in the next selinux-policy build.
Does this look good to you: https://github.com/flatpak/flatpak/pull/4853
It does.
(In reply to Zdenek Pytela from comment #4)
> It does.

Thanks for the quick review, Zdeněk!
(In reply to Zdenek Pytela from comment #2)
>
> The appropriate interface is corecmd_watch_bin_dirs() which will be present
> in the next selinux-policy build.

Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for Fedora 36 GA?
FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

The decision to classify this bug as an AcceptedFreezeException was made: "There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze."
(In reply to František Zatloukal from comment #8)
> Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/745
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
(In reply to Debarshi Ray from comment #6)
> (In reply to Zdenek Pytela from comment #2)
> >
> > The appropriate interface is corecmd_watch_bin_dirs() which will be present
> > in the next selinux-policy build.
>
> Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for
> Fedora 36 GA?

The package should have a new build today.
*** Bug 2077870 has been marked as a duplicate of this bug. ***
Problem still persists on my f36 installation, see #2077870
(In reply to aannoaanno from comment #14)
> Problem still persists on my f36 installation, see #2077870

I had the same issue on a machine that had been installed 2 years ago, moved with the Fedora releases every 6 months and has now been upgraded to F36. I recently installed another machine with F35 and upgraded it to F36: there everything works fine. Go figure...

Anyway, I've now finally got rid of the SELinux errors. In all steps I made sure that I had used "systemctl stop flatpak-system-helper" to stop the process that was throwing the SELinux errors.

* restorecon -vrF /usr/libexec /var/lib/flatpak /etc/passwd -> didn't help
* touch /.autorelabel & reboot, i.e. a complete relabel -> didn't help
* dnf reinstall flatpak-selinux -> no more errors, finally.....

Hope this helps.