2053634 – flatpak_helper_t unable to watch files inside /usr/libexec

Bug 2053634 - flatpak_helper_t unable to watch files inside /usr/libexec

Summary: flatpak_helper_t unable to watch files inside /usr/libexec

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	flatpak
Sub Component:
Version:	36
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Debarshi Ray
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:093e24147e5c775bb1e99061a35...
Duplicates (2):	2071216 2077870 (view as bug list)
Depends On:
Blocks:	2075937 F36FinalFreezeException
TreeView+	depends on / blocked

Reported:	2022-02-11 16:39 UTC by Adam Williamson
Modified:	2022-06-25 14:18 UTC (History)
CC List:	16 users (show)
Fixed In Version:	flatpak-1.12.7-2.fc36
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-04-14 23:23:48 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	flatpak flatpak pull 4853	0	None	open	selinux: Let the system helper watch files inside $libexecdir	2022-04-12 19:06:15 UTC

Description Adam Williamson 2022-02-11 16:39:02 UTC

Description of problem:
Happens frequently in the background on current F36.
SELinux is preventing flatpak-system- from 'watch' accesses on the directory /usr/libexec.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed watch access on the libexec directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec [ dir ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.16-2.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.1-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.4-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.1-200.fc35.x86_64 #1 SMP
                              PREEMPT Mon Jan 17 00:49:29 UTC 2022 x86_64 x86_64
Alert Count                   24
First Seen                    2022-02-11 08:37:05 PST
Last Seen                     2022-02-11 08:38:37 PST
Local ID                      962e13f3-9a0a-4b30-b59e-d40f9c4034aa

Raw Audit Messages
type=AVC msg=audit(1644597517.410:541): avc:  denied  { watch } for  pid=16275 comm="gmain" path="/usr/libexec" dev="dm-1" ino=1179656 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0


Hash: flatpak-system-,flatpak_helper_t,bin_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-36.1-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.16.0
hashmarkername: setroubleshoot
kernel:         5.16.1-200.fc35.x86_64
type:           libreport

Comment 1 Debarshi Ray 2022-04-06 08:00:58 UTC

*** Bug 2071216 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2022-04-08 11:40:57 UTC

The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak.

The appropriate interface is corecmd_watch_bin_dirs() which will be present in the next selinux-policy build.

Comment 3 Debarshi Ray 2022-04-12 19:06:16 UTC

Does this look good to you:
https://github.com/flatpak/flatpak/pull/4853

Comment 4 Zdenek Pytela 2022-04-12 20:30:00 UTC

It does.

Comment 5 Debarshi Ray 2022-04-12 20:35:09 UTC

(In reply to Zdenek Pytela from comment #4)
> It does.

Thanks for the quick review, Zdeněk!

Comment 6 Debarshi Ray 2022-04-12 20:36:16 UTC

(In reply to Zdenek Pytela from comment #2)
>
> The appropriate interface is corecmd_watch_bin_dirs() which will be present
> in the next selinux-policy build.

Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for Fedora 36 GA?

Comment 7 Fedora Update System 2022-04-12 21:33:07 UTC

FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

Comment 8 František Zatloukal 2022-04-13 14:43:17 UTC

Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

The decision to classify this bug as an AcceptedFreezeException was made:

"There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze."

Comment 9 František Zatloukal 2022-04-13 14:43:43 UTC

(In reply to František Zatloukal from comment #8)
> Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/745

Comment 10 Fedora Update System 2022-04-13 19:48:46 UTC

FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-04-14 23:23:48 UTC

FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Zdenek Pytela 2022-04-20 07:53:20 UTC

(In reply to Debarshi Ray from comment #6)
> (In reply to Zdenek Pytela from comment #2)
> >
> > The appropriate interface is corecmd_watch_bin_dirs() which will be present
> > in the next selinux-policy build.
> 
> Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for
> Fedora 36 GA?

The package should have a new build today.

Comment 13 Debarshi Ray 2022-05-05 22:57:50 UTC

*** Bug 2077870 has been marked as a duplicate of this bug. ***

Comment 14 aannoaanno 2022-06-19 09:18:37 UTC

Problem still persists on my f36 installation, see #2077870

Comment 15 Stefan Becker 2022-06-25 14:18:24 UTC

(In reply to aannoaanno from comment #14)
> Problem still persists on my f36 installation, see #2077870

I had the same issue on a machine that had been installed 2 years ago, moved with the Fedora releases every 6 months and has now been upgraded to F36.

I recently installed another machine with F35 and upgraded it to F36: there everything works fine. Go figure...

Anyway, I've now finally got rid of the SELinux errors. In all steps I made sure that I had used "systemctl stop flatpak-system-helper" to stop the process that was throwing the SELinux errors.

* restorecon -vrF /usr/libexec /var/lib/flatpak /etc/passwd -> didn't help
* touch /.autorelabel & reboot, i.e. a complete relabel -> didn't help
* dnf reinstall flatpak-selinux -> no more errors, finally.....

Hope this helps.

Note You need to log in before you can comment on or make changes to this bug.