Bug 2054759 - SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Music.Tracker3.Miner.Files.service.
Summary: SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/f...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2070330 2070738
Depends On:
Blocks:
Reported: 2022-02-15 16:27 UTC by Marc Pervaz Boocha
Modified: 2022-04-26 02:40 UTC (History)
CC List: 14 users

Fixed In Version: selinux-policy-36.7-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-26 02:40:06 UTC
Type: Bug




Links
Github fedora-selinux/selinux-policy pull 1147 (open): Allow xdm read generic symbolic links in /var/lib, last updated 2022-04-13 08:52:56 UTC

Description Marc Pervaz Boocha 2022-02-15 16:27:03 UTC
*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dbus-daemon to have read access on the org.gnome.Music.Tracker3.Miner.Files.service lnk_file
Then you need to change the label on /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Music.Tracker3.Miner.Files.service
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Music.Tracker3.Miner.Files.service'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, avahi_conf_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, init_var_run_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, kubernetes_file_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, motd_var_run_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, 
prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Music.Tracker3.Miner.Files.service'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that dbus-daemon should be allowed read access on the org.gnome.Music.Tracker3.Miner.Files.service lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/dbus-
                              1/services/org.gnome.Music.Tracker3.Miner.Files.se
                              rvice [ lnk_file ]
Source                        dbus-daemon
Source Path                   dbus-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.2-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.2-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.0-0.rc3.89.fc36.x86_64 #1 SMP
                              PREEMPT Mon Feb 7 14:58:45 UTC 2022 x86_64 x86_64
Alert Count                   324
First Seen                    2022-02-15 21:01:47 IST
Last Seen                     2022-02-15 21:01:48 IST
Local ID                      55691d5d-6608-42e4-9414-40e96ce3d7d0

Raw Audit Messages
type=AVC msg=audit(1644939108.408:833): avc:  denied  { read } for  pid=1083 comm="dbus-daemon" name="org.gnome.Music.Tracker3.Miner.Files.service" dev="nvme0n1p3" ino=273511 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read

Comments: related, but maybe a separate issue: installing or updating a flatpak fails with:
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Error: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
error: Failed to install com.gitlab.newsflash: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied

SELinux errors are also present.
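As an added example, not part of the report or of the setroubleshoot/audit2allow tools: the Python below parses the raw AVC record quoted above, reconstructs the allow rule that the `ausearch | audit2allow` step would put in the local module, and notes when the target type is a generic one such as var_lib_t, so the rule's real scope (every symlink labelled var_lib_t, not just this one) is visible before `semodule -i` loads it. GENERIC_TYPES is an assumed watch list.

```python
import re

# Raw AVC record copied from this bug report; it is the only input the example needs.
AVC = ('type=AVC msg=audit(1644939108.408:833): avc:  denied  { read } for  pid=1083 '
       'comm="dbus-daemon" name="org.gnome.Music.Tracker3.Miner.Files.service" '
       'dev="nvme0n1p3" ino=273511 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0')

# Assumed reviewer's watch list: broad, policy-wide object types. A rule whose target
# is one of these grants access to every object of that type, not just the one file.
GENERIC_TYPES = {"var_lib_t", "var_t", "usr_t", "etc_t", "tmp_t", "user_home_t"}

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
_NAME_RE = re.compile(r'\bname="(?P<name>[^"]*)"')

def parse_avc(line):
    """Split one 'avc: denied' audit record into its fields; None for other records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    n = _NAME_RE.search(line)
    rec["name"] = n.group("name") if n else None
    return rec

def allow_rule(rec):
    """The TE allow rule audit2allow would derive from this denial (form reconstructed)."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)

def review(rec):
    """Notes a policy reviewer should read before loading the rule with semodule."""
    notes = []
    if rec["ttype"] in GENERIC_TYPES:
        notes.append("target %s is a generic type: the rule allows %s %s on every %s "
                     "labelled %s, not only on %s" % (rec["ttype"], rec["stype"],
                     " ".join(rec["perms"]), rec["tclass"], rec["ttype"], rec["name"]))
    return notes
```

Feed the output of `ausearch -m AVC --raw` line by line to parse_avc and print allow_rule and review for each record to see what the generated module would grant.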

Comment 1 Debarshi Ray 2022-04-12 19:18:24 UTC
(In reply to Marc Pervaz Boocha from comment #0)
> Comments: related but maybe a separate issue is during installing or
> updating flatpak fails with:
> Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak
> does not exist in password file entry

I think this is bug 2070350

Comment 2 Debarshi Ray 2022-04-12 19:21:55 UTC
(In reply to Marc Pervaz Boocha from comment #0)
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023

I am a bit puzzled by the presence of xdm_t there.  That doesn't seem like something Flatpak has.

Marc, are you using XDM as your display manager by any chance?  Or is this a stock Fedora Workstation/Silverblue?

Comment 3 Zdenek Pytela 2022-04-13 08:52:57 UTC
(In reply to Debarshi Ray from comment #2)
> (In reply to Marc Pervaz Boocha from comment #0)
> > Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> 
> I am a bit puzzled by the presence of xdm_t there.  That doesn't seem like
> something Flatpak has.

These two problems are independent; the xdm_t AVC will be addressed in selinux-policy.

Comment 4 Zdenek Pytela 2022-04-14 14:37:41 UTC
*** Bug 2070330 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2022-04-20 10:14:46 UTC
*** Bug 2070738 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2022-04-21 14:14:14 UTC
FEDORA-2022-76963fee71 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71

Comment 7 Marc Pervaz Boocha 2022-04-21 14:56:18 UTC
I am using Workstation. GDM is my display manager.

Comment 8 Fedora Update System 2022-04-21 17:50:13 UTC
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-76963fee71`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 krinkodot22 2022-04-24 02:05:34 UTC
Similar problem has been detected:

Switched to another account (via System Menu -> Power Off / Log Out -> Switch User...).  Shortly after logging in to that account, CPU usage spiked.  Logging out of that account & switching back to the first account showed SELinux alerts getting fired once every 3 seconds.

This alert is only one of the many that were fired. They are all due to "read" access by /usr/bin/dbus-daemon on what appear to be names of Flatpak apps I have installed.

hashmarkername: setroubleshoot
kernel:         5.17.3-302.fc36.x86_64
package:        selinux-policy-targeted-36.6-1.fc36.noarch
reason:         SELinux is preventing /usr/bin/dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/applications/org.gnome.Photos.desktop.
type:           libreport

Comment 10 Fedora Update System 2022-04-26 02:40:06 UTC
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

