Bug 2070350 - flatpak_helper_t unable to read /etc/passwd.
Summary: flatpak_helper_t unable to read /etc/passwd.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 36
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e62516abf53dea5e0b1b5313b0b...
: 2071218 2072275 2078074 2096056 (view as bug list)
Depends On:
Blocks: F36FinalFreezeException 2075937
TreeView+ depends on / blocked
 
Reported: 2022-03-30 21:53 UTC by Michael
Modified: 2022-06-19 09:20 UTC (History)
15 users (show)

Fixed In Version: flatpak-1.12.7-2.fc36
Clone Of:
Environment:
Last Closed: 2022-04-14 23:23:52 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github flatpak flatpak pull 4852 0 None open selinux: Let system helper have read access to /etc/passwd 2022-04-12 18:31:16 UTC

Description Michael 2022-03-30 21:53:28 UTC 
Description of problem:
SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           setup-2.13.9.1-3.fc36.noarch
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.7-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP
                              PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-03-30 23:52:13 CEST
Last Seen                     2022-03-30 23:52:13 CEST
Local ID                      5eed63e9-c50b-4801-b5c1-b243d011ceb0

Raw Audit Messages
type=AVC msg=audit(1648677133.642:1103): avc:  denied  { read } for  pid=31490 comm="flatpak-system-" name="passwd" dev="nvme0n1p3" ino=3300790 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: flatpak-system-,flatpak_helper_t,passwd_file_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.16.16-200.fc35.x86_64
type:           libreport
Comment 1 Flo H. 2022-03-31 19:28:44 UTC 
I have the same problem after system-upgrade to F36. Access to /etc/passwd is blocked, `flatpak update` therefore fails.
Comment 2 Flo H. 2022-03-31 19:34:50 UTC 
Similar problem has been detected:

flatpak update fails because of denied access to /etc/passwd

hashmarkername: setroubleshoot
kernel:         5.17.0-300.fc36.x86_64
package:        selinux-policy-targeted-36.5-1.fc36.noarch
reason:         SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd.
type:           libreport
Comment 3 Flo H. 2022-03-31 20:02:05 UTC 
This bug is filed against flatpak, however, I think it should be filed against selinux-policy
Comment 4 Debarshi Ray 2022-04-06 07:52:53 UTC 
*** Bug 2072275 has been marked as a duplicate of this bug. ***
Comment 5 Debarshi Ray 2022-04-06 07:58:50 UTC 
*** Bug 2071218 has been marked as a duplicate of this bug. ***
Comment 6 Zdenek Pytela 2022-04-08 08:59:21 UTC 
(In reply to Flo H. from comment #3)
> This bug is filed against flatpak, however, I think it should be filed
> against selinux-policy

The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak.

The appropriate interface is auth_read_passwd().
Comment 7 Debarshi Ray 2022-04-12 18:31:16 UTC 
Does this look good to you:
https://github.com/flatpak/flatpak/pull/4852 ?
Comment 8 Zdenek Pytela 2022-04-12 18:54:14 UTC 
(In reply to Debarshi Ray from comment #7)
> Does this look good to you:
> https://github.com/flatpak/flatpak/pull/4852 ?

It does.
Comment 9 Debarshi Ray 2022-04-12 19:06:22 UTC 
(In reply to Zdenek Pytela from comment #8)
> (In reply to Debarshi Ray from comment #7)
> > Does this look good to you:
> > https://github.com/flatpak/flatpak/pull/4852 ?
> 
> It does.

Thanks for the quick review, Zdeněk!
Comment 10 Fedora Update System 2022-04-12 21:33:10 UTC 
FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1
Comment 11 František Zatloukal 2022-04-13 14:42:43 UTC 
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

The decision to classify this bug as an AcceptedFreezeException was made:

"There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze."
Comment 12 Fedora Update System 2022-04-13 19:48:49 UTC 
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 13 Fedora Update System 2022-04-14 23:23:52 UTC 
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 14 aannoaanno 2022-04-23 08:37:30 UTC 
*** Bug 2078074 has been marked as a duplicate of this bug. ***
Comment 15 aannoaanno 2022-06-12 10:10:11 UTC 
*** Bug 2096056 has been marked as a duplicate of this bug. ***
Comment 16 aannoaanno 2022-06-19 09:20:23 UTC 
Problem still persists on my f36 installation, see #2078074 and #2096056
Note You need to log in before you can comment on or make changes to this bug.