Bug 2071217 - flatpak_helper_t can't use systemd-userdbd
Summary: flatpak_helper_t can't use systemd-userdbd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 36
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:51dc54c18b751b06f4e75771971...
Depends On:
Blocks: 2075937
TreeView+ depends on / blocked
 
Reported: 2022-04-02 08:41 UTC by Michael
Modified: 2022-07-11 01:57 UTC (History)
13 users (show)

Fixed In Version: flatpak-1.12.7-4.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-11 01:57:54 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github flatpak flatpak pull 4892 0 None open selinux: Permit using systemd-userdbd 2022-05-11 20:47:24 UTC

Description Michael 2022-04-02 08:41:24 UTC 
Description of problem:
flatpak update
SELinux is preventing pool-/usr/libex from 'read' accesses on the directory userdb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that libex should be allowed read access on the userdb directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pool-/usr/libex' --raw | audit2allow -M my-poolusrlibex
# semodule -X 300 -i my-poolusrlibex.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:systemd_userdbd_runtime_t:s0
Target Objects                userdb [ dir ]
Source                        pool-/usr/libex
Source Path                   pool-/usr/libex
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.7-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP
                              PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-03-31 23:25:57 CEST
Last Seen                     2022-04-02 10:38:50 CEST
Local ID                      4a3dc918-6e0b-4b44-99e6-e8abe562982b

Raw Audit Messages
type=AVC msg=audit(1648888730.61:418): avc:  denied  { read } for  pid=4980 comm="pool-/usr/libex" name="userdb" dev="tmpfs" ino=36 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0


Hash: pool-/usr/libex,flatpak_helper_t,systemd_userdbd_runtime_t,dir,read

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.16.16-200.fc35.x86_64
type:           libreport
Comment 1 Debarshi Ray 2022-04-12 19:48:01 UTC 
Is this somehow related to https://github.com/fedora-selinux/selinux-policy/pull/540 ?
Comment 2 Zdenek Pytela 2022-04-14 19:26:14 UTC 
Needs to be resolved in flatpak-selinux.
Comment 3 Debarshi Ray 2022-05-06 01:06:51 UTC 
What will be the right SELinux interface to solve this?  I looked at selinux-policy/policy/modules/system/systemd.if but it wasn't immediately clear which one I should use.
Comment 4 Debarshi Ray 2022-05-11 20:47:25 UTC 
I took another look, and systemd_userdbd_stream_connect() seems to be the interface that's needed.  Does this look good to you:
  https://github.com/flatpak/flatpak/pull/4892
Comment 5 Debarshi Ray 2022-05-24 19:26:50 UTC 
(In reply to Debarshi Ray from comment #4)
> I took another look, and systemd_userdbd_stream_connect() seems to be the
> interface that's needed.  Does this look good to you:
>   https://github.com/flatpak/flatpak/pull/4892

ping
Comment 6 aannoaanno 2022-06-19 09:19:31 UTC 
Problem still persists on my f36 installation
Comment 7 Zdenek Pytela 2022-06-30 09:56:40 UTC 
(In reply to Debarshi Ray from comment #4)
> I took another look, and systemd_userdbd_stream_connect() seems to be the
> interface that's needed.  Does this look good to you:
>   https://github.com/flatpak/flatpak/pull/4892

That's the right interface. Alternatively, assigning to nsswitch_domain attribute could be an option if flatpak needs access to all nss methods.
Comment 8 Debarshi Ray 2022-07-08 17:03:41 UTC 
(In reply to aannoaanno from comment #6)
> Problem still persists on my f36 installation

Yes, that's because we never got this fixed in Fedora.  That's why the bug is still open.  :)
Comment 9 Fedora Update System 2022-07-08 17:41:55 UTC 
FEDORA-2022-cbfe9e2744 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbfe9e2744
Comment 10 Fedora Update System 2022-07-09 01:13:50 UTC 
FEDORA-2022-cbfe9e2744 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cbfe9e2744`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbfe9e2744

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2022-07-11 01:57:54 UTC 
FEDORA-2022-cbfe9e2744 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.