Description of problem: SELinux is preventing pool-/usr/libex from 'open' accesses on the file /var/lib/flatpak/repo/config. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow libex to have open access on the config file Then you need to change the label on /var/lib/flatpak/repo/config Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/repo/config' where FILE_TYPE is one of the following: abrt_helper_exec_t, abrt_var_run_t, bin_t, boot_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t, cpu_online_t, dbusd_etc_t, etc_runtime_t, etc_t, fail2ban_var_lib_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, ica_tmpfs_t, ld_so_cache_t, ld_so_t, lib_t, locale_t, machineid_t, man_cache_t, man_t, mandb_cache_t, pkcs11_modules_conf_t, prelink_exec_t, rkhunter_var_lib_t, rpm_script_tmp_t, shell_exec_t, sosreport_tmp_t, src_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, textrel_shlib_t, usr_t. Then execute: restorecon -v '/var/lib/flatpak/repo/config' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that libex should be allowed open access on the config file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pool-/usr/libex' --raw | audit2allow -M my-poolusrlibex # semodule -X 300 -i my-poolusrlibex.pp Additional Information: Source Context system_u:system_r:flatpak_helper_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/repo/config [ file ] Source pool-/usr/libex Source Path pool-/usr/libex Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.5-1.fc36.noarch Local Policy RPM flatpak-selinux-1.12.7-1.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-04-05 23:44:40 CEST Last Seen 2022-04-05 23:44:40 CEST Local ID fa5fb330-0f72-46f9-ab24-9def4a5507fa Raw Audit Messages type=AVC msg=audit(1649195080.561:672): avc: denied { open } for pid=12473 comm="pool-/usr/libex" path="/var/lib/flatpak/repo/config" dev="nvme0n1p3" ino=2640046 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 Hash: pool-/usr/libex,flatpak_helper_t,var_lib_t,file,open Version-Release number of selected component: selinux-policy-targeted-36.5-1.fc36.noarch Additional info: component: flatpak reporter: libreport-2.17.1 hashmarkername: setroubleshoot kernel: 5.16.16-200.fc35.x86_64 type: libreport
Needs to be resolved in flatpak-selinux.
What's the correct interface to allow this? files_create_var_lib_dirs and/or files_create_var_lib_symlinks?
Depends on what flatpak does after opening the file. For reading, files_read_var_lib_files() may be the right one.
So, this denial is about an 'open' access to a 'file' with the var_lib_t context, specifically /var/lib/flatpak/repo/config. After following your pointers in: https://bugzilla.redhat.com/show_bug.cgi?id=2072274#c2 ... I see that 'files_read_var_lib_files' evaluates to: interface(`files_read_var_lib_files',` gen_require(` type var_t, var_lib_t; ') allow $1 var_lib_t:dir { getattr search open read lock ioctl }; // read_files_pattern allow $1 { var_t var_lib_t }:dir { getattr search open }; allow $1 var_lib_t:file { open getattr read ioctl lock }; ') We already added files_read_var_lib_files() as part of bug 2070741 so this is a duplicate of that.
*** This bug has been marked as a duplicate of bug 2070741 ***