Bug 2075937 - SELinux denials
Summary: SELinux denials
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 39
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2013407 2072245 2073565 2073566 2053634 2070350 2070741 2071215 2071217 2072243
Blocks:
Reported: 2022-04-16 12:06 UTC by mershl
Modified: 2023-08-16 08:08 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description mershl 2022-04-16 12:06:42 UTC
Description of problem:
A lot of denials are logged on login. The audit will only show one of the applications. Removing the application will show the next on subsequent logins.

Version-Release number of selected component:
selinux-policy-36.6-1.fc36.noarch
flatpak-selinux-1.12.7-2.fc36.noarch
flatpak-1.12.7-2.fc36.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install `org.gnome.Extensions` from flathub
2. Reboot & login
3. sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot

Actual results:
A lot of read-denials are visible in the audit log.

Expected results:
No denials/audits are logged on login.

===== Audit log =====
----
type=AVC msg=audit(16.04.2022 13:29:45.245:220) : avc:  denied  { read } for  pid=1035 comm=dbus-daemon name=org.gnome.Extensions.service dev="nvme0n1p3" ino=32776193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:29:45.311:223) : avc:  denied  { map } for  pid=1038 comm=gnome-session-b path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:46.297:228) : avc:  denied  { read } for  pid=1035 comm=dbus-daemon name=org.gnome.Extensions.service dev="nvme0n1p3" ino=32776193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:29:46.748:232) : avc:  denied  { map } for  pid=1049 comm=gnome-shell path=/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache dev="nvme0n1p3" ino=34290938 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:46.900:235) : avc:  denied  { read } for  pid=1035 comm=dbus-daemon name=org.gnome.Extensions.service dev="nvme0n1p3" ino=32776193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:238) : avc:  denied  { getattr } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:239) : avc:  denied  { read } for  pid=1362 comm=colord name=mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:240) : avc:  denied  { open } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:241) : avc:  denied  { map } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.111:243) : avc:  denied  { map } for  pid=1160 comm=gsd-color path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.290:244) : avc:  denied  { read } for  pid=1035 comm=dbus-daemon name=org.gnome.Extensions.service dev="nvme0n1p3" ino=32776193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file

===== Audit log after removing org.gnome.Extensions =====
----
type=AVC msg=audit(16.04.2022 13:37:03.471:220) : avc:  denied  { read } for  pid=1024 comm=dbus-daemon name=org.gnome.font-viewer.service dev="nvme0n1p3" ino=32850339 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:37:03.548:221) : avc:  denied  { map } for  pid=1025 comm=gnome-session-b path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:04.493:225) : avc:  denied  { read } for  pid=1048 comm=gnome-shell name=org.gnome.Cheese.desktop dev="nvme0n1p3" ino=33964317 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:37:05.126:233) : avc:  denied  { map } for  pid=1048 comm=gnome-shell path=/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache dev="nvme0n1p3" ino=34335139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.307:235) : avc:  denied  { read } for  pid=1024 comm=dbus-daemon name=org.gnome.font-viewer.service dev="nvme0n1p3" ino=32850339 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:37:05.485:239) : avc:  denied  { getattr } for  pid=1372 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.485:240) : avc:  denied  { read } for  pid=1372 comm=colord name=mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.485:241) : avc:  denied  { open } for  pid=1372 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.485:242) : avc:  denied  { map } for  pid=1372 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.577:243) : avc:  denied  { map } for  pid=1163 comm=gsd-color path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34335137 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:37:05.681:244) : avc:  denied  { read } for  pid=1024 comm=dbus-daemon name=org.gnome.font-viewer.service dev="nvme0n1p3" ino=32850339 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
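The two audit dumps above look like dozens of separate problems, but for policy triage what matters is the set of distinct access vectors: which source domain was denied which permissions on which target type and object class. The script below is an added example, not part of the bug report or of flatpak-selinux; it parses `ausearch -i` AVC records (the sample input is a subset of the records quoted in this report, embedded inline so it runs offline) and collapses them the way `audit2allow` does before it emits rules. The function and variable names (`parse_avc`, `summarize`, `objects_by_domain`, `as_te_rules`, `SAMPLE_LOG`) are this example's own.

```python
"""Summarise SELinux AVC denials from `ausearch -i` output.

Added example for this bug report: groups denials by
(source domain, target type, object class) so the many audit lines
collapse into the handful of access vectors a policy maintainer must
decide on.  Names here are the example's own, not flatpak-selinux API.
"""
import re
from collections import defaultdict

# Sample input: a subset of the AVC records quoted in the report, in the
# exact shape that `ausearch -i -m avc` prints them.
SAMPLE_LOG = """\
----
type=AVC msg=audit(16.04.2022 13:29:45.245:220) : avc:  denied  { read } for  pid=1035 comm=dbus-daemon name=org.gnome.Extensions.service dev="nvme0n1p3" ino=32776193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
----
type=AVC msg=audit(16.04.2022 13:29:45.311:223) : avc:  denied  { map } for  pid=1038 comm=gnome-session-b path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:238) : avc:  denied  { getattr } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:239) : avc:  denied  { read } for  pid=1362 comm=colord name=mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:240) : avc:  denied  { open } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.047:241) : avc:  denied  { map } for  pid=1362 comm=colord path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=AVC msg=audit(16.04.2022 13:29:47.111:243) : avc:  denied  { map } for  pid=1160 comm=gsd-color path=/var/lib/flatpak/exports/share/mime/mime.cache dev="nvme0n1p3" ino=34290936 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# "avc:  denied  { read map } for  key=value key="quoted" ..."
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """Type component (third field) of user:role:type:range."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Parse one AVC record into a dict; return None for separators/other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),  # path for files, name for symlinks
        "sdomain": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(text: str):
    """(source domain, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            summary[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def objects_by_domain(text: str):
    """Which (process, object) pairs each domain was denied on: the labeling view."""
    objs = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            objs[rec["sdomain"]].add((rec["comm"], rec["object"]))
    return dict(objs)


def as_te_rules(summary) -> list:
    """Render the summary as audit2allow-style allow rules, sorted for review.

    With a generic target type such as var_lib_t these rules would open all
    of /var/lib to the domain, not just the flatpak exports; they are shown
    here as the triage view, not as the fix.
    """
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in as_te_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for domain, objs in sorted(objects_by_domain(SAMPLE_LOG).items()):
        print(domain, sorted(objs))
```

On the sample the whole first dump reduces to three vectors: `xdm_t` reading `var_lib_t:lnk_file`, `xdm_t` mapping `var_lib_t:file`, and `colord_t` needing `getattr read open map` on `var_lib_t:file`. Every target carries the generic `var_lib_t` label although the objects all live under `/var/lib/flatpak/exports`, which is why the `objects_by_domain` view is the more useful one for a maintainer: it points at the file contexts of the exports tree rather than at blanket allow rules for the login and colord domains.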

Comment 1 Debarshi Ray 2022-04-20 00:12:52 UTC
There are already individual bugs open about several (all?) of these SELinux denials.  While we did fix a few, there's more to go.

I am going to re-purpose this bug as a tracker for all SELinux denials affecting flatpak.

Comment 2 Ben Cotton 2023-04-25 18:24:02 UTC
This message is a reminder that Fedora Linux 36 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 36 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 3 Fedora Release Engineering 2023-08-16 08:08:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

