Bug 1928548 - SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak.
Summary: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: David King
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f2a885de5f2e8f71d7c7bd89d6f...
Duplicates: 1933307 1945268 1945275 1945276 1945277 1945294 1945295 1945981 1945982 1949219 1949220 1949221 1949222
Depends On:
Blocks:
Reported: 2021-02-14 20:12 UTC by Mikhail
Modified: 2021-04-20 06:15 UTC (History)
CC List: 25 users
Fixed In Version: flatpak-1.10.2-3.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-19 14:34:07 UTC
Type: ---
Embargoed:
Links:
Red Hat Bugzilla 1916652 (priority high, status CLOSED): SELinux is preventing gnome-shell from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-them... (last updated 2022-05-16 11:32:56 UTC)

Description Mikhail 2021-02-14 20:12:55 UTC
Description of problem:
SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gnome-shell to have watch access on the flatpak directory
Then you need to change the label on /var/lib/flatpak
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak'
where FILE_TYPE is one of the following: etc_t, usr_t, xdm_var_lib_t.
Then execute:
restorecon -v '/var/lib/flatpak'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that gnome-shell should be allowed watch access on the flatpak directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak [ dir ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           flatpak-1.10.1-3.fc35.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.8-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-3.14.8-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64 #1 SMP Fri Feb 12 13:02:28 UTC 2021 x86_64 x86_64
Alert Count                   3
First Seen                    2021-02-15 01:01:37 +05
Last Seen                     2021-02-15 01:04:21 +05
Local ID                      f2a44485-cdd8-46ab-b27a-1141d4f06ab9

Raw Audit Messages
type=AVC msg=audit(1613333061.735:549): avc:  denied  { watch } for  pid=1580 comm="gnome-shell" path="/var/lib/flatpak" dev="nvme0n1p2" ino=203546441 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1


Hash: gnome-shell,xdm_t,var_lib_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.8-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64
type:           libreport
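The setroubleshoot report above boils the raw AVC line down to the tuple on its "Hash:" line (comm, source type, target type, object class, permission), and that tuple is what decides whether later "similar problem" reports are really the same denial. The following parser is an added example, not part of the bug report or of setroubleshoot or flatpak; it reads audit lines of the form quoted in the report, rebuilds that tuple, and counts distinct denials. The first sample line is the one quoted in the report; the second is constructed to stand in for the later dbus sock_file reports, and its target context (user_tmp_t), pid, inode and socket name are assumptions, not values from this bug.

```python
import re
from collections import Counter

# Sample audit lines. Line 1 is the raw AVC quoted in the report above.
# Line 2 is CONSTRUCTED to resemble the later "write on sock_file dbus-..."
# reports; its tcontext, pid, ino and socket name are assumed, not from the bug.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1613333061.735:549): avc:  denied  { watch } for  pid=1580 '
    'comm="gnome-shell" path="/var/lib/flatpak" dev="nvme0n1p2" ino=203546441 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1618600000.000:901): avc:  denied  { write } for  pid=2201 '
    'comm="gnome-shell" name="dbus-CONSTRUCTED" dev="tmpfs" ino=42 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
]

# "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path, name, dev).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of an SELinux context user:role:type[:range]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'stype': type_of(fields.get('scontext', '')),
        'ttype': type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        # dir/file denials carry path=, socket and name-based denials carry name=
        'target': fields.get('path') or fields.get('name'),
        # permissive=1 means the access was logged but actually allowed,
        # which matches "Enforcing Mode: Permissive" in the report header
        'permissive': fields.get('permissive') == '1',
    }


def setroubleshoot_hash(avc):
    """Rebuild the comm,stype,ttype,tclass,perm tuple shown on the report's Hash: line."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'],
                     avc['tclass'], ' '.join(avc['perms'])])


def group_denials(lines):
    """Count denials per hash tuple; two reports with different tuples are different bugs."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['decision'] == 'denied':
            counts[setroubleshoot_hash(avc)] += 1
    return counts


if __name__ == '__main__':
    for key, n in group_denials(SAMPLE_AUDIT_LINES).items():
        print(f'{n:3d}  {key}')
```

Run against a real log, the same grouping can be fed from `ausearch -m AVC --raw` output; the point of the grouping is that the watch-on-dir denial and the write-on-sock_file denial produce different tuples, so they would not be deduplicated into one setroubleshoot alert.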

Comment 1 Zdenek Pytela 2021-03-01 16:43:00 UTC
*** Bug 1933307 has been marked as a duplicate of this bug. ***

Comment 2 Adam Williamson 2021-03-18 19:36:26 UTC
Similar problem has been detected:

Happens during boot of current Fedora 34 Workstation.

hashmarkername: setroubleshoot
kernel:         5.11.6-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-25.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications.
type:           libreport

Comment 3 Adam Williamson 2021-03-24 23:48:45 UTC
Similar problem has been detected:

Happened on boot and initial login to GNOME on current F34 with all updates from u-t, including GNOME 40.

hashmarkername: setroubleshoot
kernel:         5.11.8-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-26.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications.
type:           libreport

Comment 4 Nicolas Berrehouc 2021-03-27 12:16:15 UTC
Similar problem has been detected:

After upgrade from F33 to F34 Beta.

hashmarkername: setroubleshoot
kernel:         5.11.9-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-27.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'watch' accesses on the dossier /var/lib/flatpak/exports/share/applications.
type:           libreport

Comment 5 Vasco Rodrigues 2021-03-27 16:46:07 UTC
Similar problem has been detected:

After login

hashmarkername: setroubleshoot
kernel:         5.11.9-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-28.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak.
type:           libreport

Comment 6 Zdenek Pytela 2021-03-31 16:03:24 UTC
*** Bug 1945275 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2021-03-31 16:03:38 UTC
*** Bug 1945277 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-03-31 16:03:47 UTC
*** Bug 1941853 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2021-03-31 16:05:41 UTC
Note the problem is the same as in bz#1916652, just this bz is for rawhide.

Comment 10 Nicolas Berrehouc 2021-03-31 18:07:24 UTC
Similar problem has been detected:

After upgrading from F33 to F34.

hashmarkername: setroubleshoot
kernel:         5.11.11-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-29.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-5WrHm0gEYL.
type:           libreport

Comment 11 Zdenek Pytela 2021-03-31 18:53:42 UTC
*** Bug 1945295 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2021-03-31 18:53:54 UTC
*** Bug 1945294 has been marked as a duplicate of this bug. ***

Comment 13 Zdenek Pytela 2021-03-31 18:56:05 UTC
*** Bug 1945276 has been marked as a duplicate of this bug. ***

Comment 14 Zdenek Pytela 2021-03-31 18:56:21 UTC
*** Bug 1945268 has been marked as a duplicate of this bug. ***

Comment 15 ranjan.de 2021-04-01 14:09:20 UTC
Similar problem has been detected:

I am using Fedora 34 on an iMac with Nvidia. Earlier I used Fedora 33. With both 33 and 34, every time I boot up my computer, a number of these SELinux messages appear. Tried following the troubleshoot advice, but not able to locate the file. Otherwise the OS runs fine.

hashmarkername: setroubleshoot
kernel:         5.11.11-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-29.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-ILletn1kQv.
type:           libreport

Comment 16 Michael 2021-04-01 20:30:25 UTC
Similar problem has been detected:

Upgraded to fedora 34

hashmarkername: setroubleshoot
kernel:         5.11.11-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-29.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-vBNWQ7JXE1.
type:           libreport

Comment 17 Zdenek Pytela 2021-04-06 20:15:28 UTC
*** Bug 1945982 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2021-04-06 20:18:05 UTC
*** Bug 1945981 has been marked as a duplicate of this bug. ***

Comment 19 Zdenek Pytela 2021-04-13 18:45:57 UTC
*** Bug 1949222 has been marked as a duplicate of this bug. ***

Comment 20 Zdenek Pytela 2021-04-13 18:46:12 UTC
*** Bug 1949221 has been marked as a duplicate of this bug. ***

Comment 21 Zdenek Pytela 2021-04-13 18:46:32 UTC
*** Bug 1949220 has been marked as a duplicate of this bug. ***

Comment 22 Zdenek Pytela 2021-04-13 18:46:46 UTC
*** Bug 1949219 has been marked as a duplicate of this bug. ***

Comment 23 Fabio Valentini 2021-04-15 08:02:57 UTC
Similar problem has been detected:

This AVC denial happens every time I log into GNOME / Xorg session after upgrading to Fedora 34 from Workstation 33.

If that matters, I'm using the proprietary NVidia driver, and I even did a full system relabel after the upgrade for good measure.

hashmarkername: setroubleshoot
kernel:         5.11.13-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications.
type:           libreport

Comment 24 Otto Urpelainen 2021-04-16 21:08:15 UTC
Similar problem has been detected:

Happens every time I log in. The second (random string) part of 'dbug-PUMqu5ktAf' is different every time.

hashmarkername: setroubleshoot
kernel:         5.11.13-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-PUMqu5ktAf.
type:           libreport

Comment 25 Otto Urpelainen 2021-04-16 21:23:57 UTC
Is bug 1941853 really a duplicate of this? These two look so different:

this: SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak/exports/share/applications
that: SELinux is preventing /usr/bin/gnome-shell from 'write' accesses on the sock_file /tmp/dbus-28iHchP5PL

Comment 26 Ian Laurie 2021-04-18 02:59:29 UTC
Similar problem has been detected:

Booted fc34 WS and logged in.

hashmarkername: setroubleshoot
kernel:         5.11.14-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-fGwdvY3I84.
type:           libreport

Comment 27 Kamil Páral 2021-04-19 09:06:29 UTC
Similar problem has been detected:

I switched between users in GNOME Workstation.

hashmarkername: setroubleshoot
kernel:         5.11.14-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-wdRLZ42k7D.
type:           libreport

Comment 28 Kalev Lember 2021-04-19 14:34:07 UTC
I believe the last two reports are a completely separate issue. The original report that's "SELinux is preventing gnome-shell from 'watch' accesses on the directory /var/lib/flatpak." should be fixed in flatpak-1.10.2-3.fc35 build, but the dbus sock_file issue still needs addressing somewhere.

Let's close this ticket as the original issue is fixed.

Comment 29 Otto Urpelainen 2021-04-20 06:15:55 UTC
(In reply to Kalev Lember from comment #28)
> I believe the last two reports are a completely separate issue. The original
> report that's "SELinux is preventing gnome-shell from 'watch' accesses on
> the directory /var/lib/flatpak." should be fixed in flatpak-1.10.2-3.fc35
> build, but the dbus sock_file issue still needs addressing somewhere.
> 
> Let's close this ticket as the original issue is fixed.

Tested, the "SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-PUMqu5ktAf" denial still happens with the flatpak version you list. I will reopen bug 1941853; to me it looks like it was marked as a duplicate of this issue by mistake.

