Bug 2053634 - flatpak_helper_t unable to watch files inside /usr/libexec
Summary: flatpak_helper_t unable to watch files inside /usr/libexec
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 36
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:093e24147e5c775bb1e99061a35...
Duplicates: 2071216 2077870
Depends On:
Blocks: 2075937 F36FinalFreezeException
 
Reported: 2022-02-11 16:39 UTC by Adam Williamson
Modified: 2022-06-25 14:18 UTC
CC List: 16 users

Fixed In Version: flatpak-1.12.7-2.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-14 23:23:48 UTC
Type: ---
Embargoed:




Links
Github flatpak/flatpak pull 4853 (open): selinux: Let the system helper watch files inside $libexecdir, last updated 2022-04-12 19:06:15 UTC

Description Adam Williamson 2022-02-11 16:39:02 UTC
Description of problem:
Happens frequently in the background on current F36.
SELinux is preventing flatpak-system- from 'watch' accesses on the directory /usr/libexec.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed watch access on the libexec directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec [ dir ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.16-2.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.1-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.4-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.1-200.fc35.x86_64 #1 SMP
                              PREEMPT Mon Jan 17 00:49:29 UTC 2022 x86_64 x86_64
Alert Count                   24
First Seen                    2022-02-11 08:37:05 PST
Last Seen                     2022-02-11 08:38:37 PST
Local ID                      962e13f3-9a0a-4b30-b59e-d40f9c4034aa

Raw Audit Messages
type=AVC msg=audit(1644597517.410:541): avc:  denied  { watch } for  pid=16275 comm="gmain" path="/usr/libexec" dev="dm-1" ino=1179656 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0


Hash: flatpak-system-,flatpak_helper_t,bin_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-36.1-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.16.0
hashmarkername: setroubleshoot
kernel:         5.16.1-200.fc35.x86_64
type:           libreport

Comment 1 Debarshi Ray 2022-04-06 08:00:58 UTC
*** Bug 2071216 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2022-04-08 11:40:57 UTC
The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak.

The appropriate interface is corecmd_watch_bin_dirs() which will be present in the next selinux-policy build.

Comment 3 Debarshi Ray 2022-04-12 19:06:16 UTC
Does this look good to you:
https://github.com/flatpak/flatpak/pull/4853

Comment 4 Zdenek Pytela 2022-04-12 20:30:00 UTC
It does.

Comment 5 Debarshi Ray 2022-04-12 20:35:09 UTC
(In reply to Zdenek Pytela from comment #4)
> It does.

Thanks for the quick review, Zdeněk!

Comment 6 Debarshi Ray 2022-04-12 20:36:16 UTC
(In reply to Zdenek Pytela from comment #2)
>
> The appropriate interface is corecmd_watch_bin_dirs() which will be present
> in the next selinux-policy build.

Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for Fedora 36 GA?

Comment 7 Fedora Update System 2022-04-12 21:33:07 UTC
FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

Comment 8 František Zatloukal 2022-04-13 14:43:17 UTC
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

The decision to classify this bug as an AcceptedFreezeException was made:

"There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze."

Comment 9 František Zatloukal 2022-04-13 14:43:43 UTC
(In reply to František Zatloukal from comment #8)
> Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/745

Comment 10 Fedora Update System 2022-04-13 19:48:46 UTC
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-04-14 23:23:48 UTC
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Zdenek Pytela 2022-04-20 07:53:20 UTC
(In reply to Debarshi Ray from comment #6)
> (In reply to Zdenek Pytela from comment #2)
> >
> > The appropriate interface is corecmd_watch_bin_dirs() which will be present
> > in the next selinux-policy build.
> 
> Will we have a selinux-policy build with corecmd_watch_bin_dirs in time for
> Fedora 36 GA?

The package should have a new build today.

Comment 13 Debarshi Ray 2022-05-05 22:57:50 UTC
*** Bug 2077870 has been marked as a duplicate of this bug. ***

Comment 14 aannoaanno 2022-06-19 09:18:37 UTC
Problem still persists on my f36 installation, see #2077870

Comment 15 Stefan Becker 2022-06-25 14:18:24 UTC
(In reply to aannoaanno from comment #14)
> Problem still persists on my f36 installation, see #2077870

I had the same issue on a machine that had been installed 2 years ago, moved with the Fedora releases every 6 months and has now been upgraded to F36.

I recently installed another machine with F35 and upgraded it to F36: there everything works fine. Go figure...

Anyway, I've now finally got rid of the SELinux errors. In all steps I made sure that I had used "systemctl stop flatpak-system-helper" to stop the process that was throwing the SELinux errors.

* restorecon -vrF /usr/libexec /var/lib/flatpak /etc/passwd -> didn't help
* touch /.autorelabel & reboot, i.e. a complete relabel -> didn't help
* dnf reinstall flatpak-selinux -> no more errors, finally.....

Hope this helps.
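The reinstall in comment 15 helped where a relabel did not, which points at the loaded policy rather than file labels. An added example (not from the bug report or from flatpak) of the check that separates the two cases: it turns the raw AVC record from the description into the sesearch query that asks whether the policy currently loaded grants the access, and checks whether the flatpak module is loaded at all. The AVC string is the denial quoted above, pasted in as constructed test input; sesearch comes from setools and semodule from policycoreutils, and both are only consulted if present.

```shell
#!/bin/sh
# Added example, not code from the bug report or from flatpak.
# Parses an AVC "denied" record and builds the setools query that reports
# whether the loaded policy has an allow rule covering it.

# Constructed input: the AVC line from the description of this bug.
AVC='type=AVC msg=audit(1644597517.410:541): avc:  denied  { watch } for  pid=16275 comm="gmain" path="/usr/libexec" dev="dm-1" ino=1179656 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=0'

# avc_field AVC NAME: print the value of "NAME=" in the record, or fail.
avc_field() {
    rest=${1#*" $2="}
    [ "$rest" != "$1" ] || return 1
    printf '%s\n' "${rest%% *}"
}

# avc_perms AVC: the permissions between the braces ("watch", or
# "read write" for a multi-permission denial).
avc_perms() {
    p=${1#*"{ "}
    p=${p%%" }"*}
    printf '%s\n' "$p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch AVC: the setools query for an allow rule covering it.
avc_to_sesearch() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$s" "$t" "$c" "$p"
}

# loaded_policy_allows AVC: 0 if sesearch finds an allow rule, 1 if the
# loaded policy has none (the bug), 2 if setools is not installed.
loaded_policy_allows() {
    q=$(avc_to_sesearch "$1")
    command -v sesearch >/dev/null 2>&1 || { echo "setools missing; run: $q" >&2; return 2; }
    $q | grep -q '^allow '
}

# semodule_loaded NAME: 0 if a module of that name is in the loaded policy,
# 1 if not (the package is installed but its module is not loaded), 2 if
# semodule is unavailable.
semodule_loaded() {
    command -v semodule >/dev/null 2>&1 || return 2
    semodule -l | grep -qx "$1"
}

if [ "${1:-}" = "--check" ]; then
    avc_to_sesearch "$AVC"
    loaded_policy_allows "$AVC" && echo "loaded policy allows it" || echo "loaded policy does not allow it (rc=$?)"
    semodule_loaded flatpak && echo "flatpak module loaded" || echo "flatpak module not loaded (rc=$?)"
fi
```

Run with `--check` on the affected host: an allow rule together with a loaded flatpak module means the fixed package is in effect and any remaining denials come from a different path or type; no rule with the module reported as loaded is the original bug; no rule and no module is the stale-policy situation that a reinstall of flatpak-selinux (which re-runs `semodule -i`) repairs. Replace `AVC` with any other record from `ausearch -m AVC --raw` to run the same check for a different denial.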

