Bug 2070350 - flatpak_helper_t unable to read /etc/passwd.
Summary: flatpak_helper_t unable to read /etc/passwd.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 36
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e62516abf53dea5e0b1b5313b0b...
Duplicates: 2071218 2072275 2078074 2096056
Depends On:
Blocks: 2075937 F36FinalFreezeException
Reported: 2022-03-30 21:53 UTC by Michael
Modified: 2022-06-19 09:20 UTC (History)

Fixed In Version: flatpak-1.12.7-2.fc36
Last Closed: 2022-04-14 23:23:52 UTC
Type: ---
Embargoed:
Links
System ID: Github flatpak/flatpak/pull/4852
Private: 0
Priority: None
Status: open
Summary: selinux: Let system helper have read access to /etc/passwd
Last Updated: 2022-04-12 18:31:16 UTC

Description Michael 2022-03-30 21:53:28 UTC
Description of problem:
SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           setup-2.13.9.1-3.fc36.noarch
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.7-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP
                              PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-03-30 23:52:13 CEST
Last Seen                     2022-03-30 23:52:13 CEST
Local ID                      5eed63e9-c50b-4801-b5c1-b243d011ceb0

Raw Audit Messages
type=AVC msg=audit(1648677133.642:1103): avc:  denied  { read } for  pid=31490 comm="flatpak-system-" name="passwd" dev="nvme0n1p3" ino=3300790 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: flatpak-system-,flatpak_helper_t,passwd_file_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component:      flatpak
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.16.16-200.fc35.x86_64
type:           libreport
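
The raw AVC record in the description carries everything needed to triage the denial. The following is an added example, not part of the original report or of setroubleshoot: it parses `avc: denied` records, groups repeats under a key in the same field order as the report's "Hash:" line, and prints the bare allow rule a local module would contain. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Constructed input: line 1 is the AVC record quoted in the report; line 2 is a
# made-up repeat (new pid and audit serial); line 3 is a made-up non-AVC record.
AVC = ('type=AVC msg=audit(1648677133.642:1103): avc:  denied  { read } for  '
       'pid=31490 comm="flatpak-system-" name="passwd" dev="nvme0n1p3" '
       'ino=3300790 scontext=system_u:system_r:flatpak_helper_t:s0 '
       'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0')
SAMPLE = [
    AVC,
    AVC.replace('pid=31490', 'pid=31777').replace(':1103)', ':1190)'),
    'type=SYSCALL msg=audit(1648677133.642:1103): syscall=257 success=no exit=-13',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = sorted(m.group('perms').split())
    rec['stype'] = rec['scontext'].split(':')[2]  # context = user:role:type:level
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def denial_key(rec):
    """Same field order as the report's 'Hash:' line: comm,source,target,class,perms."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], *rec['perms']])

def allow_rule(rec):
    """The bare type-enforcement rule that corresponds to the denial."""
    p = rec['perms']
    p = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"

def summarize(lines):
    """Group denials by key -> (count, allow rule, blocked in enforcing mode?)."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = denial_key(rec)
        count = out.get(key, (0,))[0] + 1
        out[key] = (count, allow_rule(rec), rec.get('permissive') == '0')
    return out

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

A rule loaded this way lives only in a local module on one machine; the thread below resolves the denial in the flatpak-selinux policy itself.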

Comment 1 Flo H. 2022-03-31 19:28:44 UTC
I have the same problem after system-upgrade to F36. Access to /etc/passwd is blocked, `flatpak update` therefore fails.

Comment 2 Flo H. 2022-03-31 19:34:50 UTC
Similar problem has been detected:

flatpak update fails because of denied access to /etc/passwd

hashmarkername: setroubleshoot
kernel:         5.17.0-300.fc36.x86_64
package:        selinux-policy-targeted-36.5-1.fc36.noarch
reason:         SELinux is preventing flatpak-system- from 'read' accesses on the file /etc/passwd.
type:           libreport

Comment 3 Flo H. 2022-03-31 20:02:05 UTC
This bug is filed against flatpak; however, I think it should be filed against selinux-policy.

Comment 4 Debarshi Ray 2022-04-06 07:52:53 UTC
*** Bug 2072275 has been marked as a duplicate of this bug. ***

Comment 5 Debarshi Ray 2022-04-06 07:58:50 UTC
*** Bug 2071218 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2022-04-08 08:59:21 UTC
(In reply to Flo H. from comment #3)
> This bug is filed against flatpak, however, I think it should be filed
> against selinux-policy

The flatpak_helper_t type is provided by the flatpak-selinux subpackage, so it needs to be addressed in flatpak.

The appropriate interface is auth_read_passwd().

Comment 7 Debarshi Ray 2022-04-12 18:31:16 UTC
Does this look good to you:
https://github.com/flatpak/flatpak/pull/4852 ?

Comment 8 Zdenek Pytela 2022-04-12 18:54:14 UTC
(In reply to Debarshi Ray from comment #7)
> Does this look good to you:
> https://github.com/flatpak/flatpak/pull/4852 ?

It does.

Comment 9 Debarshi Ray 2022-04-12 19:06:22 UTC
(In reply to Zdenek Pytela from comment #8)
> (In reply to Debarshi Ray from comment #7)
> > Does this look good to you:
> > https://github.com/flatpak/flatpak/pull/4852 ?
> 
> It does.

Thanks for the quick review, Zdeněk!

Comment 10 Fedora Update System 2022-04-12 21:33:10 UTC
FEDORA-2022-bc3af3f0d1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

Comment 11 František Zatloukal 2022-04-13 14:42:43 UTC
Discussed in ticket: https://pagure.io/fedora-qa/blocker-review/issue/746

The decision to classify this bug as an AcceptedFreezeException was made:

"There is a high probability that this issue can be hit by users right after Fedora installation before updating their systems. It was decided to take this in during the Freeze."

Comment 12 Fedora Update System 2022-04-13 19:48:49 UTC
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc3af3f0d1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc3af3f0d1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2022-04-14 23:23:52 UTC
FEDORA-2022-bc3af3f0d1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 aannoaanno 2022-04-23 08:37:30 UTC
*** Bug 2078074 has been marked as a duplicate of this bug. ***

Comment 15 aannoaanno 2022-06-12 10:10:11 UTC
*** Bug 2096056 has been marked as a duplicate of this bug. ***

Comment 16 aannoaanno 2022-06-19 09:20:23 UTC
Problem still persists on my f36 installation, see #2078074 and #2096056

