SELinux alerts

[shoeper]

Linux distribution and version

Fedora 33 (Workstation Edition)

Flatpak version

Installed Packages
Name : flatpak
Version : 1.10.1
Release : 1.fc33
Architecture : x86_64
Size : 7.4 M
Source : flatpak-1.10.1-1.fc33.src.rpm

Description of the problem

Since using flatpak I get SELinux alerts.

SELinux is preventing gnome-shell from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

Plugin: catchall_labels 
 SELinux has denied the gnome-shell access to potentially mislabeled files
/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. This means that
SELinux will not allow httpd to use these files. If httpd should be allowed this
access to these files you should change the file context to one of the following
types, %s. Many third party apps install html files in directories that SELinux
policy cannot predict. These directories have to be labeled with a file context
which httpd can access.

If you want to allow gnome-shell to have map access on the icon-theme.cache file
You need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, tabrmd_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'

SELinux is preventing gnome-shell from read access on the lnk_file /var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop.

Plugin: catchall_labels 
 SELinux has denied the gnome-shell access to potentially mislabeled files
/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop. This means
that SELinux will not allow httpd to use these files. If httpd should be allowed
this access to these files you should change the file context to one of the
following types, %s. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

If you want to allow gnome-shell to have read access on the us.zoom.Zoom.desktop lnk_file
You need to change the label on /var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop'

Steps to reproduce

Install flatpaks and alerts appear.

flatpak list
Name                 Application ID                       Version       Branch Installation
Mendeley             com.elsevier.MendeleyDesktop         1.19.8        stable system
Skype                com.skype.Client                     8.69.0.77     stable system
Freedesktop Platform org.freedesktop.Platform             20.08.4       20.08  system
default              org.freedesktop.Platform.GL.default                20.08  system
Intel                org.freedesktop.Platform.VAAPI.Intel               20.08  system
openh264             org.freedesktop.Platform.openh264    2.1.0         2.0    system
Arc Gtk theme        org.gtk.Gtk3theme.Arc                              3.22   system
Zotero               org.zotero.Zotero                    5.0.95.3      stable system
Zoom                 us.zoom.Zoom                         5.5.7011.0206 stable system

[careca1970]

Hi there!
The Same issue is making trouble to many flatpak users, in distributions which make use of "SELinux".
CPU gets busy with the flood of messages generated by SELinux. A solution must come.
Thou, switching SELinux to "permissive" mode seems to be NO option for me (and many others).

For the time being, one can overcome the flood of messages after downgrading flatpak itself (and dependencies) to version 1.8.2-2, placing an exclusion at "dnf.conf" (exact matching flatpak*-1.10.1-1.fc33.x86_64).
So that he will still able to keep updating packages, SELinux is "untouched", but flatpak remains "old".

Newly you updated flapak* to 1.10.2-1, but this issue is still present. Again, I excluded this flatpak new version from updating...

Now, please evaluate and give your statement on the root of this issue, so that it can be solved here, or anywhere else.

[hfiguiere]

See also Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1916652

[matthew-cline]

A quick solution would be to change /etc/profile.d/flatpak.sh to not include /var/lib/flatpak/exports/share in XDG_DATA_DIRS, since that's how things like gnome-shell and sddm-greeter are finding the files. A better solution would be to update flatpak's SElinux policy to change the context of all files under /var/lib/flatpak/exports/share to system_u:object_r:usr_t:s0, since that's the same label as all the files under /usr/share/applications and /usr/share/icons.

[smcv]

A better solution would be to update flatpak's SElinux policy

If someone who understands SELinux wants to contribute that change, please open a pull request.

In AppArmor, another LSM that is used in some distros that don't normally use SELinux, the tunables/share abstraction has allowed reading Flatpak apps' exports since 2018. AppArmor is path-based rather than label-based, and the relevant profile code is part of AppArmor rather than Flatpak, so the change is not completely equivalent, but the idea is the same.

to system_u:object_r:usr_t:s0

I'm not sure whether it's really correct for .desktop files exported by Flatpak to be treated as completely equivalent to .desktop files in /usr - maybe a new context is needed for "Flatpak apps installed system-wide", and gnome-shell, sddm-greeter, etc. need to be allowed to read files labelled with that new context? But I don't use or understand SELinux myself.

This change would have to be driven by someone who understands the implications of SELinux policies and can justify why usr_t is correct, or why a new context is needed.

A quick solution would be to change /etc/profile.d/flatpak.sh to not include /var/lib/flatpak/exports/share in XDG_DATA_DIRS, since that's how things like gnome-shell and sddm-greeter are finding the files

That's not a solution: it would break the ability to install a Flatpak app system-wide and have it show up in users' menus, both on SELinux systems and on non-SELinux systems.

[smcv]

cc @amigadave @kalev - it would probably make sense for SELinux changes to come from Fedora contributors, since that's the highest-profile distro using SELinux by default.

[kalev]

Hm, I don't know at all how the SELinux integration works here and how to fix it. @amigadave understands it better, I suspect.

[refi64]

You almost definitely don't want to be labeling files under /var as usr_t. IMO this could really be a bug in the policies for GNOME Shell...

[ghost]

This is not exclusive to gnome fyi, on KDE I'm getting the same alerts.

[cgwalters]

It could make sense for the exports to be their own flatpak_export_t or so. But IMO they're also really equivalent to usr_t (even though they're not under /usr) - the problem domain is quite analogous to how for ostree systems we suggest /usr -> /var/usrlocal, and the Fedora SELinux policy is patched to label /var/usrlocal as usr_t.

So anyone who wants a quick local workaround, do chcon -R -t usr_t /var/lib/flatpak/exports/.

[matthew-cline]

If we don't go the route of using usr_t, how about we label them something like xdg_t?

• This could be reused by apps other than flatpak which want to add dirs to XDG_DATA_DIRS or XDG_CONFIG_DIRS which lives outside of /usr.
• For apps which find files based on those envs vars, policy writers would only have to grant access to xdg_t, rather than grant access to blah_t for every single different app modifies those vars.

[tonymartino]

Can someone please provide an update on this bug?

Thank you!

[kparal]

Zdenek Pytela, the selinux-policy maintainer in Fedora, wrote in this comment:

The solution can be assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the access to all domains which can deal with flatpaks. I am ready to work with you to ensure the interactions with selinux-policy work.

[zpytela]

I am still ready to work on a long-term solution, surely there are a few of them. For now, I'd rather go with Matthew's suggestion (see above):

A quick solution would be to change /etc/profile.d/flatpak.sh to not
include /var/lib/flatpak/exports/share in XDG_DATA_DIRS

to make it working in F34 GA.

[zpytela]

I see now Simon's comment about XDG_DATA_DIRS. So another possible solution is using attributes: xdm and some other services already have access to objects in the gnome_home_type atttribute, but /var/lib/ is not a home directory. Will think about it.

[kalev]

Err, but wouldn't that just break all of the desktop integration? gnome-shell needs to be able to find the desktop files to be able to show the flatpak apps. I think it's a complete no-go, unless I'm missing something here.

@zpytela, I replied to you in https://bugzilla.redhat.com/show_bug.cgi?id=1916652#c66 earlier today but we can bring the discussion over here if you want. Could you reply to my questions there please?

[kalev]

@zpytela Thanks for the reply! Let's continue the discussion here.

I spent some time bisecting flatpak today to find out what change actually caused the selinux alerts and it is this one:
f434508

In particular, it's the addition of /usr/lib/systemd/system-environment-generators/60-flatpak-system-only that causes the alerts.

If I understand it right what's going on, the system generator changes the environment for the gdm (login) session that uses gnome-shell for its UI, so it's now looking through the desktop files in /var/lib/flatpak.

According to the commit message, the system environment change was done for gnome-initial-session to be able to handle parental controls. I believe gnome-initial-session also launches from the same login session and is spawned by gdm.

On Fedora side, this means that we now have a quick fix: Just drop the flatpak system env generator as we don't use parental controls in F33 and F34. We only need the user env generator.

Or maybe this now gives you ideas how we could easily fix this on the selinux policy side, @zpytela?

[kalev]

Sooo, to move the discussion forward, how about labeling /var/lib/flatpak/exports/ in a specific way (flatpak_exports_var_lib_t?) and then allow xdm_t access to it?

Or label all of /var/lib/flatpak in a specific way (flatpak_var_lib_t) and allow xdm_t access to it?

I guess letting xdm_t read all of /var/lib would be too big of a hole?

Or should I move forward with the workaround above if you want to think more about this?

[zpytela]

@kalev this is a possible way; problem is that it is not only xdm, but also other processes/services. I know we need to move forward, hopefully today I'll come up with my suggestion.

[kalev]

Ah, I see! Now I finally understand what's the hard part here :)

[zpytela]

@kalev, if I understand the problem now correctly, this can be used as a quick workaround for xdm:

mkdir -p /etc/systemd/system-environment-generators
> /etc/systemd/system-environment-generators/60-flatpak-system-only

If the parental control feature is not planned to use in Fedora, it would be nice to disable it then in rpm specfile. I will now continue testing to figure out if we can address this in selinux-policy by allowing or dontauditing the permissions. Stay tuned.

[kalev]

OK, let me do that then. We are planning on enabling parental controls support for F35, but it's not enabled in F33 and F34, so I think we should be able to safely disable the system env generator there.

That should take some pressure off of getting a selinux-policy fix out :)

[zpytela]

That should take some pressure off of getting a selinux-policy fix out :)

This is the point at the moment, thank you for understanding.

See more details in https://bugzilla.redhat.com/show_bug.cgi?id=1947214#c8

[kalev]

Thanks, @zpytela! I went ahead and did the builds and the system env generator should be gone in flatpak-1.10.2-3.fc35, flatpak-1.10.2-3.fc34, flatpak-1.10.2-3.fc33 builds.