
SELinux alerts #4128

Open
shoeper opened this issue Feb 16, 2021 · 23 comments

shoeper commented Feb 16, 2021

Linux distribution and version

Fedora 33 (Workstation Edition)

Flatpak version

Installed Packages
Name : flatpak
Version : 1.10.1
Release : 1.fc33
Architecture : x86_64
Size : 7.4 M
Source : flatpak-1.10.1-1.fc33.src.rpm

Description of the problem

Since using flatpak I get SELinux alerts.

SELinux is preventing gnome-shell from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

Plugin: catchall_labels
SELinux has denied the gnome-shell access to potentially mislabeled files
/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. This means that
SELinux will not allow httpd to use these files. If httpd should be allowed this
access to these files you should change the file context to one of the following
types, %s. Many third party apps install html files in directories that SELinux
policy cannot predict. These directories have to be labeled with a file context
which httpd can access.

If you want to allow gnome-shell to have map access on the icon-theme.cache file
You need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, 
httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, 
pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, tabrmd_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, 
wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'

SELinux is preventing gnome-shell from read access on the lnk_file /var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop.

Plugin: catchall_labels
SELinux has denied the gnome-shell access to potentially mislabeled files
/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop. This means
that SELinux will not allow httpd to use these files. If httpd should be allowed
this access to these files you should change the file context to one of the
following types, %s. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

If you want to allow gnome-shell to have read access on the us.zoom.Zoom.desktop lnk_file
You need to change the label on /var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, 
puppet_etc_t, qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop'

Steps to reproduce

Install flatpaks and alerts appear.

flatpak list
Name                 Application ID                       Version       Branch Installation
Mendeley             com.elsevier.MendeleyDesktop         1.19.8        stable system
Skype                com.skype.Client                     8.69.0.77     stable system
Freedesktop Platform org.freedesktop.Platform             20.08.4       20.08  system
default              org.freedesktop.Platform.GL.default                20.08  system
Intel                org.freedesktop.Platform.VAAPI.Intel               20.08  system
openh264             org.freedesktop.Platform.openh264    2.1.0         2.0    system
Arc Gtk theme        org.gtk.Gtk3theme.Arc                              3.22   system
Zotero               org.zotero.Zotero                    5.0.95.3      stable system
Zoom                 us.zoom.Zoom                         5.5.7011.0206 stable system
@careca1970

Hi there!
The same issue is causing trouble for many flatpak users in distributions which make use of "SELinux".
CPU gets busy with the flood of messages generated by SELinux. A solution must come.
Though, switching SELinux to "permissive" mode seems to be NO option for me (and many others).

For the time being, one can overcome the flood of messages by downgrading flatpak itself (and dependencies) to version 1.8.2-2 and placing an exclusion in "dnf.conf" (exact matching flatpak*-1.10.1-1.fc33.x86_64).
So that one will still be able to keep updating packages, SELinux is "untouched", but flatpak remains "old".

Recently you updated flatpak* to 1.10.2-1, but this issue is still present. Again, I excluded this new flatpak version from updating...

Now, please evaluate and give your statement on the root of this issue, so that it can be solved here, or anywhere else.

@hfiguiere
Contributor

See also Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1916652

@matthew-cline

A quick solution would be to change /etc/profile.d/flatpak.sh to not include /var/lib/flatpak/exports/share in XDG_DATA_DIRS, since that's how things like gnome-shell and sddm-greeter are finding the files. A better solution would be to update flatpak's SELinux policy to change the context of all files under /var/lib/flatpak/exports/share to system_u:object_r:usr_t:s0, since that's the same label as all the files under /usr/share/applications and /usr/share/icons.

@smcv
Collaborator

smcv commented Mar 23, 2021

> A better solution would be to update flatpak's SELinux policy

If someone who understands SELinux wants to contribute that change, please open a pull request.

In AppArmor, another LSM that is used in some distros that don't normally use SELinux, the tunables/share abstraction has allowed reading Flatpak apps' exports since 2018. AppArmor is path-based rather than label-based, and the relevant profile code is part of AppArmor rather than Flatpak, so the change is not completely equivalent, but the idea is the same.

> to system_u:object_r:usr_t:s0

I'm not sure whether it's really correct for .desktop files exported by Flatpak to be treated as completely equivalent to .desktop files in /usr - maybe a new context is needed for "Flatpak apps installed system-wide", and gnome-shell, sddm-greeter, etc. need to be allowed to read files labelled with that new context? But I don't use or understand SELinux myself.

This change would have to be driven by someone who understands the implications of SELinux policies and can justify why usr_t is correct, or why a new context is needed.

> A quick solution would be to change /etc/profile.d/flatpak.sh to not include /var/lib/flatpak/exports/share in XDG_DATA_DIRS, since that's how things like gnome-shell and sddm-greeter are finding the files

That's not a solution: it would break the ability to install a Flatpak app system-wide and have it show up in users' menus, both on SELinux systems and on non-SELinux systems.

@smcv
Collaborator

smcv commented Mar 23, 2021

cc @amigadave @kalev - it would probably make sense for SELinux changes to come from Fedora contributors, since that's the highest-profile distro using SELinux by default.

@kalev
Contributor

kalev commented Mar 23, 2021

Hm, I don't know at all how the SELinux integration works here and how to fix it. @amigadave understands it better, I suspect.

@refi64
Collaborator

refi64 commented Mar 24, 2021

You almost definitely don't want to be labeling files under /var as usr_t. IMO this could really be a bug in the policies for GNOME Shell...

@mwleeds mwleeds added the bug label Mar 25, 2021
@ghost

ghost commented Mar 30, 2021

This is not exclusive to GNOME, FYI; on KDE I'm getting the same alerts.

@cgwalters
Collaborator

It could make sense for the exports to be their own flatpak_export_t or so. But IMO they're also really equivalent to usr_t (even though they're not under /usr) - the problem domain is quite analogous to how for ostree systems we suggest /usr -> /var/usrlocal, and the Fedora SELinux policy is patched to label /var/usrlocal as usr_t.

So anyone who wants a quick local workaround, do chcon -R -t usr_t /var/lib/flatpak/exports/.

@matthew-cline

matthew-cline commented Mar 31, 2021

If we don't go the route of using usr_t, how about we label them something like xdg_t?

  • This could be reused by apps other than flatpak which want to add dirs to XDG_DATA_DIRS or XDG_CONFIG_DIRS which live outside of /usr.
  • For apps which find files based on those env vars, policy writers would only have to grant access to xdg_t, rather than grant access to blah_t for every single different app that modifies those vars.

@tonymartino

Can someone please provide an update on this bug?

Thank you!

@kparal

kparal commented Apr 8, 2021

Zdenek Pytela, the selinux-policy maintainer in Fedora, wrote in this comment:

> The solution can be assigning the flatpak_var_lib_t type to /var/lib/flatpak and allowing the access to all domains which can deal with flatpaks. I am ready to work with you to ensure the interactions with selinux-policy work.

@zpytela

zpytela commented Apr 9, 2021

I am still ready to work on a long-term solution, surely there are a few of them. For now, I'd rather go with Matthew's suggestion (see above):

> A quick solution would be to change /etc/profile.d/flatpak.sh to not
> include /var/lib/flatpak/exports/share in XDG_DATA_DIRS

to make it work in F34 GA.

@zpytela

zpytela commented Apr 9, 2021

I see now Simon's comment about XDG_DATA_DIRS. So another possible solution is using attributes: xdm and some other services already have access to objects in the gnome_home_type attribute, but /var/lib/ is not a home directory. Will think about it.

@kalev
Contributor

kalev commented Apr 9, 2021

Err, but wouldn't that just break all of the desktop integration? gnome-shell needs to be able to find the desktop files to be able to show the flatpak apps. I think it's a complete no-go, unless I'm missing something here.

@zpytela, I replied to you in https://bugzilla.redhat.com/show_bug.cgi?id=1916652#c66 earlier today but we can bring the discussion over here if you want. Could you reply to my questions there please?

@kalev
Contributor

kalev commented Apr 12, 2021

@zpytela Thanks for the reply! Let's continue the discussion here.

I spent some time bisecting flatpak today to find out what change actually caused the selinux alerts and it is this one:
f434508

In particular, it's the addition of /usr/lib/systemd/system-environment-generators/60-flatpak-system-only that causes the alerts.

If I understand right what's going on, the system generator changes the environment for the gdm (login) session that uses gnome-shell for its UI, so it's now looking through the desktop files in /var/lib/flatpak.

According to the commit message, the system environment change was done for gnome-initial-session to be able to handle parental controls. I believe gnome-initial-session also launches from the same login session and is spawned by gdm.

On Fedora side, this means that we now have a quick fix: Just drop the flatpak system env generator as we don't use parental controls in F33 and F34. We only need the user env generator.

Or maybe this now gives you ideas how we could easily fix this on the selinux policy side, @zpytela?

@kalev
Contributor

kalev commented Apr 14, 2021

Sooo, to move the discussion forward, how about labeling /var/lib/flatpak/exports/ in a specific way (flatpak_exports_var_lib_t?) and then allow xdm_t access to it?

Or label all of /var/lib/flatpak in a specific way (flatpak_var_lib_t) and allow xdm_t access to it?

I guess letting xdm_t read all of /var/lib would be too big of a hole?

Or should I move forward with the workaround above if you want to think more about this?
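
As an added example (not code from this issue, from Flatpak, or from selinux-policy), the following Python script triages raw AVC denial lines of the kind behind the setroubleshoot alerts in the original report and condenses them into the (source domain, target type, class) -> permissions shape that an allow rule would take, which is the question being weighed above: an allow rule for xdm_t on the label currently carried by /var/lib/flatpak/exports covers every other file with that label, while a dedicated label for the export tree keeps the rule narrow. The audit lines are constructed for illustration; the paths and the xdm_t source domain follow the thread, but the target label var_lib_t, the pids, inode numbers and timestamps are assumptions, as is the list of labels treated as "broad".

```python
"""Condense SELinux AVC denials and flag rules that would be too broad.

Added example, not code from the Flatpak project or the issue thread.
The audit lines below are constructed: paths and the xdm_t source
domain follow the issue, but var_lib_t as the current label of
/var/lib/flatpak/exports, the pids, inodes and timestamps are assumed.
"""
import re
from collections import defaultdict

# "avc:  denied  { map } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: an allow rule targeting one of these types reaches far beyond
# the Flatpak export tree, so such a rule is flagged instead of recommended.
BROAD_TARGET_TYPES = {'var_lib_t', 'var_t'}

EXPORT_ROOT = '/var/lib/flatpak/exports'

# Constructed sample of /var/log/audit/audit.log; the last line is a
# SYSCALL record and must be ignored by the parser.
CONSTRUCTED_AUDIT_LOG = """\
type=AVC msg=audit(1613500000.101:2201): avc:  denied  { map } for  pid=1412 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=5321 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1613500000.102:2202): avc:  denied  { read } for  pid=1412 comm="gnome-shell" path="/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop" dev="dm-0" ino=5330 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1613500000.103:2203): avc:  denied  { read } for  pid=1412 comm="gnome-shell" path="/var/lib/flatpak/exports/share/applications/us.zoom.Zoom.desktop" dev="dm-0" ino=5330 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1613500000.200:2204): avc:  denied  { name_connect } for  pid=990 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1613500000.200:2204): arch=c000003e syscall=42 success=no exit=-13
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        # user:role:type:range -> the type is the third field
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(log_text, export_root=EXPORT_ROOT):
    """Group denials by (source domain, target type, class) and count how
    many of them touch the Flatpak export tree."""
    rules = defaultdict(set)
    total = 0
    export_hits = 0
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        total += 1
        rules[(d['sdomain'], d['ttype'], d['tclass'])] |= d['perms']
        if d['path'] and d['path'].startswith(export_root + '/'):
            export_hits += 1
    return {
        'denials': total,
        'flatpak_export_denials': export_hits,
        'rules': {key: sorted(perms) for key, perms in rules.items()},
    }


def render_rules(report):
    """Render the condensed denials as allow-rule-shaped lines (the same
    shape audit2allow produces) and annotate those whose target type is
    broad, where a dedicated label would be the narrower fix."""
    lines = []
    for (sdomain, ttype, tclass), perms in sorted(report['rules'].items()):
        rule = f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        if ttype in BROAD_TARGET_TYPES:
            rule += "  # broad target type: relabel the tree instead of allowing this"
        lines.append(rule)
    return lines


if __name__ == '__main__':
    rep = summarize(CONSTRUCTED_AUDIT_LOG)
    print(f"{rep['denials']} denials, {rep['flatpak_export_denials']} under {EXPORT_ROOT}")
    print('\n'.join(render_rules(rep)))
```

On a real system the input would come from `ausearch -m AVC` rather than the embedded sample; the point of the broad-type annotation is that the condensed rule for the Flatpak denials, `allow xdm_t var_lib_t:...`, is exactly the "too big of a hole" rule, whereas the same denials after relabeling the export tree would condense to a rule on the new type only.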

@zpytela

zpytela commented Apr 14, 2021

@kalev this is a possible way; problem is that it is not only xdm, but also other processes/services. I know we need to move forward, hopefully today I'll come up with my suggestion.

@kalev
Contributor

kalev commented Apr 14, 2021

Ah, I see! Now I finally understand what's the hard part here :)

@zpytela

zpytela commented Apr 14, 2021

@kalev, if I understand the problem now correctly, this can be used as a quick workaround for xdm:

mkdir -p /etc/systemd/system-environment-generators
> /etc/systemd/system-environment-generators/60-flatpak-system-only

If the parental control feature is not planned to be used in Fedora, it would be nice to disable it then in the rpm specfile. I will now continue testing to figure out if we can address this in selinux-policy by allowing or dontauditing the permissions. Stay tuned.

@kalev
Contributor

kalev commented Apr 14, 2021

OK, let me do that then. We are planning on enabling parental controls support for F35, but it's not enabled in F33 and F34, so I think we should be able to safely disable the system env generator there.

That should take some pressure off of getting a selinux-policy fix out :)

@zpytela

zpytela commented Apr 14, 2021

> That should take some pressure off of getting a selinux-policy fix out :)

This is the point at the moment, thank you for understanding.

See more details in https://bugzilla.redhat.com/show_bug.cgi?id=1947214#c8

@kalev
Contributor

kalev commented Apr 14, 2021

Thanks, @zpytela! I went ahead and did the builds and the system env generator should be gone in flatpak-1.10.2-3.fc35, flatpak-1.10.2-3.fc34, flatpak-1.10.2-3.fc33 builds.
