Bug 1216237 - SELinux: execstack denied for unconfined Discord flatpak
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Filippo Bonazzi
QA Contact: E-mail List
Reported: 2023-10-14 07:44 UTC by Felix Niederwanger
Modified: 2023-10-24 07:47 UTC

Attachments
Screenshot of the reported broken Discord application (85.85 KB, image/png)
2023-10-14 07:44 UTC, Felix Niederwanger
Description Felix Niederwanger 2023-10-14 07:44:53 UTC
Created attachment 870177
Screenshot of the reported broken Discord application

The Discord application (flatpak) on Tumbleweed reports a corrupt Discord installation (see screenshot) due to some SELinux violations:

> # ausearch -m avc | grep Discord
> type=AVC msg=audit(1697269338.440:235): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
> type=AVC msg=audit(1697269338.456:236): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
> type=AVC msg=audit(1697269338.456:237): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
> type=AVC msg=audit(1697269340.490:238): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
> type=AVC msg=audit(1697269340.503:239): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Running the application in permissive SELinux mode makes those reports go away.
Comment 1 Felix Niederwanger 2023-10-14 07:45:28 UTC
See also https://github.com/flathub/com.discordapp.Discord/issues/310
Comment 2 Filippo Bonazzi 2023-10-16 06:44:34 UTC
Is this solved by 'sudo setsebool selinuxuser_execstack 1'?

See https://en.opensuse.org/Portal:Aeon#Android_Studio_emulator_not_working_from_flatpak
Comment 3 Felix Niederwanger 2023-10-24 07:10:00 UTC
Yes that works.
Comment 4 Filippo Bonazzi 2023-10-24 07:15:37 UTC
Nice, closing as fixed.
Comment 5 Felix Niederwanger 2023-10-24 07:47:09 UTC
Thank you Filippo!
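
For triage of denials like the ones quoted in the description, the following is an added example and not part of the original bug report: a small parser that groups enforced AVC denials by command, source type, class and permission, then lists the commands whose denial has the same shape as this bug (execstack on tclass=process from unconfined_t). The function names are hypothetical; the first two sample records are copied from the description and the third is constructed.

```python
import re
from collections import Counter

# First two records are copied from the bug description; the third is
# constructed to show that unrelated denials are not matched.
SAMPLE_LOG = '''\
type=AVC msg=audit(1697269338.440:235): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1697269338.456:236): avc:  denied  { execstack } for  pid=9690 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1700000000.000:1): avc:  denied  { read write } for  pid=4242 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
'''

HEADER = re.compile(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): '
                    r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC record."""
    m = HEADER.search(line)  # search() also accepts lines pasted with a "> " prefix
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(5))}
    rec.update(time=float(m.group(1)), serial=int(m.group(2)),
               result=m.group(3), perms=m.group(4).split())
    # SELinux contexts are user:role:type[:mls-range]; the type is field 3.
    parts = rec.get("scontext", "").split(":")
    rec["stype"] = parts[2] if len(parts) > 2 else ""
    return rec

def summarize(text):
    """Count enforced denials per (comm, source type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["result"] == "denied" and rec.get("permissive") == "0":
            for perm in rec["perms"]:
                counts[(rec.get("comm"), rec["stype"], rec.get("tclass"), perm)] += 1
    return counts

def execstack_by_unconfined(counts):
    """Commands denied execstack on tclass=process while running as unconfined_t."""
    return sorted({comm for (comm, stype, tclass, perm) in counts
                   if (stype, tclass, perm) == ("unconfined_t", "process", "execstack")})

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for key, n in totals.items():
        print(n, *key)
    print("same shape as this bug:", execstack_by_unconfined(totals))
```

Records with permissive=1 are skipped because they were logged but not blocked.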