Bugzilla – Bug 1220591
[SELinux] flatpak: "Warning: Failed to get revokefs-fuse socket from system-helper" with selinux in enforcing during install/update
Last modified: 2024-05-17 09:20:58 UTC
When trying to install a new application or to upgrade existing ones, if SELinux is set to `enforcing`, flatpak will log the following warning for each updated/installed application:

```
Warning: Failed to get revokefs-fuse socket from system-helper: Message recipient disconnected from message bus without replying
```

Installation seems to finish without any corruption or other problems. Running flatpak with `--verbose` isn't much more helpful.

```
Updating 1/n…
F: Calling system helper: GetRevokefsFd
F: Calling system helper: GetRevokefsFd
Warning: Failed to get revokefs-fuse socket from system-helper: Message recipient disconnected from message bus without replying
F: flatpak_dir_pull: Using commit <COMMIT_SHA> for pull of ref <REF> from remote flathub
Updating 1/11… 0%  0 bytes/s
# snip
F: Received XXX bytes
F: Calling system helper: Deploy
Updating 2/n…
# snip
```

I checked SELinux's logs with `ausearch` for any access violation and any failure in general but nothing showed up. Setting SELinux to permissive fixes the warning.

System information:
- OS: openSUSE Tumbleweed snapshot 20240227
- Relevant versions:
  - flatpak: 1.15.6-1.3
  - selinux-policy: 20240205-1.1
  - selinux-policy-targeted: 20240205-1.1
Can you please run `semodule -DB`, then update flatpak again and check for AVCs? Maybe it's dontaudited (not visible by default).
Done. Using `ausearch -sv no -ts recent` after an installation I get the following errors:

```
----
time->Thu Feb 29 14:32:16 2024
type=AVC msg=audit(1709213536.141:320): avc: denied { sys_ptrace } for pid=796 comm="systemd-journal" capability=19 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=cap_userns permissive=0
----
time->Thu Feb 29 14:32:16 2024
type=AVC msg=audit(1709213536.161:321): avc: denied { sys_ptrace } for pid=796 comm="systemd-journal" capability=19 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=cap_userns permissive=0
----
time->Thu Feb 29 14:32:19 2024
type=AVC msg=audit(1709213539.065:323): avc: denied { noatsecure } for pid=28909 comm="dbus-daemon-lau" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:19 2024
type=AVC msg=audit(1709213539.068:324): avc: denied { rlimitinh } for pid=28909 comm="SetroubleshootP" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:19 2024
type=AVC msg=audit(1709213539.068:325): avc: denied { siginh } for pid=28909 comm="SetroubleshootP" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:45 2024
type=AVC msg=audit(1709213565.245:332): avc: denied { noatsecure } for pid=2514 comm="dbus-daemon-lau" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:45 2024
type=AVC msg=audit(1709213565.249:333): avc: denied { rlimitinh } for pid=2514 comm="SetroubleshootP" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:45 2024
type=AVC msg=audit(1709213565.249:334): avc: denied { siginh } for pid=2514 comm="SetroubleshootP" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:33:16 2024
type=AVC msg=audit(1709213596.996:345): avc: denied { read write } for pid=10803 comm="unix_chkpwd" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
----
time->Thu Feb 29 14:33:17 2024
type=AVC msg=audit(1709213597.003:347): avc: denied { read write } for pid=10807 comm="unix_chkpwd" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
```

Not sure if it is all related, but surely those relative to `dbus-daemon-launcher` are related.
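As an added example (not part of the bug report or of the flatpak project): a small POSIX sh helper that condenses the `ausearch -sv no -ts recent` output from the step above, taken after `semodule -DB` has exposed the dontaudited denials, into one line per source type, target type, object class and permission set, so the dbus-daemon denials the thread singles out can be separated from unrelated noise such as the `unix_chkpwd` and `systemd-journal` records. The sample records are constructed from the ones pasted above.

```shell
#!/bin/sh
# Added example, not from the bug report or the flatpak project. Triage AVC
# records such as the ones posted in this thread. Workflow the thread uses:
#   semodule -DB                      # temporarily disable dontaudit rules
#   flatpak update                    # reproduce
#   ausearch -sv no -ts recent | summarize_avcs
#   semodule -B                       # rebuild policy with dontaudit rules again

# Constructed sample: three records abbreviated from the thread's ausearch output.
SAMPLE_AVCS='----
time->Thu Feb 29 14:32:19 2024
type=AVC msg=audit(1709213539.065:323): avc: denied { noatsecure } for pid=28909 comm="dbus-daemon-lau" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:32:19 2024
type=AVC msg=audit(1709213539.068:324): avc: denied { rlimitinh } for pid=28909 comm="SetroubleshootP" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Feb 29 14:33:16 2024
type=AVC msg=audit(1709213596.996:345): avc: denied { read write } for pid=10803 comm="unix_chkpwd" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0'

# Read ausearch output on stdin and print, sorted:
#   "<count> <source type> -> <target type> <class> { perms }"
# Only "type=AVC" lines are parsed; "----" separators and time-> lines are skipped.
summarize_avcs() {
  awk '
    /^type=AVC/ {
      perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
      src = tgt = cls = "?"
      for (i = 1; i <= NF; i++) {
        # third colon-separated field of a context is the type (e.g. system_dbusd_t)
        if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      n[src " -> " tgt " " cls " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Keep only the denials raised in the system bus daemon domain: the thread
# identifies the dbus-daemon launcher records as the ones tied to this bug.
dbus_related_avcs() {
  summarize_avcs | grep 'system_dbusd_t'
}

printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

Pipe real `ausearch` output into `dbus_related_avcs` to see only the system-bus denials; anything that survives after the upstream policy module is installed is worth a closer look.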
Flatpak upstream provides a minimal SELinux policy module to deal exactly with flatpak-system-helper and dbus-daemon. This SELinux module is packaged in Fedora and thus Flatpak works there without the reported issue. The openSUSE packager of Flatpak has not packaged this policy module, and so Flatpak has this issue. I will look into this further, to see if this upstream policy module contains the whole solution, and how best to provide this in openSUSE. I am working in
The provided upstream policy module found in flatpak-1.15.6/selinux/ is sufficient to fix the issue. After installing the module, it is necessary to relabel at least the affected file /usr/libexec/flatpak-system-helper. I will discuss internally whether it is better to provide this policy module in the flatpak package, or whether it is simpler to provide it natively in our system SELinux policy.
hi @gnome-bugs, can you help to provide the upstream selinux policy module in the flatpak packaging, like e.g. Fedora does?
As mentioned to Antonio directly, we only care about TW/MicroOS for this one for now. We do not offer a supported SELinux policy on SLES.
Antonio has promptly prepared a solution, submitted in https://build.opensuse.org/request/show/1156005. Thank you Antonio for the excellent and quick work.
Fix submitted in https://build.opensuse.org/request/show/1156276