
run0 flatpak install from admin spits out d-bus issues #2531

Open
boredsquirrel opened this issue Jan 21, 2025 · 1 comment

boredsquirrel commented Jan 21, 2025

My setup:

  • main user, not in wheel, unconfined
  • a user in SELinux context sysadm_u and in wheel group

The flatpak polkit rule allows all users in wheel to install and remove packages without a password prompt. I try this

run0 -u sysadm-confined flatpak install com.belmoussaoui.Authenticator

I get this SELinux warning and it fails

SELinux hindert dbus-broker-lau daran, mit read-Zugriff auf lnk_file com.nextcloudgmbh.Nextcloud.service zuzugreifen.

*****  Plugin catchall_labels (83.8 Wahrscheinlichkeit) schlägt vor    *******

Wenn Sie erlauben wollen, dass dbus-broker-lau  read Zugriff auf com.nextcloudgmbh.Nextcloud.service lnk_file
Dann sie müssen das Label auf com.nextcloudgmbh.Nextcloud.service ändern
Ausführen
# semanage fcontext -a -t FILE_TYPE 'com.nextcloudgmbh.Nextcloud.service'
wobei FILE_TYPE einer der folgenen Werte ist: admin_home_t, bin_t, boot_t, cache_home_t, cert_t, cgroup_memory_pressure_t, cgroup_t, config_home_t, config_usr_t, data_home_t, dbus_home_t, dbusd_etc_t, device_t, devlog_t, etc_runtime_t, etc_t, file_context_t, fonts_cache_t, fonts_t, gconf_home_t, gkeyringd_gnome_home_t, gnome_home_t, gstreamer_home_t, home_root_t, icc_data_home_t, init_var_run_t, ld_so_t, lib_t, locale_t, man_cache_t, man_t, net_conf_t, proc_t, root_t, rpm_script_tmp_t, security_t, selinux_config_t, shell_exec_t, src_t, sssd_var_lib_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_userdbd_runtime_t, textrel_shlib_t, tmp_t, user_home_dir_t, usr_t, var_run_t, var_t, virt_var_lib_t, virtinterfaced_t, virtnetworkd_t, virtnodedevd_t, virtnwfilterd_t, virtproxyd_t, virtqemud_t, virtsecretd_t, virtstoraged_t, virtvboxd_t, virtvzd_t, virtxend_t. 
Führen Sie danach Folgendes aus: 
restorecon -v 'com.nextcloudgmbh.Nextcloud.service'


*****  Plugin catchall (17.1 Wahrscheinlichkeit) schlägt vor    **************

Wenn Sie denken, dass es dbus-broker-lau standardmäßig erlaubt sein sollte, read Zugriff auf com.nextcloudgmbh.Nextcloud.service lnk_file zu erhalten.
Dann sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Ausführen
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'dbus-broker-lau' --raw | audit2allow -M my-dbusbrokerlau
# semodule -X 300 -i my-dbusbrokerlau.pp

zusätzliche Information:
Quellkontext                  sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
Zielkontext                   unconfined_u:object_r:var_lib_t:s0
Zielobjekte                   com.nextcloudgmbh.Nextcloud.service [ lnk_file ]
Quelle                        dbus-broker-lau
Quellpfad                     dbus-broker-lau
Port                          <Unbekannt>
Host                          PC
RPM-Pakete der Quelle         
RPM-Pakete des Ziels          
SELinux Policy RPM            selinux-policy-targeted-41.28-1.fc41.noarch
Local Policy RPM              
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   PC
Plattform                     Linux PC 6.12.9-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jan  9 16:05:40 UTC 2025
                              x86_64
Anzahl der Alarme             6
Zuerst gesehen                2025-01-21 19:40:04 CET
Zuletzt gesehen               2025-01-21 19:40:04 CET
Lokale ID                     8953ddfa-1d50-40d4-a63c-5353f2c17dec

Raw-Audit-Meldungen
type=AVC msg=audit(1737484804.668:1629): avc:  denied  { read } for  pid=360666 comm="dbus-broker-lau" name="com.nextcloudgmbh.Nextcloud.service" dev="dm-0" ino=3932115 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-broker-lau,sysadm_dbusd_t,var_lib_t,lnk_file,read

There are multiple such messages. It seems that flatpak is not at all compatible with this, but it is mission critical to securely install and uninstall packages, while having a non-wheel main user?

The install doesn't fail, it works.
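As an added triage example (not code from this issue, from flatpak or from the Fedora SELinux policy project): a small Python parser for raw AVC audit lines of the kind quoted above. It extracts the source and target types, object class and permissions, groups denials the way setroubleshoot's `Hash:` line does, and renders the `allow` rule a catchall-style local module would need, so the breadth of that rule can be reviewed before anything is loaded. The first sample line is the one from the report; the remaining lines are constructed variants for illustration, and the `org.example.Other.service` name and the `services` directory name are made up.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the raw audit message from the issue,
# lines 2-4 are constructed variants (the extra service name and the dir
# name are made up), the last line is a non-AVC record the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1737484804.668:1629): avc:  denied  { read } for  pid=360666 comm="dbus-broker-lau" name="com.nextcloudgmbh.Nextcloud.service" dev="dm-0" ino=3932115 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1737484804.670:1630): avc:  denied  { read } for  pid=360666 comm="dbus-broker-lau" name="org.example.Other.service" dev="dm-0" ino=3932116 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1737484805.001:1631): avc:  denied  { getattr } for  pid=360666 comm="dbus-broker-lau" name="services" dev="dm-0" ino=12 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1737484805.001:1631): arch=c000003e syscall=257 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, decision, and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm, name, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the security-relevant fields of one AVC line, or None
    if the line is not an AVC record (SYSCALL, PATH, ... are ignored)."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']),
        'comm': fields.get('comm'),
        'name': fields.get('name') or fields.get('path'),
        # user:role:type:level -> the type is what policy rules are written on
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def denial_signature(avc):
    """Same shape as the 'Hash:' line setroubleshoot prints:
    comm, source type, target type, object class, permissions."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass'], *avc['perms']])


def summarize(audit_text):
    """Count denials per signature so repeated messages collapse to one entry."""
    counts = Counter()
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and avc['decision'] == 'denied':
            counts[denial_signature(avc)] += 1
    return counts


def allow_rules(counts):
    """Render the TE allow rules a catchall-style local module would contain
    (the shape audit2allow emits). Note the scope: a rule on var_lib_t grants
    sysadm_dbusd_t access to every var_lib_t object of that class, not only
    the exported D-Bus service files, which is why relabelling the specific
    files (the catchall_labels suggestion) is the narrower fix."""
    by_key = {}
    for sig in counts:
        _comm, stype, ttype, tclass, *perms = sig.split(',')
        by_key.setdefault((stype, ttype, tclass), set()).update(perms)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in by_key.items()
    )


if __name__ == '__main__':
    counts = summarize(SAMPLE_AUDIT)
    for sig, n in counts.most_common():
        print(f'{n:3d}  {sig}')
    print('\n'.join(allow_rules(counts)))
```

Run it as-is to see the two collapsed signatures and the two allow rules they imply; to use it on a real host, feed it the output of `ausearch -m AVC --raw` instead of `SAMPLE_AUDIT`. The point of printing the rules rather than loading them is that the grouping by type pair makes it obvious how much an `audit2allow`-generated module would open up.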

@boredsquirrel boredsquirrel changed the title run0 flatpak install from admin user fails run0 flatpak install from admin spits out d-bus issues Jan 21, 2025
Author

I suppose this is not a Fedora SELinux policy issue but a flatpak one?
