Flatpak update to 1.10 causes setroubleshootd to take lots of cpu usage

After the flatpak update from 1.8.2 to 1.10.0 (together with its selinux policy: flatpak-selinux), selinux denials flood like crazy. Worse, the selinux dbus daemon process setroubleshootd runs at 100% cpu usage per thread (so happy that it is not multi-threaded! However, it cooperates with a SetroubleshootPrivileged process, so it counts as two 100% running threads).
There seems to be a bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=1916652
I already tried downgrading the flatpak package, and flatpak 1.8.2 (together with flatpak-selinux 1.8.2) does not trigger so many selinux denials. But the flatpak update to 1.10 fixes a CVE: https://github.com/flatpak/flatpak/releases/tag/1.10.0, so it's not a good choice.
For now I have to disable selinux troubleshooting daemon so that it does not drain my poor battery:
systemctl mask system-dbus\\x2d:1.11\\x2dorg.fedoraproject.Setroubleshootd.slice
This bug is (although not a real, deliberate attack), in effect, no different from a local Denial of Service (DoS) attack. gnome-shell keeps visiting, selinux keeps denying and setroubleshootd keeps figuring out what happened; all of it sums up to my laptop fan running constantly and terrible battery time.

2 Likes

Turns out Setroubleshootd is not as simple as a systemd service; it’s a system dbus, so the systemctl mask above does not work.

How can I disable Setroubleshootd from running completely? I have to manually send -SIGSTOP to it for now (and of course that doesn’t ‘stop’ it, just halts the process).

Hi @wseran , can you please give us the package versions for flatpak, selinux etc.? I’m not seeing the issue here (or I haven’t noticed it yet).

dnf package?

flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-0:1.10.0-1.fc33.noarch
1 Like

Hrm, same here:

$ rpm -qa \*flatpak\*
flatpak-selinux-1.10.0-1.fc33.noarch
flatpak-session-helper-1.10.0-1.fc33.x86_64
flatpak-1.10.0-1.fc33.x86_64
flatpak-libs-1.10.0-1.fc33.x86_64

Odd. Can you get a few lines from the journal to show us what these messages are?

Also, what flatpaks are you using? Perhaps it’s related to a specific Flatpak? If it’s a known bug then you’ll probably need to either wait for a fix, or use a workaround if one is available.

If it’s the same message each time, in your selinux troubleshooter UI, you should be able to ignore the notification, and maybe that’ll reduce the logging. Another rather extreme measure of course is to temporarily set selinux to permissive—but I wouldn’t recommend this unless absolutely necessary.

journal logs:

1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.FontManager.service" dev="dm-0" ino=1347360 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.Devhelp.service" dev="dm-0" ino=1379035 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.design.Palette.service" dev="dm-0" ino=1379704 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="com.uploadedlobster.peek.service" dev="dm-0" ino=1389867 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="ca.desrt.dconf-editor.service" dev="dm-0" ino=1726312 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

selinux troubleshoot gui:
It doesn’t seem that it’s related to one specific flatpak:

SELinux is preventing dbus-daemon from read access on the lnk_file org.libreoffice.LibreOffice.writer.desktop.

*****  插件 catchall_labels (83.8 置信度) 建议  *************************************

如果你想允许 dbus-daemon有 read 访问 org.libreoffice.LibreOffice.writer.desktop $TARGET_类
Then 必须更改 org.libreoffice.LibreOffice.writer.desktop 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.libreoffice.LibreOffice.writer.desktop'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.libreoffice.LibreOffice.writer.desktop'


*****  插件 catchall (17.1 置信度) 建议  ********************************************

如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.libreoffice.LibreOffice.writer.desktop lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

更多信息:
源环境 (Context)                 system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境                          system_u:object_r:var_lib_t:s0
目标对象                          org.libreoffice.LibreOffice.writer.desktop [
                              lnk_file ]
源                             dbus-daemon
源路径                           dbus-daemon
端口                            <未知>
主机                            willy-fedora
源 RPM 软件包                     
目标 RPM 软件包                    
SELinux 策略 RPM                selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM                      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           willy-fedora
平台                            Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
                              Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数                          2016
第一个                           2021-01-18 01:02:20 CST
最后一个                          2021-01-20 14:38:31 CST
本地 ID                         42af4b7a-b480-458b-9b4c-6108eb507c29

原始核查信息
type=AVC msg=audit(1611124711.251:768): avc:  denied  { read } for  pid=2516 comm="gnome-shell" name="org.libreoffice.LibreOffice.writer.desktop" dev="dm-0" ino=1555709 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read
SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.FontManager.service.

*****  插件 catchall_labels (83.8 置信度) 建议  *************************************

如果你想允许 dbus-daemon有 read 访问 org.gnome.FontManager.service $TARGET_类
Then 必须更改 org.gnome.FontManager.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.FontManager.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.FontManager.service'


*****  插件 catchall (17.1 置信度) 建议  ********************************************

如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.FontManager.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

更多信息:
源环境 (Context)                 system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境                          system_u:object_r:var_lib_t:s0
目标对象                          org.gnome.FontManager.service [ lnk_file ]
源                             dbus-daemon
源路径                           dbus-daemon
端口                            <未知>
主机                            willy-fedora
源 RPM 软件包                     
目标 RPM 软件包                    
SELinux 策略 RPM                selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM                      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           willy-fedora
平台                            Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
                              Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数                          2060
第一个                           2021-01-18 01:02:20 CST
最后一个                          2021-01-20 14:38:31 CST
本地 ID                         42af4b7a-b480-458b-9b4c-6108eb507c29

原始核查信息
type=AVC msg=audit(1611124711.591:822): avc:  denied  { read } for  pid=2474 comm="dbus-daemon" name="org.gnome.FontManager.service" dev="dm-0" ino=1347360 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read

SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.Builder.service.

*****  插件 catchall_labels (83.8 置信度) 建议  *************************************

如果你想允许 dbus-daemon有 read 访问 org.gnome.Builder.service $TARGET_类
Then 必须更改 org.gnome.Builder.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.Builder.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.Builder.service'


*****  插件 catchall (17.1 置信度) 建议  ********************************************

如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.Builder.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

更多信息:
源环境 (Context)                 system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境                          system_u:object_r:var_lib_t:s0
目标对象                          org.gnome.Builder.service [ lnk_file ]
源                             dbus-daemon
源路径                           dbus-daemon
端口                            <未知>
主机                            willy-fedora
源 RPM 软件包                     
目标 RPM 软件包                    
SELinux 策略 RPM                selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM                      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           willy-fedora
平台                            Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
                              Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数                          2
第一个                           2021-01-20 14:38:32 CST
最后一个                          2021-01-20 14:38:32 CST
本地 ID                         b2f9b6b8-6289-4213-b2fd-05d391b67f4d

原始核查信息
type=AVC msg=audit(1611124712.93:938): avc:  denied  { read } for  pid=2474 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read


SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.Cheese.service.

*****  插件 catchall_labels (83.8 置信度) 建议  *************************************

如果你想允许 dbus-daemon有 read 访问 org.gnome.Cheese.service $TARGET_类
Then 必须更改 org.gnome.Cheese.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.Cheese.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.Cheese.service'


*****  插件 catchall (17.1 置信度) 建议  ********************************************

如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.Cheese.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

更多信息:
源环境 (Context)                 system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境                          system_u:object_r:var_lib_t:s0
目标对象                          org.gnome.Cheese.service [ lnk_file ]
源                             dbus-daemon
源路径                           dbus-daemon
端口                            <未知>
主机                            willy-fedora
源 RPM 软件包                     
目标 RPM 软件包                    
SELinux 策略 RPM                selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM                      selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           willy-fedora
平台                            Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
                              Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数                          12
第一个                           2021-01-20 14:38:32 CST
最后一个                          2021-01-20 14:38:32 CST
本地 ID                         b2f9b6b8-6289-4213-b2fd-05d391b67f4d

原始核查信息
type=AVC msg=audit(1611124712.100:948): avc:  denied  { read } for  pid=2474 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read

1 Like

Quite confusing, @wseran, could you please teach your terminal to speak english:

Regards,

1 Like

@FranciscoD

Odd. Can you get a few lines from the journal to show us what these messages are?

Also, what flatpaks are you using? Perhaps it’s related to a specific Flatpak? If it’s a known bug then you’ll probably need to either wait for a fix, or use a workaround if one is available.

Looking at the log messages above (just a tiny sample from the flood; I only pasted a few), this is not specific to any particular flatpak.

If it’s the same message each time, in your selinux troubleshooter UI, you should be able to ignore the notification, and maybe that’ll reduce the logging. Another rather extreme measure of course is to temporarily set selinux to permissive—but I wouldn’t recommend this unless absolutely necessary.

Setting sudo setenforce=0 does not stop setroubleshootd from running. It just makes SELinux not deny programs, but it still logs and tracks what happened. Also, what bugs me is the background setroubleshootd running out my cpu, because unlike the gui notification, I cannot easily stop it from running.

1 Like
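With alert counts in the thousands, the useful first step on a flood like this is to aggregate the raw AVC lines by (permission, process, source type, target type, object class) instead of reading them one at a time: when every tuple shares the same target type, it is one labelling problem under /var/lib/flatpak/exports, not one bug per flatpak. The script below is an added example, not code from this thread, from flatpak or from setroubleshoot; the SAMPLE_AVC lines are constructed to mirror the journal output quoted above (pids, inodes and hostname are made up), and on a real machine you would pipe `journalctl -b` or `ausearch -m avc --raw` into the same functions.

```shell
#!/bin/sh
# Added example: reduce a flood of SELinux AVC denials to the distinct
# (perm, comm, source type, target type, class) tuples and count each one.
# Only lines containing "avc: denied" are considered; everything else
# (setroubleshoot summaries, unrelated journal lines) is ignored.

# Constructed sample modelled on the journal lines quoted in the thread.
SAMPLE_AVC='Jan 20 20:44:34 host audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jan 20 20:44:34 host audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Jan 20 20:44:34 host audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jan 20 20:44:34 host audit[27257]: AVC avc:  denied  { read } for  pid=27257 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Jan 20 20:44:34 host audit[27281]: AVC avc:  denied  { map } for  pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jan 20 20:44:35 host setroubleshoot[896]: SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.Builder.service.'

# summarize_avc: read AVC lines on stdin, print one line per distinct tuple as
# "COUNT perm comm source_type target_type tclass", most frequent first.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], p, ":"); stype = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); ttype = p[3] }
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        count[perm " " comm " " stype " " ttype " " tclass]++
    }
    END { for (k in count) print count[k] " " k }
    ' | sort -rn
}

# target_types: print each distinct target (object) type seen in the denials.
# A single type across every denial means one relabel or one policy fix
# covers all of them, whatever flatpak the individual file belongs to.
target_types() {
    awk '
    /avc: +denied/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^tcontext=/) {
            split($i, kv, "="); split(kv[2], p, ":"); seen[p[3]] = 1
        }
    }
    END { for (t in seen) print t }
    ' | sort
}

# Stand-alone demo on the constructed sample; on a live system use
#   journalctl -b | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | target_types
```

On the constructed sample the summary is two lines, `3 map gnome-shell xdm_t var_lib_t file` and `2 read dbus-daemon xdm_t var_lib_t lnk_file`, and the only target type is `var_lib_t`. That is the shape to look for before reaching for audit2allow: a single wrong target type on a whole directory tree is a labelling issue to fix with the file context (restorecon, or the chcon workaround from the flatpak issue until the policy ships), whereas several unrelated target types would point at a genuine policy gap.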

LANG=C journalctl -b does not make selinux log in english. In fact, it always logs in my local language, even in the terminal.
Raw audit messages are always in english, however.

2 Likes

Yeh—are all of these flatpaks? Builder, Font manager, Libre Office?

When you do have the time, perhaps a relabel would be worth trying. That may sort some of these out.

Another workaround worth trying, if you’re the sole user of the system, could be to install flatpaks as user flatpaks instead of system flatpaks (run all flatpak commands with --user so it does all its work in your home directory and doesn’t touch any system directories).

If it really is an issue with the selinux policy for flatpaks, there’s unfortunately no solution but to wait for a fix to be released. You could generate policies for all these in the meantime—the selinux troubleshooter will tell you how to do that—and then when an updated selinux policy is released, you install that and run a relabel.

I’m having the same problem. When I run journalctl -f, I see:

Jan 22 23:54:46 localhost.localdomain setroubleshoot[896]: failed to retrieve rpm info for /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service
Jan 22 23:54:50 localhost.localdomain setroubleshoot[896]: SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service. For complete SELinux messages run: sealert -l 87d78921-c097-4d0d-9012-193e14be1114
Jan 22 23:54:50 localhost.localdomain setroubleshoot[896]: SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service.

Same for other flatpak apps.

I think this issue is being tracked over in https://bugzilla.redhat.com/show_bug.cgi?id=1916652

1 Like

I copy here a potential (I did not try it) workaround:

quick local workaround, do chcon -R -t usr_t /var/lib/flatpak/exports/

from the corresponding Flatpak issue: SELinux alerts · Issue #4128 · flatpak/flatpak · GitHub

I’m having the same problem. I don’t understand selinux policies. What should I do now?