Flatpak issue after system-upgrade to F36

Quick question, has anyone else experienced problems with flatpak update after system-upgrade to f36 beta?

Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Warning: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Warning: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Error: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Error: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Error: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Warning: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Warning: Failed to get revokefs-fuse socket from system-helper: User flatpak does not exist in password file entry
Error: Can't open system repo default: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): Permission denied
Updates complete.

In F35 and all previous releases I was able to flatpak install and flatpak update without using sudo.

/etc/passwd has the following entry (equal to another F36 VM where I am not experiencing this issue)

....
flatpak:x:985:982:User for flatpak system helper:/:/sbin/nologin
....

ls -laZ /var/lib/flatpak/repo shows:

total 36
drwxr-xr-x.   7 root root system_u:object_r:var_lib_t:s0 4096 Mar 28 22:16 ./
drwxr-xr-x.   9 root root system_u:object_r:var_lib_t:s0 4096 Mar 17 23:45 ../
-rw-r--r--.   1 root root system_u:object_r:var_lib_t:s0  626 Sep 14  2021 config
drwxr-xr-x.   2 root root system_u:object_r:var_lib_t:s0 4096 Aug 17  2021 extensions/
-rw-r--r--.   1 root root system_u:object_r:var_lib_t:s0 2888 Sep 14  2021 flathub.trustedkeys.gpg
-rw-r-----.   1 root root system_u:object_r:var_lib_t:s0    0 Sep 14  2021 .lock
drwxr-xr-x. 258 root root system_u:object_r:var_lib_t:s0 4096 Sep 14  2021 objects/
drwxr-xr-x.   5 root root system_u:object_r:var_lib_t:s0 4096 Aug 17  2021 refs/
drwxr-xr-x.   2 root root system_u:object_r:var_lib_t:s0 4096 Mar 28 22:16 state/
drwxr-xr-x.   3 root root system_u:object_r:var_lib_t:s0 4096 Mar 28 22:16 tmp/

Reinstalling the flatpak package didn’t help either. Any ideas?

I had a different error yesterday, but maybe it was due to no disk space left.
I did a lot of cleaning (including old flatpak packages) and today the update works.

Sorry, the problem was with rpm-ostree update actually, as it needs at least 3% disk space left while I’m at 1% (4.5 GB).

I guess SELinux is the issue here.
It has been reported as BZ #2070350, BZ #2053631, and BZ #2070739.

SELinux is preventing flatpak-system- from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that flatpak-system- should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'flatpak-system-' --raw | audit2allow -M my-flatpaksystem
# semodule -X 300 -i my-flatpaksystem.pp

Additional Information:
Source Context                system_u:system_r:flatpak_helper_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        flatpak-system-
Source Path                   flatpak-system-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           setup-2.13.9.1-3.fc36.noarch
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              flatpak-selinux-1.12.7-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fedora 5.17.0-300.fc36.x86_64 #1 SMP PREEMPT
                              Wed Mar 23 22:00:40 UTC 2022 x86_64 x86_64
Alert Count                   22
First Seen                    2022-03-31 19:34:29 CEST
Last Seen                     2022-03-31 19:41:49 CEST
Local ID                      fc946152-35fc-4a45-a3cb-7bf5907a69a3

Raw Audit Messages
type=AVC msg=audit(1648748509.54:891): avc:  denied  { read } for  pid=3734 comm="pool-/usr/libex" name="passwd" dev="dm-1" ino=2884699 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: flatpak-system-,flatpak_helper_t,passwd_file_t,file,read

There was a bunch of subsequent selinux-policy errors, which I didn’t manage to fix by creating local policy modules unfortunately.

List of bugs reported: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&component=flatpak&component=selinux-policy&f0=OP&f1=OP&f10=OP&f11=product&f12=component&f13=keywords&f14=alias&f15=short_desc&f16=status_whiteboard&f17=CP&f18=CP&f2=product&f3=component&f4=alias&f5=short_desc&f6=status_whiteboard&f7=CP&f8=CP&f9=OP&j1=OR&j10=OR&list_id=12527638&o11=substring&o12=substring&o13=substring&o14=substring&o15=substring&o16=substring&o2=substring&o3=substring&o4=substring&o5=substring&o6=substring&product=Fedora&query_format=advanced&short_desc=flatpak%20selinux&short_desc_type=allwordssubstr&v11=selinux&v12=selinux&v13=selinux&v14=selinux&v15=selinux&v16=selinux&v2=flatpak&v3=flatpak&v4=flatpak&v5=flatpak&v6=flatpak

This is likely related to a recent discussion about boot failures after an update that was selinux related. I have posted to that discussion but unfortunately at the moment I cannot find it.

In any case the command sudo restorecon -vR / should relabel everything and may fix the selinux errors you are seeing.

I did that command and had a lot of flatpak files/packages relabeled on 3 different systems.

I have proposed that bug as a blocker bug for F36 Final

https://bugzilla.redhat.com/show_bug.cgi?id=2070764

https://qa.fedoraproject.org/blockerbugs/milestone/36/final/buglist

restorecon didn’t fix it.