After the flatpak update from 1.8.2 to 1.10.0 (together with its selinux policy: flatpak-selinux), selinux denials flood like crazy. Worse, the selinux dbus daemon process setroubleshootd runs at 100% CPU usage per thread (so happy that it is not multi-threaded! However, it cooperates with a SetroubleshootPrivileged process, so it counts as two threads running at 100%).
There seems to be a bugzilla report for it at https://bugzilla.redhat.com/show_bug.cgi?id=1916652
I already tried downgrading the flatpak package, and flatpak 1.8.2 (together with flatpak-selinux 1.8.2) does not trigger so many selinux denials. But the flatpak update to 1.10 fixes a CVE: https://github.com/flatpak/flatpak/releases/tag/1.10.0, so it's not a good choice.
For now I have to disable selinux troubleshooting daemon so that it does not drain my poor battery:
systemctl mask system-dbus\\x2d:1.11\\x2dorg.fedoraproject.Setroubleshootd.slice
This bug is (although not a real, deliberate attack) in effect no different from a local Denial of Service (DoS) attack. gnome-shell keeps visiting, selinux keeps denying and setroubleshootd keeps figuring out what happened; it all adds up to my laptop fan running constantly and terrible battery life.
Turns out Setroubleshootd is not as simple as a systemd service; it's a system dbus service, so the systemctl mask above does not work.
How can I completely stop Setroubleshootd from running? For now I have to manually send SIGSTOP to it (which of course doesn't 'stop' it, it just halts the process).
Hi @wseran, can you please give us the package versions for flatpak, selinux etc.? I'm not seeing the issue here (or I haven't noticed it yet).
dnf
package?
flatpak-1.10.0-1.fc33.x86_64
flatpak-selinux-0:1.10.0-1.fc33.noarch
Hrm, same here:
$ rpm -qa \*flatpak\*
flatpak-selinux-1.10.0-1.fc33.noarch
flatpak-session-helper-1.10.0-1.fc33.x86_64
flatpak-1.10.0-1.fc33.x86_64
flatpak-libs-1.10.0-1.fc33.x86_64
Odd. Can you get a few lines from the journal to show us what these messages are?
Also, what flatpaks are you using? Perhaps it’s related to a specific Flatpak? If it’s a known bug then you’ll probably need to either wait for a fix, or use a workaround if one is available.
If it’s the same message each time, in your selinux troubleshooter UI, you should be able to ignore the notification, and maybe that’ll reduce the logging. Another rather extreme measure of course is to temporarily set selinux to permissive—but I wouldn’t recommend this unless absolutely necessary.
journal logs:
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.FontManager.service" dev="dm-0" ino=1347360 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.Devhelp.service" dev="dm-0" ino=1379035 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.design.Palette.service" dev="dm-0" ino=1379704 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="com.uploadedlobster.peek.service" dev="dm-0" ino=1389867 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="ca.desrt.dconf-editor.service" dev="dm-0" ino=1726312 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
selinux troubleshoot gui:
It doesn’t seem that it’s related to one specific flatpak:
SELinux is preventing dbus-daemon from read access on the lnk_file org.libreoffice.LibreOffice.writer.desktop.
***** 插件 catchall_labels (83.8 置信度) 建议 *************************************
如果你想允许 dbus-daemon有 read 访问 org.libreoffice.LibreOffice.writer.desktop $TARGET_类
Then 必须更改 org.libreoffice.LibreOffice.writer.desktop 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.libreoffice.LibreOffice.writer.desktop'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.libreoffice.LibreOffice.writer.desktop'
***** 插件 catchall (17.1 置信度) 建议 ********************************************
如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.libreoffice.LibreOffice.writer.desktop lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:#ausearch -c'dbus-daemon'--raw | audit2allow -M my-dbusdaemon#semodule -X 300 -i my-dbusdaemon.pp
更多信息:
源环境 (Context) system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境 system_u:object_r:var_lib_t:s0
目标对象 org.libreoffice.LibreOffice.writer.desktop [ lnk_file ]
源 dbus-daemon
源路径 dbus-daemon
端口 <未知>
主机 willy-fedora
源 RPM 软件包
目标 RPM 软件包
SELinux 策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用 True
策略类型 targeted
强制模式 Enforcing
主机名 willy-fedora
平台 Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数 2016
第一个 2021-01-18 01:02:20 CST
最后一个 2021-01-20 14:38:31 CST
本地 ID 42af4b7a-b480-458b-9b4c-6108eb507c29
原始核查信息
type=AVC msg=audit(1611124711.251:768): avc: denied { read } for pid=2516 comm="gnome-shell" name="org.libreoffice.LibreOffice.writer.desktop" dev="dm-0" ino=1555709 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read
SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.FontManager.service.
***** 插件 catchall_labels (83.8 置信度) 建议 *************************************
如果你想允许 dbus-daemon有 read 访问 org.gnome.FontManager.service $TARGET_类
Then 必须更改 org.gnome.FontManager.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.FontManager.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.FontManager.service'
***** 插件 catchall (17.1 置信度) 建议 ********************************************
如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.FontManager.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:#ausearch -c'dbus-daemon'--raw | audit2allow -M my-dbusdaemon#semodule -X 300 -i my-dbusdaemon.pp
更多信息:
源环境 (Context) system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境 system_u:object_r:var_lib_t:s0
目标对象 org.gnome.FontManager.service [ lnk_file ]
源 dbus-daemon
源路径 dbus-daemon
端口 <未知>
主机 willy-fedora
源 RPM 软件包
目标 RPM 软件包
SELinux 策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用 True
策略类型 targeted
强制模式 Enforcing
主机名 willy-fedora
平台 Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数 2060
第一个 2021-01-18 01:02:20 CST
最后一个 2021-01-20 14:38:31 CST
本地 ID 42af4b7a-b480-458b-9b4c-6108eb507c29
原始核查信息
type=AVC msg=audit(1611124711.591:822): avc: denied { read } for pid=2474 comm="dbus-daemon" name="org.gnome.FontManager.service" dev="dm-0" ino=1347360 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read
SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.Builder.service.
***** 插件 catchall_labels (83.8 置信度) 建议 *************************************
如果你想允许 dbus-daemon有 read 访问 org.gnome.Builder.service $TARGET_类
Then 必须更改 org.gnome.Builder.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.Builder.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.Builder.service'
***** 插件 catchall (17.1 置信度) 建议 ********************************************
如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.Builder.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:#ausearch -c'dbus-daemon'--raw | audit2allow -M my-dbusdaemon#semodule -X 300 -i my-dbusdaemon.pp
更多信息:
源环境 (Context) system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境 system_u:object_r:var_lib_t:s0
目标对象 org.gnome.Builder.service [ lnk_file ]
源 dbus-daemon
源路径 dbus-daemon
端口 <未知>
主机 willy-fedora
源 RPM 软件包
目标 RPM 软件包
SELinux 策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用 True
策略类型 targeted
强制模式 Enforcing
主机名 willy-fedora
平台 Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数 2
第一个 2021-01-20 14:38:32 CST
最后一个 2021-01-20 14:38:32 CST
本地 ID b2f9b6b8-6289-4213-b2fd-05d391b67f4d
原始核查信息
type=AVC msg=audit(1611124712.93:938): avc: denied { read } for pid=2474 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read
SELinux is preventing dbus-daemon from read access on the lnk_file org.gnome.Cheese.service.
***** 插件 catchall_labels (83.8 置信度) 建议 *************************************
如果你想允许 dbus-daemon有 read 访问 org.gnome.Cheese.service $TARGET_类
Then 必须更改 org.gnome.Cheese.service 中的标签
Do
# semanage fcontext -a -t FILE_TYPE 'org.gnome.Cheese.service'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_cache_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, antivirus_conf_t, asterisk_etc_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, config_usr_t, conntrackd_conf_t, container_config_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devlog_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fetchmail_etc_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_root_t, hostname_etc_t, httpd_config_t, hwdata_t, ibacm_conf_t, icc_data_home_t, innd_etc_t, irc_conf_t, irssi_etc_t, kdump_etc_t, kmscon_conf_t, krb5_conf_t, krb5kdc_conf_t, l2tp_conf_t, ld_so_t, lib_t, likewise_etc_t, lircd_etc_t, locale_t, lvm_etc_t, machineid_t, man_cache_t, man_t, mcelog_etc_t, mdadm_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_etc_t, mplayer_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pam_var_console_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postfix_postdrop_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, psad_etc_t, ptal_etc_t, puppet_etc_t, 
qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, root_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rsync_etc_t, samba_etc_t, sanlock_conf_t, security_t, selinux_config_t, selinux_login_config_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, system_dbusd_var_lib_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, textrel_shlib_t, tftpd_etc_t, tmp_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lock_t, var_run_t, var_t, varnishd_etc_t, virt_etc_t, virt_var_lib_t, virtlogd_etc_t, vmware_sys_conf_t, webalizer_etc_t, xdm_etc_t, xdm_log_t, xdm_rw_etc_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xserver_etc_t, xserver_log_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t。
然后执行:
restorecon -v 'org.gnome.Cheese.service'
***** 插件 catchall (17.1 置信度) 建议 ********************************************
如果你相信 dbus-daemon应该允许_BASE_PATH read 访问 org.gnome.Cheese.service lnk_file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:#ausearch -c'dbus-daemon'--raw | audit2allow -M my-dbusdaemon#semodule -X 300 -i my-dbusdaemon.pp
更多信息:
源环境 (Context) system_u:system_r:xdm_t:s0-s0:c0.c1023
目标环境 system_u:object_r:var_lib_t:s0
目标对象 org.gnome.Cheese.service [ lnk_file ]
源 dbus-daemon
源路径 dbus-daemon
端口 <未知>
主机 willy-fedora
源 RPM 软件包
目标 RPM 软件包
SELinux 策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
本地策略 RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux 已启用 True
策略类型 targeted
强制模式 Enforcing
主机名 willy-fedora
平台 Linux willy-fedora 5.10.7-200.fc33.x86_64 #1 SMP
Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64
警报计数 12
第一个 2021-01-20 14:38:32 CST
最后一个 2021-01-20 14:38:32 CST
本地 ID b2f9b6b8-6289-4213-b2fd-05d391b67f4d
原始核查信息
type=AVC msg=audit(1611124712.100:948): avc: denied { read } for pid=2474 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: dbus-daemon,xdm_t,var_lib_t,lnk_file,read
Quite confusing, @wseran, could you please teach your terminal to speak English:
https://discussion.fedoraproject.org/t/how-to-make-my-terminal-speak-english/75251
Regards,
@FranciscoD
Odd. Can you get a few lines from the journal to show us what these messages are?
Also, what flatpaks are you using? Perhaps it’s related to a specific Flatpak? If it’s a known bug then you’ll probably need to either wait for a fix, or use a workaround if one is available.
Looking at the log messages above (just a tiny part of the flood, I only pasted a few samples), this is not specific to any particular flatpak.
If it’s the same message each time, in your selinux troubleshooter UI, you should be able to ignore the notification, and maybe that’ll reduce the logging. Another rather extreme measure of course is to temporarily set selinux to permissive—but I wouldn’t recommend this unless absolutely necessary.
Setting sudo setenforce 0 does not stop setroubleshootd from running. It just makes SELinux not deny programs, but it still logs and tracks what happened. Also, what bugs me is the background setroubleshootd eating my CPU, because unlike the GUI notification, I cannot easily stop it from running.
LANG=C journalctl -b does not make selinux log in English. In fact, it always logs in my local language, even in the terminal.
Raw audit messages are always in English, however.
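As an added example (not code from this thread, flatpak or setroubleshoot), this Python groups raw AVC records, which stay in English whatever the locale, by the same comm, source type, target type, class and permission tuple that setroubleshoot prints on its Hash: line. The sample input is constructed from the lines quoted above; aggregating them shows the flood collapsing to a few keys that differ only in which exported object was hit, which is what "not specific to any particular flatpak" looks like in the data.

```python
"""Aggregate SELinux AVC denials the way setroubleshoot keys them.

Added example, not code from the thread or from setroubleshoot. It parses
raw AVC records (always English, independent of locale) and groups them by
the tuple on setroubleshoot's "Hash:" line:
    comm, source type, target type, object class, permission
"""
import re
from collections import Counter, defaultdict

# Constructed sample input, shaped after the journal lines quoted in the
# thread, plus one raw type=AVC record and one non-AVC setroubleshoot line.
SAMPLE_AUDIT_LINES = """\
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27281]: AVC avc: denied { map } for pid=27281 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=1775771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.Cheese.service" dev="dm-0" ino=1319999 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.FontManager.service" dev="dm-0" ino=1347360 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
1月 20 20:44:34 willy-fedora audit[27257]: AVC avc: denied { read } for pid=27257 comm="dbus-daemon" name="org.gnome.Builder.service" dev="dm-0" ino=1389091 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1611124711.251:768): avc: denied { read } for pid=2516 comm="gnome-shell" name="org.libreoffice.LibreOffice.writer.desktop" dev="dm-0" ino=1555709 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Jan 22 23:54:46 localhost.localdomain setroubleshoot[896]: failed to retrieve rpm info for /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()   # a record may list several permissions
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the field policy rules are written against)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def denial_key(rec, perm):
    """Same tuple setroubleshoot prints on its 'Hash:' line."""
    return ",".join([
        rec.get("comm", "?"),
        context_type(rec.get("scontext", "?")),
        context_type(rec.get("tcontext", "?")),
        rec.get("tclass", "?"),
        perm,
    ])


def summarize(lines):
    """Count denials per key and collect the distinct objects each key touched."""
    counts = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = rec.get("path") or rec.get("name") or "?"
        for perm in rec["perms"]:
            key = denial_key(rec, perm)
            counts[key] += 1
            targets[key].add(obj)
    return counts, targets


if __name__ == "__main__":
    counts, targets = summarize(SAMPLE_AUDIT_LINES.splitlines())
    for key, n in counts.most_common():
        print(f"{n:5d}  {key}  ({len(targets[key])} distinct objects)")
```

Every key in the sample shares xdm_t as source and var_lib_t as target type, so one missing rule (or one mislabelled tree) accounts for the whole flood; a genuinely per-app problem would show up as keys that differ in comm or target type.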
Yeh—are all of these flatpaks? Builder, Font manager, Libre Office?
When you do have the time, perhaps a relabel would be worth trying. That may sort some of these out.
Another workaround worth trying, if you're the sole user of the system, could be to install flatpaks as user flatpaks instead of system flatpaks (run all flatpak commands with --user so it does all its work in your home directory and doesn't touch any system directories).
If it really is an issue with the selinux policy for flatpaks, there's unfortunately no solution but to wait for a fix to be released. You could generate policies for all these in the meantime—the selinux troubleshooter will tell you how to do that—and then when an updated selinux policy is released, you install that and run a relabel.
I'm having the same problem. When I run journalctl -f, I see:
Jan 22 23:54:46 localhost.localdomain setroubleshoot[896]: failed to retrieve rpm info for /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service
Jan 22 23:54:50 localhost.localdomain setroubleshoot[896]: SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service. For complete SELinux messages run: sealert -l 87d78921-c097-4d0d-9012-193e14be1114
Jan 22 23:54:50 localhost.localdomain setroubleshoot[896]: SELinux is preventing dbus-daemon from read access on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.Chess.service.
Same for other flatpak apps.
I think this issue is being tracked over in https://bugzilla.redhat.com/show_bug.cgi?id=1916652
I copy here a potential (I did not try it) workaround:
quick local workaround, do
chcon -R -t usr_t /var/lib/flatpak/exports/
from the corresponding Flatpak issue: SELinux alerts · Issue #4128 · flatpak/flatpak · GitHub
I’m having the same problem. I don’t understand selinux policies. What should I do now?