Gnome Workstation 9: flatpak and gnome software selinux issue

Hi, when I run “flatpak install ” or any other flatpak command that requires polkit I get:

Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer.

This happens even with users in wheel group.
If I run flatpak with sudo there is no such problem.
Installing flatpaks with gnome software also fails.

I have no experience with how polkit works on rhel distros, but on Fedora users outside of wheel group get password prompt for authorization by wheel user, that’s the setup I need.

It’s not a pressing issue by any means, any help is appreciated :slight_smile:

Ok, so I have tried disabling selinux and now the prompt works properly. O.o

After running:

ausearch -c '(m-helper)' --raw | audit2allow -M my-mhelper
and
semodule -X 300 -i my-mhelper.pp

as setroubleshoot recommended, the issue is gone. (I guess, there are still a lot of AVC denials and the software center doesn’t quite seem to work for flatpaks)

Edit: disabling selinux on boot fixes the software center, not an ideal solution obviously

Edit 2:
Solution:
Running fixfiles -F onboot (as root or with sudo) and rebooting seems to fix the issue entirely, so I guess it was purely a mislabeling issue. While I think this is a proper solution I will leave this open, as I don’t think this step should be necessary. So I’ll wait if anyone more knowledgeable can chime in as to why this is.

I thought the whole point of Flatpak was that you could install things without needing root access, but reading the site just now, it implies that they want to install “system wide” by default. If that means “as root”, this sounds like a security nightmare.

It would help to know the exact file locations that selinux didn’t like.

I’m not sure if Flatpak software is supported by RH.

I see flatpak as more of a “one platform to target” and safer in terms of not messing with system packages and having their own dependencies yet still sharing dependencies with each other. The installing “as root” thing (the way I understand it) is handled by polkit, therefore it’s not the same as just running flatpak with sudo, since users themselves are not doing any privilege escalation. (adding “remotes” or repositories to flatpak still requires root access or sudo, so users can’t install literally everything they want system-wide).

Anyway back to the problem:
I have followed the redhat docs on selinux (chapter 5.2) and produced the following log https://0x0.st/o3Ts.txt (I hope paste like this is fine here). Is this what you meant by exact file locations?
Note: This is with trying to use flatpak update, the sealerts around gnome software might be different and I will rerun it with gnome software if needed. Also this is all on clean install, and every test I run from the same snapshot, I am able to reproduce this on 2 separate clean installs.

Flatpak comes preinstalled by default with rocky workstation, don’t know if it’s the same case with RHEL workstation as I have never used it, but judging by this quote I assume it does too.

In this article, I offer an overview of Flatpak, its integration with Red Hat Enterprise Linux (RHEL) 8.2, and what developers can expect from the new Red Hat Enterprise Linux Flatpak runtime.

Edit: Source: Introducing the Red Hat Flatpak runtime for desktop containers | Red Hat Developer

The selinux messages don’t look like Flatpak to me, are you sure they were not there already? The article link in the color’d box, just looks like generic RHEL9, I can’t see anything about Flatpak.

Regarding Gnome software, I don’t think it’s expected to work. You have to use the packages in the official repos instead.

I have added the source of the quote, I initially forgot to.

The aforementioned RedHat docs recommend clearing the setroubleshoot cache, so I did that. One of the entries even has name="flatpak-system-helper", I don’t know about the other one, I would have to retest if it’s also triggered by the flatpak update. But all that isn’t the problem, it’s pointing to the problem of:

Some files, at least around flatpak, being mislabeled by SELinux (or not labeled at all) during install.
Running fixfiles -F onboot and rebooting (also from the RedHat docs) fixes the labeling and makes flatpak work without AVC denials.

So my question now is:
Why are some files mislabeled or not labeled during install (I have not at any point disabled SELinux manually)? Secondly, should I file this as a bug somewhere?

Edit:
If you look at the flatpak-system-helper in the log, it has tcontext=unconfined_u:object_r:unlabeled_t:s0, this does mean it’s unlabeled right? AFAIK this should not happen if you don’t disable SELinux at some point.