Request summary

I ran into an issue when I install Anki on Fedora 35. I could mitigate the issue with a workarround. I suggest that developers implement the workaround if they’d like. The impact is small, so developers can take their time.

Issue

Anki seems to be installed with inappropriate owners and SELinux labels.

setroubleshoot program generates the some error syslogs intermittently.
Since the logs are so long, it is attached at the bottom of this post.

Steps to reproduce

1. Download Anki from https://apps.ankiweb.net/.
2. Execute the following command to install Anki as written in Install & Upgrade - Anki Manual.

tar xjf Downloads/anki-2.1.49-linux.tar.bz2
cd anki-2.1.49-linux
sudo ./install.sh

3. You can verify that ownership and labels are inappropreate with following commands, which shows the owner is not root and the type is user_home_t. They should be root and usr_t.

ls -lZ /usr/local/share/man/man1/anki.1 
# -rw-r--r--. 1 myuser mygroup unconfined_u:object_r:user_home_t:s0 2212 Oct 26 12:24 /usr/local/share/man/man1/anki.1

4. Some days later, reboot the system, auditd.service starts, and error logs are generated.

Impact

Almost nothing. I just see errors from setroubleshoot less than once a month. I can still use Anki normally.

Reason

Installation files might be downloaded and decompressed by non-root users. If the download directory is under /home, then SELinux labels it with user_home_t. After that users execute sudo ./install.sh to install Anki.
The script installs necessary files using cp and mv command with following options.

• cp -av, which preserves all including ownership and SELinux contexts
• mv, which preserves all

Finally files are generated with non-root owners and user_home_t labels.
They are both inappropreate in terms of security and SELinux compatibility.

Workaround

• cp command should not preserve ownership and contexts.
• mv command should not preserve contexts.

So edit install.sh like following:

# cp -av * "$PREFIX"/share/anki/
cp -av --no-preserve=owner,context * "$PREFIX"/share/anki/

# mv anki.xpm anki.png "$PREFIX"/share/pixmaps/;\
# mv anki.desktop "$PREFIX"/share/applications/;\
# mv anki.1 "$PREFIX"/share/man/man1/)
mv -Z anki.xpm anki.png "$PREFIX"/share/pixmaps/;\
mv -Z anki.desktop "$PREFIX"/share/applications/;\
mv -Z anki.1 "$PREFIX"/share/man/man1/)

Then sudo ./install.sh again.
Now verify that ownership and SELinux contexts are configured correctly.

ls -lZ /usr/local/share/man/man1/anki.1 
-rw-r--r--. 1 root root unconfined_u:object_r:usr_t:s0 2212 Oct 26 12:24 /usr/local/share/man/man1/anki.1

If the default install.sh is updated like above, I guess that’d be great to SELinux users.

*) Users just can execute /sbin/restorecon -v /usr/local/share/man/man1/anki.1 to mitigate errors, but that’s not enough.

My environment

Anki 2.1.49 (dc80804a) Python 3.8.1 Qt 5.15.1 PyQt 5.15.1
Platform: Linux
Flags: frz=True ao=True sv=2
Add-ons, last update check: 2021-11-21 16:45:00

Fedora 35, with system-wide Python 3.10

Error logs

The error logs can be confirmed with journalctl command, or /var/log/messages.

Nov 21 17:29:44 hostname setroubleshoot[11309]: AnalyzeThread.run(): Cancel pending alarm
Nov 21 17:29:44 hostname setroubleshoot[11309]: failed to retrieve rpm info for /usr/local/share/man/man1/anki.1
Nov 21 17:29:44 hostname systemd[1]: Created slice Slice /system/dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged.
Nov 21 17:29:44 hostname systemd[1]: Started dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged@0.service.
Nov 21 17:29:44 hostname audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 21 17:29:45 hostname setroubleshoot[11309]: SELinux is preventing mandb from read access on the file /usr/local/share/man/man1/anki.1. For complete SELinux messages run: sealert -l 5fe15040-2828-45d4-9e8c-ba8ef5781937
Nov 21 17:29:45 hostname setroubleshoot[11309]: SELinux is preventing mandb from read access on the file /usr/local/share/man/man1/anki.1.
                                          
                                          *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                          
                                          If you want to fix the label. 
                                          /usr/local/share/man/man1/anki.1 default label should be usr_t.
                                          Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                          Do
                                          # /sbin/restorecon -v /usr/local/share/man/man1/anki.1
                                          
                                          *****  Plugin catchall (1.49 confidence) suggests   **************************
                                          
                                          If you believe that mandb should be allowed read access on the anki.1 file by default.
                                          Then you should report this as a bug.
                                          You can generate a local policy module to allow this access.
                                          Do
                                          allow this access for now by executing:
                                          # ausearch -c 'mandb' --raw | audit2allow -M my-mandb
                                          # semodule -X 300 -i my-mandb.pp
                                          
Nov 21 17:29:45 hostname setroubleshoot[11309]: AnalyzeThread.run(): Set alarm timeout to 10

Thanks for the detailed report, I will look into making these changes for the next update.

Thank you so much for your prompt and kind reply! I’m looking forward to the future release.