safing / portmaster-packaging

Portmaster packages and installers
GNU General Public License v3.0

Can't install on fedora silverblue #56

Open JeremiahSecrist opened 2 years ago

JeremiahSecrist commented 2 years ago

Pre-Submit Checklist:

What happened: Program failed to install. After installing the prerequisites needed for Portmaster and rebooting, I downloaded the rpm and ran rpm-ostree install /path/to/rpm. During the installation it failed, giving the following error. I understand Silverblue is more of an edge-case scenario. That being said, I'm willing to help test in any way possible.

What did you expect to happen?: The program to install properly.

How did you reproduce it?: Simply by downloading and installing into fedora silver-blue

Debug Information: error: Running %post for portmaster: bwrap(/bin/sh): Child process killed by signal 1; run journalctl -t 'rpm-ostree(portmaster.post)' for more information

Portmaster.log

dhaavi commented 2 years ago

Hey @arouzing, thanks for reporting this.

I think the problem is this line: chcon: failed to change context of '/opt/safing/portmaster/portmaster-start'

I believe this is similar, possibly a duplicate of https://github.com/safing/portmaster/issues/465.

We will look into this. Internally tracked with CC#2168.

JeremiahSecrist commented 2 years ago

Thanks! Silverblue works a bit differently than normal Fedora. It may require slightly different packaging in order to get it to work. If you would like, I could link you to the information and limitations of packaging for Fedora Silverblue.

dhaavi commented 2 years ago

I see. Yes, a couple references would definitely be nice.

JeremiahSecrist commented 2 years ago

https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/ Here in the FAQ is a section mentioning issues when installing into opt or local. It points to here. If you need a tester for installing onto Silverblue, I'd be happy to test packages, as I would love to use Portmaster on this machine!

JeremiahSecrist commented 2 years ago

As silver blue is mostly immutable, most areas cannot have dynamic data stored in them. The areas where mutable information is stored are located here

dhaavi commented 2 years ago

Thanks for the pointers!

> silver blue is mostly immutable

Ah, yes. That would be a problem. But /opt seems to be linked to /var/opt now, so maybe this isn't a problem after all.

JeremiahSecrist commented 2 years ago

> chcon: failed to change context of '/opt/safing/portmaster/portmaster-start'

Does port-master make changes to /opt over time (I think you answered this before)? Do you think it would be possible to have the package detect silverblue and change directories? The github issue I linked before only works for chrome currently.

dhaavi commented 2 years ago

> Does port-master make changes to /opt over time

Yes. All data is there: config, databases, updates, logs.

> Do you think it would be possible to have the package detect silverblue and change directories?

Maybe. Does silverblue have a special system for this in place? Eg. to query if silverblue is there and ways to interact?

But if /opt is really linked to /var/opt, then this shouldn't be a problem, should it?

JeremiahSecrist commented 2 years ago

> Yes. All data is there: config, databases, updates, logs.

I'll have to look around more and see how different projects accomplish this on Fedora and still work with Silverblue.

> But if /opt is really linked to /var/opt, then this shouldn't be a problem, should it?

It should with the current workaround in place, but something seems off with the current configuration that the patch can't handle. I did some testing on my system and found some packages that accomplished patching into /var/opt with no issue.

I am asking around for some guidelines to see if I can help further! I do have some packages that I have used that store in opt and work, let me link them here: Tabby vagrant

other information: https://www.pathname.com/fhs/pub/fhs-2.3.pdf

Thanks so much for taking the time to read all this I know you guys are busy!

dhaavi commented 2 years ago

I've looked into Tabby and Vagrant a bit and it seems they don't do automatic updates, which I think is causing the trouble here.

Another app I know does automatic updates and installs to /opt, is Google Chrome. Don't know if they have support for Silverblue.

> https://www.pathname.com/fhs/pub/fhs-2.3.pdf

This is interesting. I haven't encountered such a detailed description yet.

I can say that we do not fully follow the definitions laid out here. Well, except if Silverblue really just links /opt to /var/opt - then we should be ok.

Can you find out how exactly Silverblue handles /opt and /var/opt?

> Thanks so much for taking the time to read all this I know you guys are busy!

Thanks for the appreciation. It's always nice when someone understands.

JeremiahSecrist commented 2 years ago

I think I found a potential fix to the issue. It might be worth trying on a Fedora Silverblue VM. Change the paths and install the compiled rpm with rpm-ostree install custom-package.rpm

The solution may not even apply in this situation. Maybe I'll see if I can find someone working on the silverblue team to take a look at this project and give some guidance?

I noticed they have a community section where you could reach out: https://discussion.fedoraproject.org/tag/silverblue

JayDoubleu commented 2 years ago

This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20

chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported

Removing lines mentioned above makes it install with rpm-ostree just fine.

I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:

if command -V getenforce >/dev/null 2>&1; then
    semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
    restorecon -v /opt/safing/portmaster/portmaster-start
fi

cjao commented 2 years ago

> Thanks for the pointers!
>
> > silver blue is mostly immutable
>
> Ah, yes. That would be a problem. But /opt seems to be linked to /var/opt now, so maybe this isn't a problem after all.

While /opt is ordinarily linked to /var/opt, rpm-ostree install actually redirects files in /opt to /usr/lib/opt. This is because rpm-ostree expects all system code tracked by rpm to live under /usr and reserves /opt strictly for programs with custom (non-rpm) installers.

JeremiahSecrist commented 2 years ago

> This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20
>
> chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported
>
> Removing lines mentioned above makes it install with rpm-ostree just fine.
>
> I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:
>
> if command -V getenforce >/dev/null 2>&1; then
>     semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
>     restorecon -v /opt/safing/portmaster/portmaster-start
> fi

Would it be alright if I ask how you modified the rpm? Did you recompile or just modify the rpm? If the latter, how did you go about that. Thanks in advance!

JayDoubleu commented 2 years ago

> > This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20
> >
> > chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported
> >
> > Removing lines mentioned above makes it install with rpm-ostree just fine.
> >
> > I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:
> >
> > if command -V getenforce >/dev/null 2>&1; then
> >     semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
> >     restorecon -v /opt/safing/portmaster/portmaster-start
> > fi
>
> Would it be alright if I ask how you modified the rpm? Did you recompile or just modify the rpm? If the latter, how did you go about that. Thanks in advance!

@arouzing I cloned this repo, modified the mentioned lines and ran the make rpm command. Before that would work I had to install a bunch of weird golang deps, as it looks like this RPM is being built by some lazy do it all magical go app.

FROM fedora:35
RUN dnf -y install '@Development tools'

RUN mkdir /tmp/build
RUN git clone https://github.com/JayDoubleu/portmaster-packaging.git /tmp/build

WORKDIR /tmp/build/linux

RUN dnf -y install ImageMagick

# gomplate is fetched as a prebuilt binary; no checksum is verified here
ADD https://github.com/hairyhenderson/gomplate/releases/download/v3.10.0/gomplate_linux-amd64 /usr/bin/gomplate
RUN chmod +x /usr/bin/gomplate

# GoReleaser yum repo (provides nfpm); gpgcheck=0 turns off package signature verification for it
# The section header is quoted so the shell cannot treat [goreleaser] as a glob pattern
RUN echo '[goreleaser]' > /etc/yum.repos.d/goreleaser.repo
RUN echo name=GoReleaser >> /etc/yum.repos.d/goreleaser.repo
RUN echo baseurl=https://repo.goreleaser.com/yum/ >> /etc/yum.repos.d/goreleaser.repo
RUN echo enabled=1 >> /etc/yum.repos.d/goreleaser.repo
RUN echo gpgcheck=0 >> /etc/yum.repos.d/goreleaser.repo

RUN dnf -y install nfpm

RUN make rpm

Add above to Containerfile

then run podman build -t portmaster . It will build you an rpm. Then you can extract it from container with : podman run -it -v $(pwd):/tmp/pwd:Z portmaster cp dist/portmaster-0.7.0~2.x86_64.rpm /tmp/pwd

You will end up with portmaster-0.7.0~2.x86_64.rpm in your current working directory. Then just simply install it with rpm-ostree install portmaster-0.7.0~2.x86_64.rpm

JeremiahSecrist commented 2 years ago

@JayDoubleu thank you very much!

JeremiahSecrist commented 2 years ago

After a successful install and a reboot, it is however unable to startup. The desktop file is misconfigured, since it is trying to write data on startup. /opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster (is the default command for portmaster.desktop) changing it to /var/opt does not seem to be the solution either. Error log

JayDoubleu commented 2 years ago

> After a successful install and a reboot, it is however unable to startup. The desktop file is misconfigured, since it is trying to write data on startup. /opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster (is the default command for portmaster.desktop) changing it to /var/opt does not seem to be the solution either. Error log

I would try getting fedora workstation in gnome boxes and see if it works at all in fedora.

Perks of being an early adopter for alpha software ;)

JeremiahSecrist commented 2 years ago

> Perks of being an early adopter for alpha software ;)

It certainly is. I came across this project and really want to see it work on silver blue. A worthy price to pay.

I have a vm up and running, let me give it a shot. edit: I know un-modded portmaster works just fine on fedora workstation.

JayDoubleu commented 2 years ago

I also noticed this :

Feb 06 00:27:26  rpm-ostree(portmaster.post)[12328]: portmaster: Failed to download modules
Feb 06 00:27:26  rpm-ostree(portmaster.post)[12328]: portmaster: Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n

So you could try running sudo /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update

JeremiahSecrist commented 2 years ago

That was attempted:

220205 19:29:58.159 ▶ BOF
220205 19:29:58.310 r/updating:099 ▶ WARN 001 updates: failed to save updated index stable.json: open /opt/safing/portmaster/updates/stable.json: permission denied
220205 19:29:58.310 r/updating:102 ▶ INFO 003 updates: updated index stable.json
220205 19:29:58.456 r/updating:092 ▶ WARN 004 updates: failed to ensure directory for updated index all/intel/intel.json: could not create dir /opt/safing/portmaster/updates/all: mkdir /opt/safing/portmaster/updates/all: permission denied
220205 19:29:58.456 r/updating:099 ▶ WARN 006 updates: failed to save updated index all/intel/intel.json: open /opt/safing/portmaster/updates/all/intel/intel.json: no such file or directory
220205 19:29:58.456 r/updating:102 ▶ INFO 008 updates: updated index all/intel/intel.json
220205 19:29:58.456 r/updating:144 ▶ INFO 009 updates: starting to download 12 updates
220205 19:30:03.457 r/updating:155 ▶ WARN 010 updates: failed to download all/ui/modules/assets.zip version 0.2.4: could not create updates folder: /opt/safing/portmaster/updates/all/ui/modules

JayDoubleu commented 2 years ago

Did you run it with sudo ?

JeremiahSecrist commented 2 years ago

I forgot sudo!! (I feel a bit stupid.) That being said, it does seem to hang at this phase, I'll let it set for a bit.

JeremiahSecrist commented 2 years ago

Currently hanging here:

220205 19:32:23.319 ▶ BOF
220205 19:32:23.448 r/updating:102 ▶ INFO 001 updates: updated index stable.json
220205 19:32:23.582 r/updating:102 ▶ INFO 002 updates: updated index all/intel/intel.json
220205 19:32:23.582 r/updating:144 ▶ INFO 003 updates: starting to download 12 updates

JeremiahSecrist commented 2 years ago

Update: workstation vm behaves almost the same way. Seems it may have been broken during compile or I / we are using the unstable branch during compile time? did you fork from master or https://github.com/safing/portmaster-packaging/releases/tag/v0.7.0 ?

JayDoubleu commented 2 years ago

Looks like it installs into read only part of system safing -> /usr/lib/opt/safing

JayDoubleu commented 2 years ago

> Update: workstation vm behaves almost the same way. Seems it may have been broken during compile or I / we are using the unstable branch during compile time? did you fork from master or https://github.com/safing/portmaster-packaging/releases/tag/v0.7.0 ?

master

JeremiahSecrist commented 2 years ago

Would it be possible to revert your fork back to that release? Or shall I make a new fork from that release?

JayDoubleu commented 2 years ago

I've just rebased it to 0.7.0

JeremiahSecrist commented 2 years ago

Awesome, I'll recompile and see how it goes.

JayDoubleu commented 2 years ago

I don't think that's the issue here.

I moved it from /usr/lib/opt to /var/opt and looks like it's launching ok.

[jaydoubleu@thinkXPS updates]$ sudo /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update
[sudo] password for jaydoubleu: 
220206 00:48:53.250 ▶ BOF
220206 00:48:53.282 r/updating:102 ▶ INFO 001 updates: updated index stable.json
220206 00:48:53.313 r/updating:102 ▶ INFO 002 updates: updated index all/intel/intel.json
220206 00:48:53.313 r/updating:144 ▶ INFO 003 updates: starting to download 12 updates
220206 00:48:55.142 ater/fetch:073 ▶ INFO 004 updates: fetched https://updates.safing.io/linux_amd64/core/portmaster-core_v0-7-18 (stored to /opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v0-7-18)
220206 00:49:08.130 ater/fetch:073 ▶ INFO 005 updates: fetched https://updates.safing.io/linux_amd64/app/portmaster-app_v0-2-2.zip (stored to /opt/safing/portmaster/updates/linux_amd64/app/portmaster-app_v0-2-2.zip)
220206 00:49:08.217 ater/fetch:073 ▶ INFO 006 updates: fetched https://updates.safing.io/all/intel/lists/urgent_v20220205-20-0.dsdl (stored to /opt/safing/portmaster/updates/all/intel/lists/urgent_v20220205-20-0.dsdl)
220206 00:49:09.546 ater/fetch:073 ▶ INFO 007 updates: fetched https://updates.safing.io/linux_amd64/notifier/portmaster-notifier_v0-2-3 (stored to /opt/safing/portmaster/updates/linux_amd64/notifier/portmaster-notifier_v0-2-3)
220206 00:49:11.910 ater/fetch:073 ▶ INFO 008 updates: fetched https://updates.safing.io/linux_amd64/start/portmaster-start_v0-7-0 (stored to /opt/safing/portmaster/updates/linux_amd64/start/portmaster-start_v0-7-0)
220206 00:49:11.993 ater/fetch:073 ▶ INFO 009 updates: fetched https://updates.safing.io/all/intel/lists/intermediate_v20220205-23-0.dsdl (stored to /opt/safing/portmaster/updates/all/intel/lists/intermediate_v20220205-23-0.dsdl)
220206 00:49:12.026 ater/fetch:073 ▶ INFO 010 updates: fetched https://updates.safing.io/all/intel/lists/index_v2022-2-3.dsd (stored to /opt/safing/portmaster/updates/all/intel/lists/index_v2022-2-3.dsd)
220206 00:49:19.227 ater/fetch:073 ▶ INFO 011 updates: fetched https://updates.safing.io/all/intel/geoip/geoipv6_v20210929-18-58.mmdb.gz (stored to /opt/safing/portmaster/updates/all/intel/geoip/geoipv6_v20210929-18-58.mmdb.gz)
220206 00:49:22.066 ater/fetch:073 ▶ INFO 012 updates: fetched https://updates.safing.io/all/intel/geoip/geoipv4_v20210929-18-58.mmdb.gz (stored to /opt/safing/portmaster/updates/all/intel/geoip/geoipv4_v20210929-18-58.mmdb.gz)
220206 00:49:22.454 ater/fetch:073 ▶ INFO 013 updates: fetched https://updates.safing.io/all/ui/modules/assets_v0-2-4.zip (stored to /opt/safing/portmaster/updates/all/ui/modules/assets_v0-2-4.zip)
220206 00:49:22.545 ater/fetch:073 ▶ INFO 014 updates: fetched https://updates.safing.io/all/ui/modules/portmaster_v0-1-24.zip (stored to /opt/safing/portmaster/updates/all/ui/modules/portmaster_v0-1-24.zip)
220206 00:49:23.555 ater/fetch:073 ▶ INFO 015 updates: fetched https://updates.safing.io/all/intel/lists/base_v20220131-23-0.dsdl (stored to /opt/safing/portmaster/updates/all/intel/lists/base_v20220131-23-0.dsdl)
220206 00:49:23.555 r/updating:158 ▶ INFO 016 updates: finished downloading updates
220206 00:49:23.555 r/resource:256 ▶ TRAC 017 updater: selected version 0.3.18 for resource linux_amd64/hub/spn-hub
220206 00:49:23.555 r/resource:256 ▶ TRAC 018 updater: selected version 1.0.11 for resource windows_amd64/kext/portmaster-kext.sys
220206 00:49:23.555 r/resource:256 ▶ TRAC 019 updater: selected version 0.7.18 for resource darwin_amd64/core/portmaster-core
220206 00:49:23.555 r/resource:256 ▶ TRAC 020 updater: selected version 0.7.0 for resource linux_amd64/packages/portmaster-installer.deb
220206 00:49:23.555 r/resource:256 ▶ TRAC 021 updater: selected version 0.7.0 for resource darwin_amd64/start/portmaster-start
220206 00:49:23.555 r/resource:256 ▶ TRAC 022 updater: selected version 20220131.23.0 for resource all/intel/lists/base.dsdl
220206 00:49:23.555 r/resource:256 ▶ TRAC 023 updater: selected version 0.1.11 for resource all/ui/modules/console.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 024 updater: selected version 0.7.18 for resource linux_amd64/core/portmaster-core
220206 00:49:23.555 r/resource:256 ▶ TRAC 025 updater: selected version 0.3.18 for resource windows_amd64/hub/spn-hub.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 026 updater: selected version 0.0.5 for resource all/spn/bootstrap.dsd
220206 00:49:23.555 r/resource:256 ▶ TRAC 027 updater: selected version 0.6.0 for resource windows_amd64/notifier/portmaster-snoretoast.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 028 updater: selected version 0.7.0 for resource windows_amd64/packages/portmaster-installer.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 029 updater: selected version 0.1.8 for resource all/ui/modules/settings.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 030 updater: selected version 0.2.2 for resource linux_amd64/app/portmaster-app.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 031 updater: selected version 1.0.11 for resource windows_amd64/kext/portmaster-kext.dll
220206 00:49:23.555 r/resource:256 ▶ TRAC 032 updater: selected version 20220205.20.0 for resource all/intel/lists/urgent.dsdl
220206 00:49:23.555 r/resource:256 ▶ TRAC 033 updater: selected version 20220113.8.47 for resource all/intel/spn/main-intel.json
220206 00:49:23.555 r/resource:256 ▶ TRAC 034 updater: selected version 20211214.14.13 for resource all/intel/portmaster/notifications.json
220206 00:49:23.555 r/resource:256 ▶ TRAC 035 updater: selected version 0.2.2 for resource windows_amd64/app/portmaster-app.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 036 updater: selected version 0.7.0 for resource linux_amd64/packages/portmaster-installer.rpm
220206 00:49:23.555 r/resource:256 ▶ TRAC 037 updater: selected version 1.0.11 for resource windows_amd64/kext/portmaster-kext.pdb
220206 00:49:23.555 r/resource:256 ▶ TRAC 038 updater: selected version 0.2.3 for resource linux_amd64/notifier/portmaster-notifier
220206 00:49:23.555 r/resource:256 ▶ TRAC 039 updater: selected version 0.7.0 for resource windows_amd64/start/portmaster-start.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 040 updater: selected version 0.2.11 for resource all/ui/modules/base.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 041 updater: selected version 20220113.13.47 for resource all/intel/portmaster/notifications.yaml
220206 00:49:23.555 r/resource:256 ▶ TRAC 042 updater: selected version 0.7.0 for resource linux_amd64/start/portmaster-start
220206 00:49:23.555 r/resource:256 ▶ TRAC 043 updater: selected version 0.3.18 for resource darwin_amd64/hub/spn-hub
220206 00:49:23.555 r/resource:256 ▶ TRAC 044 updater: selected version 20220205.23.0 for resource all/intel/lists/intermediate.dsdl
220206 00:49:23.555 r/resource:256 ▶ TRAC 045 updater: selected version 2022.2.3 for resource all/intel/lists/index.dsd
220206 00:49:23.555 r/resource:256 ▶ TRAC 046 updater: selected version 20210929.18.58 for resource all/intel/geoip/geoipv6.mmdb.gz
220206 00:49:23.555 r/resource:256 ▶ TRAC 047 updater: selected version 0.1.7 for resource all/ui/modules/profilemgr.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 048 updater: selected version 0.7.18 for resource windows_amd64/core/portmaster-core.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 049 updater: selected version 0.2.3 for resource windows_amd64/notifier/portmaster-notifier.exe
220206 00:49:23.555 r/resource:256 ▶ TRAC 050 updater: selected version 20220127.9.46 for resource all/intel/spn/main-intel.yaml
220206 00:49:23.555 r/resource:256 ▶ TRAC 051 updater: selected version 20210929.18.58 for resource all/intel/geoip/geoipv4.mmdb.gz
220206 00:49:23.555 r/resource:256 ▶ TRAC 052 updater: selected version 0.2.4 for resource all/ui/modules/assets.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 053 updater: selected version 0.2.4 for resource all/ui/modules/monitor.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 054 updater: selected version 0.1.24 for resource all/ui/modules/portmaster.zip
220206 00:49:23.555 r/resource:256 ▶ TRAC 055 updater: selected version 20220111.16.57 for resource all/intel/spn/main-intel.dsd
220206 00:49:24.582 /unpacking:142 ▶ INFO 056 updates: unpacked linux_amd64/app/portmaster-app_v0-2-2.zip
220206 00:49:24.582 r/electron:036 ▶ DEBU 057 updates: kernel support for unprivileged USERNS_CLONE disabled
220206 00:49:24.582 dater/file:060 ▶ DEBU 058 updater: setting active version of resource linux_amd64/app/portmaster-app.zip from <nil> to 0.2.2
220206 00:49:24.582 r/electron:051 ▶ INFO 059 updates: fixed SUID permission for chrome-sandbox
220206 00:49:24.592 ◀ EOF

Well, at least it's trying.

It's getting blocked by selinux

JeremiahSecrist commented 2 years ago

Progress!!! Now to figure out the SELinux issue, right?

JayDoubleu commented 2 years ago

I did restorecon on it + changed the portmaster-start label with chcon as well. It looks like it was launching but the GUI couldn't connect to it, looks like it was denying itself from accessing it lol.

I'll try to build only without rpm out of curiosity to see if that makes it any better

JeremiahSecrist commented 2 years ago

Is the Portmaster service actually running? I noticed it was disabled even though it is in the post install script to enable it.

JayDoubleu commented 2 years ago

yeah GUI starts running the service properly when you move it to proper /opt

JayDoubleu commented 2 years ago

TBH you might have better luck just extracting the deb file from release and sticking it to your /var/opt.

Just did that and looks like it's working fine

JeremiahSecrist commented 2 years ago

> TBH you might have better luck just extracting the deb file from release and sticking it to your /var/opt.
>
> Just did that and looks like it's working fine

I could be wrong but how would that work on silverblue?

JayDoubleu commented 2 years ago

It's just a binary file. Makefile included in this repo just builds the same binary to deb and rpm. deb files can be extracted using archive manager so you could just play with it that way.

But probably best solution here would be waiting for at least beta version of this software.

JayDoubleu commented 2 years ago

And if you desperately need software like this I can highly recommend opensnitch. Works on silverblue without any modifications and it's based on eBPF

JeremiahSecrist commented 2 years ago

Understood, thanks for the work you have done though! Hopefully this may shed some light for them on how to package this in the future.

dhaavi commented 2 years ago

Hey @arouzing and @JayDoubleu, thanks for all the effort here!

I think there are two issues here (please correct me):

> I'm not sure if chcon should be in postinstall.

Do rpms have a way to set SELinux context instead? Don't know where else we should put that.

> looks like this RPM is being built by some lazy do it all magical go app.

Yes, our experience has been much smoother since we switched.

I'm also assigning this to @ppacher, as he is much more versed in this space than I am.

JeremiahSecrist commented 2 years ago

> We have already been thinking about creating a plain scripted installer, so you could just install to /opt in this case, without going through the package manager. What do you think about that?

This won't exactly be a solution. System modifications should be done with rpms if the package can't run as a flatpak or toolbox.

From what @JayDoubleu mentioned the installer from what he could compile put it in the wrong directory via the rpm. If the selinux is fixed (which was with his suggested edit) and the install directory is fixed it may just work out of the box for silverblue, minus requiring manually starting services.

Run down of issues: Install location is incorrect with current rpm packaging causing it to break. Selinux needs to be adjusted.

Feel free to correct my statements @JayDoubleu

CheariX commented 1 year ago

I just found this issue since I had experienced the same problem (cf. https://github.com/fedora-silverblue/issue-tracker/issues/317). According to that issue, the problem seems to be related to the non standard packaging tool (nfpm)

Since you did a deep investigation of the RPM and the installation process, I thought this could be useful to find a solution.

travier commented 1 year ago

Another option would be to change https://github.com/safing/portmaster-packaging/blob/master/linux/templates/snippets/post-install.sh#L18 to check for the presence of /run/ostree-booted (indicates an rpm-ostree managed system) and change the path for the chcon / skip it.
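
One way to implement the /run/ostree-booted check suggested above, as an added example (not the project's post-install.sh): it skips chcon on rpm-ostree systems, reports the /usr/lib/opt location cjao describes, and never lets a labelling failure abort the scriptlet. The function names and the overridable OSTREE_MARKER and PM_START variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: SELinux labelling step for a post-install scriptlet that
# tolerates rpm-ostree systems. Not the project's own post-install.sh.

# Both paths can be overridden from the environment so the logic can be
# exercised without root (an assumption of this example).
OSTREE_MARKER="${OSTREE_MARKER:-/run/ostree-booted}"
PM_START="${PM_START:-/opt/safing/portmaster/portmaster-start}"

# /run/ostree-booted indicates an rpm-ostree managed system (per the thread).
is_ostree_system() {
    [ -e "$OSTREE_MARKER" ]
}

# True when the SELinux tooling is present and SELinux is not disabled.
selinux_active() {
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" != "Disabled" ]
}

# Where the packaged file really lives. Per the thread, rpm-ostree install
# redirects files under /opt to /usr/lib/opt.
payload_path() {
    if is_ostree_system; then
        case "$PM_START" in
            /opt/*) printf '%s\n' "/usr/lib$PM_START"; return 0 ;;
        esac
    fi
    printf '%s\n' "$PM_START"
}

# Decide what the labelling step should do; prints exactly one keyword.
label_plan() {
    if ! selinux_active; then
        echo "skip-no-selinux"
    elif is_ostree_system; then
        # chcon reported "Operation not supported" during the rpm-ostree
        # install in this thread, so it is not attempted here.
        echo "skip-ostree"
    else
        echo "chcon"
    fi
}

# Run the step. Always returns 0 so that a labelling problem is logged
# instead of failing the whole package installation.
run_label_step() {
    plan="$(label_plan)"
    case "$plan" in
        chcon)
            if ! chcon -t bin_t "$PM_START"; then
                echo "portmaster: could not label $PM_START, continuing" >&2
            fi
            ;;
        skip-ostree)
            echo "portmaster: rpm-ostree system, chcon skipped (payload at $(payload_path))" >&2
            ;;
        *)
            echo "portmaster: SELinux not active, nothing to label" >&2
            ;;
    esac
    return 0
}

run_label_step
```

On a layered install the skipped label still has to come from somewhere; the semanage fcontext and restorecon approach posted earlier in the thread is one candidate to try once the system has booted into the new deployment.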

S7venLights commented 1 year ago

Flatpak is suggested in Fedora

But I tried to install the RPM on Fedora Silverblue today by opening the rpm file in Software and it succeeded in layering the package and networkmanager is installed. But opening the app does nothing and after setting the SE Linux policy this is what error I get:

portmaster.service - Portmaster by Safing
    Loaded: loaded (/usr/lib/systemd/system/portmaster.service; disabled; vendor preset: disabled)
    Active: activating (auto-restart) (Result: exit-code) since Wed 2022-11-02 16:42:03 EET; 8s ago
    Docs: https://safing.io https://docs.safing.io
    Process: 21224 ExecStart=/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster core -- $PORTMASTER_ARGS (code=exited, status=1/FAILURE)
    Process: 21271 ExecStopPost=/opt/safing/portmaster/portmaster-start recover-iptables (code=exited, status=1/FAILURE)
    Main PID: 21224 (code=exited, status=1/FAILURE)
    CPU: 186ms

Outside variables: I have FirewallD installed and this was in X11 windowing, not Wayland.

Pryka commented 1 year ago

Everything is working fine if one installs Portmaster manually in home dir. I'm currently running it on Silverblue that way without issues.

And to avoid SELinux problems just do sudo chcon -t bin_t /path/to/portmaster-start

S7venLights commented 1 year ago

Really! How does one go about this manual home dir install?

Pryka commented 1 year ago

> Really! How does one go about this manual home dir install?

Just follow the official guide - https://docs.safing.io/portmaster/install/linux#manual-install-and-launching and change all directories in commands to some folder in your home dir instead of /opt/

Also remove sudo from command lines, it's needed only for SELinux sudo chcon -t bin_t in case of home install + for creating systemd service.

If you want autostart via systemd you need to create portmaster.service according to the manual install guide and change dirs to your new home location.

The point is, that you only need to alter dir paths to point your location instead of /opt

I have everything in here: /var/home/pryka/Portmaster. All works fine for 2 days now.

S7venLights commented 1 year ago

Okay thanks so much, I got it working but there are some problems to mention:

  1. The download was very slow and the only way to check that it was still going was to watch the folder size until it stopped increasing.

  2. I had to stop nextdns cli to avoid issues.

  3. Had some errors running sudo /var/home/user/Applications/Portmaster/portmaster-start core

[sudo] password for user:
[control] 2022/11/07 07:18:45 starting /var/home/user/Applications/Portmaster/updates/linux_amd64/core/portmaster-core_v1-0-0 --data /var/home/user/Applications/Portmaster
221107 09:18:45.771 ▶ BOF
221107 09:18:46.183 v/location:299 ▶ WARN 001 netenv: failed to get IPv4 device location from traceroute: failed to send icmp packet: write ip4 0.0.0.0->1.1.1.1: sendto: operation not permitted
221107 10:12:38.218 nameserver:286 ▶ WARN 003 nameserver: failed to resolve noreply-watch-gjib39.go.dnscheck.tools.A: all 5 query-compliant resolvers failed, last error: read udp [fdc6:ff62:38b1::87e]:48529->[fdc6:ff62:38b1::1]:53: i/o timeout

This kept failing a number of times

  1. Had some errors running /var/home/user/Applications/Portmaster/portmaster-start app

[control] 2022/11/07 07:19:20 starting /var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/portmaster-app_v0-2-5 --data /var/home/user/Applications/Portmaster
Portmaster data directory: /var/home/user/Applications/Portmaster
[10229:1107/091921.407643:ERROR:gl_surface_egl.cc(783)] No suitable EGL configs found.
[10229:1107/091921.407785:ERROR:gl_context_egl.cc(138)] eglGetConfigAttrib failed with error EGL_BAD_CONFIG
[10229:1107/091921.475387:ERROR:gl_surface_egl.cc(783)] No suitable EGL configs found.
[10229:1107/091921.475554:ERROR:gl_surface_egl.cc(2113)] eglCreatePbufferSurface failed with error EGL_BAD_CONFIG
[10229:1107/091921.475649:ERROR:gpu_info_collector.cc(80)] gl::GLContext::CreateOffscreenGLSurface failed
[10229:1107/091921.475744:ERROR:gpu_info_collector.cc(348)] Could not create surface for info collection.
[10229:1107/091921.475811:ERROR:gpu_init.cc(86)] CollectGraphicsInfo failed.
[10229:1107/091921.477681:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
[10255:1107/091921.689442:ERROR:command_buffer_proxy_impl.cc(128)] ContextResult::kTransientFailure: Failed to send GpuControl.CreateCommandBuffer.
TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:372:5)
    at URL.onParseError (node:internal/url:553:9)
    at new URL (node:internal/url:629:5)
    at AppAPI. (/var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:131:25)
    at step (/var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:42:23)
    at Object.next (/var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:23:53)
    at /var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:17:71
    at new Promise ()
    at __awaiter (/var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:13:12)
    at AppAPI.openExternal (/var/home/user/Applications/Portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/resources/app.asar/api.js:124:16) { input: '/ui/modules/portmaster/settings?setting=filter%2FpreventBypassing', code: 'ERR_INVALID_URL' }
opening external: file:///ui/modules/portmaster/settings?setting=filter%252FpreventBypassing
gio: file:///ui/modules/portmaster/settings?setting=filter%252FpreventBypassing: Error when getting information for file “/ui/modules/portmaster/settings?setting=filter%2FpreventBypassing”: No such file or directory

  1. After restarting the PC, Portmaster isn't running, how do I make it start before other apps?
  2. How will portmaster update if it's not a layered package? Will it use the in app updating?
  3. How can I add a shortcut to the UI?
  4. Result running: systemctl status portmaster Unit portmaster.service could not be found.

Pryka commented 1 year ago
  1. I have only this warning 221107 11:42:25.499 v/location:299 ▶ WARN 001 netenv: failed to get IPv4 device location from traceroute: failed to send icmp packet: write ip4 0.0.0.0->1.1.1.1: sendto: operation not permitted

  2. For me it only prompts some MESA-LOADER errors.

  3. I think so.

  4. You must create a .desktop file in /var/home/user/.local/share/applications; you can find on the web how to do it.

  5. Create portmaster.service manually, it's in the installation guide.