
bug: flatpak install from OCI remote requires sudo on wheel users due to missing metadata-update polkit action #27

@castrojo


Summary

Installing any app from the testhub OCI remote fails with a permission error for users in the wheel group, even with an active local session:

```
error: Unable to load summary from remote testhub: Flatpak system operation GenerateOciSummary not allowed for user
```

The same user can install from Flathub without sudo on the same machine. Installing from testhub currently only works via `sudo flatpak install`, which is unexpected and undocumented.

Root cause

When flatpak installs from an OCI remote (like testhub), it calls the D-Bus method `GenerateOciSummary` on the flatpak system helper. In the flatpak source, this method maps to the polkit action `org.freedesktop.Flatpak.metadata-update`:

```c
// system-helper/flatpak-system-helper.c
else if (g_strcmp0 (method_name, "UpdateSummary") == 0 ||
         g_strcmp0 (method_name, "GenerateOciSummary") == 0)
  {
    action = "org.freedesktop.Flatpak.metadata-update";
  }
```

Reference: https://github.com/flatpak/flatpak/blob/main/system-helper/flatpak-system-helper.c

Bluefin ships a polkit rules file that grants wheel users passwordless access to flatpak operations:

File: /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules
Owned by package: flatpak-1.16.0-9.el10.x86_64
Upstream source: https://github.com/flatpak/flatpak/blob/main/system-helper/org.freedesktop.Flatpak.rules.in

Current content:

```javascript
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install" ||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
```

`org.freedesktop.Flatpak.metadata-update` is not in this list. Its default polkit policy is active=yes (no auth needed), but the system helper enforces an explicit polkit check for `GenerateOciSummary` that fails when no rule matches and the default is overridden by the system helper's own authorization logic.

Flathub uses the OSTree transport, which never calls `GenerateOciSummary`, so wheel users can install from Flathub without hitting this. OCI remotes (testhub) always hit this code path on every install and update.

Affected versions

  • Bluefin LTS 10 (Coughlan), flatpak 1.16.0
  • Any Bluefin system where the user is in wheel but not running as root

Fix

Add org.freedesktop.Flatpak.metadata-update to the wheel grant in the polkit rules. This should be applied as a system file override in the Bluefin image.

Proposed change to /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules (or as /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules on existing machines):

```javascript
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install" ||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo" ||
         action.id == "org.freedesktop.Flatpak.metadata-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
```

The same fix applies to all Bluefin and Universal Blue systems using OCI-based Flatpak remotes. This may also be worth filing upstream against the flatpak package in Fedora/RHEL since the upstream rules template (org.freedesktop.Flatpak.rules.in) has the same omission.
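As an added example (not code from the issue, flatpak or Bluefin), the following simulates polkit's rule evaluation for the shipped wheel rule next to the proposed one, so the fall-through for `metadata-update` can be checked before a real rules.d file is edited. `newPolkit`, `makeSubject` and `evaluate` are hypothetical helpers written for this example; the real polkit engine is not loaded.

```javascript
// Hypothetical stand-in for polkit's JavaScript rules engine, written for this
// example: rules run in file order and the first answer other than NOT_HANDLED
// wins; NOT_HANDLED means the action's own default policy applies instead.
function newPolkit() {
  const Result = { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" };
  const rules = [];
  return {
    Result,
    addRule: (fn) => { rules.push(fn); },
    check(actionId, subject) {
      for (const rule of rules) {
        const r = rule({ id: actionId }, subject);
        if (r !== Result.NOT_HANDLED) return r;
      }
      return Result.NOT_HANDLED;
    },
  };
}

// Subject shaped like polkit's: session flags plus a group-membership callback.
function makeSubject(groups, active = true, local = true) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// Action list of the rule currently shipped in the image.
const SHIPPED_ACTIONS = [
  "org.freedesktop.Flatpak.app-install",
  "org.freedesktop.Flatpak.runtime-install",
  "org.freedesktop.Flatpak.app-uninstall",
  "org.freedesktop.Flatpak.runtime-uninstall",
  "org.freedesktop.Flatpak.modify-repo",
];
// Proposed rule: same list plus the action GenerateOciSummary maps to.
const PROPOSED_ACTIONS = [...SHIPPED_ACTIONS, "org.freedesktop.Flatpak.metadata-update"];

// Same checks as the rules file's callback, parameterised by the granted list.
function wheelRule(polkit, grantedActions) {
  return function (action, subject) {
    if (grantedActions.includes(action.id) &&
        subject.active === true && subject.local === true &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  };
}

// Load one rules file into a fresh engine and ask it about a single action.
function evaluate(grantedActions, actionId, subject) {
  const polkit = newPolkit();
  polkit.addRule(wheelRule(polkit, grantedActions));
  return polkit.check(actionId, subject);
}
```

With the shipped list, a local wheel user asking for `metadata-update` gets NOT_HANDLED and falls through to the helper's own check; with the proposed list the rule answers YES, while non-wheel or non-local subjects still fall through.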

Workaround

Until fixed in the image, on any affected machine:

```bash
sudo tee /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules << 'RULE'
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install" ||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo" ||
         action.id == "org.freedesktop.Flatpak.metadata-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
RULE
```
