| Summary: | SELinux is preventing abrt-hook-ccpp from 'sys_ptrace' accesses on the cap_userns Unknown. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | sheepdestroyer <sheepdestroyer> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | aflinta, a.lloyd.flanagan, bucky, cyberdak095, danielsun3164, dimapunk80, dominick.grift, dwalsh, fischer.d.r, geral, jonha87, joseluisxd, joshuaward, lvrabec, mgmackoul, mgrepl, mikhail.v.gavrilov, peljasz, plautrba, samuelmarqueslima1, talipdurmus1, tcarlin, thomas, tomasz.urbanski, vangjelstavro |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:9ee0657824a337cf1fd752078363dd2c4d0be995b0b3357592821cd3fe0b5c76;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-191.20.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-10 03:29:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem: While using Google-Chrome Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport *** Bug 1374829 has been marked as a duplicate of this bug. *** Description of problem: Working on Chrome, open a new page and the red light from bit defender stop working Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport Description of problem: Starting `GDK_BACKEND=X11 flatpak run org.libreoffice.LibreOffice` Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport Description of problem: It's only just started doing this right after boot. But it happens every time. Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.4-200.fc24.x86_64 type: libreport I see Chrome in the other comments, and it didn't start happening to me until I installed Firefox 49 and visited Netflix. I wonder if Widevine is involved somehow. It seems to happen in pairs with with the alert: SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown. I can't help but notice cap_userns is in that one too. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. Description of problem: Just logged in to gnome classic desktop. Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.5-200.fc24.x86_64 type: libreport Description of problem: Clicked on "Enable DRM" in Firefox at http://www.nbcnews.com/storyline/aleppos-children/hospital-aleppo-evidence-detested-weapon-n657621. Version-Release number of selected component: selinux-policy-3.13.1-191.17.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.4-200.fc24.x86_64 type: libreport Plus one:
SELinux is preventing abrt-hook-ccpp from sys_ptrace access on the cap_userns Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that abrt-hook-ccpp should be allowed sys_ptrace access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-hook-ccpp' --raw | audit2allow -M my-abrthookccpp
# semodule -X 300 -i my-abrthookccpp.pp
Additional Information:
Source Context system_u:system_r:abrt_dump_oops_t:s0
Target Context system_u:system_r:abrt_dump_oops_t:s0
Target Objects Unknown [ cap_userns ]
Source abrt-hook-ccpp
Source Path abrt-hook-ccpp
Port <Unknown>
Host eldenador.giftdigital
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-191.17.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name eldenador.giftdigital
Platform Linux eldenador.giftdigital 4.7.5-200.fc24.x86_64
#1 SMP Mon Sep 26 21:25:47 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-10-08 15:11:45 AEST
Last Seen 2016-10-08 15:11:45 AEST
Local ID ab91b83a-8c84-42ca-a82c-7f6e84b42e61
Raw Audit Messages
type=AVC msg=audit(1475903505.996:330): avc: denied { sys_ptrace } for pid=15399 comm="abrt-hook-ccpp" capability=19 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=cap_userns permissive=0
Hash: abrt-hook-ccpp,abrt_dump_oops_t,abrt_dump_oops_t,cap_userns,sys_ptrace
Description of problem: running latest chrome Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.5-200.fc24.x86_64 type: libreport selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing abrt-hook-ccpp from 'sys_ptrace' accesses on the cap_userns Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that abrt-hook-ccpp should be allowed sys_ptrace access on the Unknown cap_userns by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'abrt-hook-ccpp' --raw | audit2allow -M my-abrthookccpp # semodule -X 300 -i my-abrthookccpp.pp Additional Information: Source Context system_u:system_r:abrt_dump_oops_t:s0 Target Context system_u:system_r:abrt_dump_oops_t:s0 Target Objects Unknown [ cap_userns ] Source abrt-hook-ccpp Source Path abrt-hook-ccpp Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.12.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.7.2+ #3 SMP Sun Aug 21 23:08:59 JST 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-08-24 01:05:42 JST Last Seen 2016-08-25 16:58:34 JST Local ID 843d9086-a615-44c8-9b9f-faf48bf20278 Raw Audit Messages type=AVC msg=audit(1472111914.606:401): avc: denied { sys_ptrace } for pid=13353 comm="abrt-hook-ccpp" capability=19 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=cap_userns permissive=0 Hash: abrt-hook-ccpp,abrt_dump_oops_t,abrt_dump_oops_t,cap_userns,sys_ptrace Version-Release number of selected component: selinux-policy-3.13.1-191.12.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2+ type: libreport