| Summary: | SELinux is preventing pcscd from using the 'wake_alarm' capabilities. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Karel Volný <kvolny> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 25 | CC: | bjwyman, dominick.grift, dwalsh, fedora, lvrabec, marcvanwageningen, mgrepl, motoskov, pbonzini, plarsen, plautrba, pmoore, sam.bristow, sjenning, swadeley |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:629cace1d9c7775e9048b25b001091a458bdf08d8ea9003811b840cea078707f; | | |
| Fixed In Version: | selinux-policy-3.13.1-222.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-10 16:37:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
```
SELinux is preventing pcscd from using the wake_alarm capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pcscd should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pcscd' --raw | audit2allow -M my-pcscd
# semodule -X 300 -i my-pcscd.pp

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:system_r:pcscd_t:s0
Target Objects                Unknown [ capability2 ]
Source                        pcscd
Source Path                   pcscd
Port                          <Unknown>
Host                          dragonfly.XXX.net
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dragonfly.XXX.net
Platform                      Linux dragonfly.saguna.net
                              4.8.0-0.rc8.git0.1.fc25.x86_64 #1 SMP Mon Sep 26
                              17:12:24 UTC 2016 x86_64 x86_64
Alert Count                   4157
First Seen                    2016-09-16 17:25:40 IDT
Last Seen                     2016-10-09 11:47:19 IDT
Local ID                      081e847e-f0f4-4a63-aa6c-b782a51fd077

Raw Audit Messages
type=AVC msg=audit(1476002839.695:278): avc: denied { wake_alarm } for pid=4204 comm="pcscd" capability=35 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability2 permissive=0

Hash: pcscd,pcscd_t,pcscd_t,capability2,wake_alarm
```
Description of problem:

This happens every time after starting pcscd after some seconds.

Additional info:

- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.3-300.fc25.x86_64
- type: libreport

I have started noticing this in Fedora 24, probably after some recent update in the past week or two.

selinux-policy-3.13.1-222.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1908bac81

selinux-policy-3.13.1-222.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:

Ran "ykneomgr -m" with a Yubikey NEO.

Version-Release number of selected component:

selinux-policy-3.13.1-220.fc25.noarch

Additional info:

- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.4-301.fc25.x86_64
- type: libreport

Same issue on Fedora 24. Is this going to be backported?
Description of problem:

I do not know what this means and if the application should be allowed or rather fixed, however, what seems suspicious to me is that I'm getting the alert usually after an application crash when abrt pops up ... what is the connection here???

```
SELinux is preventing pcscd from using the 'wake_alarm' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pcscd should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pcscd' --raw | audit2allow -M my-pcscd
# semodule -X 300 -i my-pcscd.pp

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:system_r:pcscd_t:s0
Target Objects                Unknown [ capability2 ]
Source                        pcscd
Source Path                   pcscd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-215.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc7.git0.1.fc25.x86_64 #1 SMP Mon Sep 19 15:24:06 UTC 2016 x86_64 x86_64
Alert Count                   28
First Seen                    2016-10-04 12:54:44 CEST
Last Seen                     2016-10-04 12:54:47 CEST
Local ID                      ac9cddef-b823-441e-89f0-bacfeb3d2547

Raw Audit Messages
type=AVC msg=audit(1475578487.871:844): avc: denied { wake_alarm } for pid=30852 comm="pcscd" capability=35 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability2 permissive=0

Hash: pcscd,pcscd_t,pcscd_t,capability2,wake_alarm
```

Version-Release number of selected component:

selinux-policy-3.13.1-215.fc25.noarch

Additional info:

- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.0-0.rc7.git0.1.fc25.x86_64
- type: libreport