Bug 1723308
| Summary: | SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marcus Husar <marcus.husar> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 30 | CC: | as.maps, b.bellec, bztdlinux, dwalsh, extras-qa, jan.public, kcchouette+fedora, lvrabec, marinodiego.96+redhat, mgrepl, oliver.henshaw, plautrba, pv.bugzilla, rocket111185, samtygier, vkadlcik, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:5cb01176e79af3869e500df9de4f681f863d10f3b460ff1a84dafba720dcc387;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.14.3-40.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-13 01:06:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
commit 9feef6798e92a30233f9eec182d9935240771794 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Mon Jun 24 18:19:11 2019 +0200
Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)
Description of problem:
starting firefox

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 5.0.16-300.fc30.x86_64
type: libreport

Description of problem:
Downloaded firefox nightly firefox-69.0a1.en-US.linux-x86_64.tar.bz2, expanded it in my download folder, launched with ./firefox

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 5.1.8-300.fc30.x86_64
type: libreport

Description of problem:
Launched Firefox Developers. Received AVC denials notifications.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 5.1.16-300.fc30.x86_64
type: libreport

Description of problem:
Firefox Nightly launch

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter: libreport-2.10.1
hashmarkername: setroubleshoot
kernel: 5.1.16-300.fc30.x86_64
type: libreport

FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30.
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1729647 has been marked as a duplicate of this bug. ***

Just today I received a similar message:
SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.
This after updating yesterday from 3.14.3-43.fc30 -> 3.14.3-45.fc30 :
---> Package selinux-policy.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy.noarch 3.14.3-45.fc30 will be an upgrade
---> Package selinux-policy-targeted.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy-targeted.noarch 3.14.3-45.fc30 will be an upgrade
"SETroubleshoot Details Window" reports:
SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp
Additional Information:
Source Context system_u:system_r:rtkit_daemon_t:s0
Target Context system_u:system_r:rtkit_daemon_t:s0
Target Objects Unknown [ cap_userns ]
Source rtkit-daemon
Source Path rtkit-daemon
Port <Unknown>
Host red
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name red
Platform Linux red 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count 18
First Seen 2019-09-09 09:51:48 HKT
Last Seen 2019-09-09 09:51:48 HKT
Local ID e077715f-c977-4b86-8bd9-3fafb91d0b89
Raw Audit Messages
type=AVC msg=audit(1567993908.72:356): avc: denied { sys_nice } for pid=875 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice
Per bug #1752263 this happens on F29 too.

For me, this started happening today after upgrading firefox to firefox-69.0.1-3.fc29.x86_64 - https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

(In reply to Oliver Henshaw from comment #11)
> Per bug #1752263 this happens on F29 too.
>
> For me, this started happening today after upgrading firefox to
> firefox-69.0.1-3.fc29.x86_64 -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Hi Oliver, I observe it too and I think it would be better to have a new, F29-specific bug. I've just filed it: bz1759423

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Description of problem:
This morning I updated my Fedora system. Since then I get system messages about SELinux problems.

SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context system_u:system_r:rtkit_daemon_t:s0
Target Context system_u:system_r:rtkit_daemon_t:s0
Target Objects Unknown [ cap_userns ]
Source rtkit-daemon
Source Path rtkit-daemon
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-39.fc30.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.1.12-300.fc30.x86_64 #1 SMP Wed Jun 19 15:19:49 UTC 2019 x86_64 x86_64
Alert Count 18
First Seen 2019-06-24 10:49:04 CEST
Last Seen 2019-06-24 10:55:35 CEST
Local ID f76c9d69-05b9-4c5d-b036-b5045a296ce6
Raw Audit Messages
type=AVC msg=audit(1561366535.376:321): avc: denied { sys_ptrace } for pid=828 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 5.1.12-300.fc30.x86_64
type: libreport
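Both raw AVC lines quoted in this report (sys_ptrace with capability=19, sys_nice with capability=23) carry tclass=cap_userns, the object class SELinux uses when a capability is checked against a process in a non-initial user namespace; the plain capability class is used for the initial namespace. The Python below is an added example for this page, not code from the report, from setroubleshoot or from selinux-policy. It parses raw AVC lines like the ones above, checks that the numeric capability= field agrees with the permission in braces, rebuilds the Hash: line setroubleshoot prints, and renders the allow rule the `ausearch | audit2allow` step would generate for them (audit2allow writes `self` when source and target types are the same). The sample lines are constructed from the messages in this report and the capability table is a two-entry subset of the kernel's.

```python
"""Decode raw SELinux AVC capability denials and render the matching allow rule.

Added example for this bug page, not code from the report, setroubleshoot or
selinux-policy.  Sample lines are constructed from the two AVC messages quoted
in the bug; capability numbers are the Linux values (CAP_SYS_PTRACE=19,
CAP_SYS_NICE=23) from include/uapi/linux/capability.h.
"""
import re
from collections import OrderedDict

# Constructed sample input: the two denials quoted in the report.
CTX = "system_u:system_r:rtkit_daemon_t:s0"
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1561366535.376:321): avc:  denied  { sys_ptrace } for  '
    f'pid=828 comm="rtkit-daemon" capability=19 scontext={CTX} tcontext={CTX} '
    'tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1567993908.72:356): avc:  denied  { sys_nice } for  '
    f'pid=875 comm="rtkit-daemon" capability=23 scontext={CTX} tcontext={CTX} '
    'tclass=cap_userns permissive=0',
]

# Two-entry subset of the kernel capability table (assumption: extend as needed).
CAPABILITY_NAMES = {19: "sys_ptrace", 23: "sys_nice"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]*)\} for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: capability=(?P<cap>\d+))? scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)


def context_type(ctx):
    """Type field of a user:role:type:level context, e.g. rtkit_daemon_t."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one raw AVC denial into a dict; None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
        "capability": int(m.group("cap")) if m.group("cap") else None,
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def parse_avc_lines(lines):
    return [r for r in map(parse_avc, lines) if r]


def in_user_namespace(rec):
    """SELinux checks capabilities as class cap_userns / cap2_userns when the
    check happens in a non-initial user namespace (capability / capability2
    are used in the initial namespace)."""
    return rec["tclass"] in ("cap_userns", "cap2_userns")


def capability_matches(rec):
    """True when the numeric capability= field and the braced permission agree."""
    if rec["capability"] is None:
        return True  # not a capability check
    return CAPABILITY_NAMES.get(rec["capability"]) in rec["perms"]


def setroubleshoot_hash(rec, perm_index=0):
    """Rebuild the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perm."""
    return ",".join((rec["comm"], rec["stype"], rec["ttype"],
                     rec["tclass"], rec["perms"][perm_index]))


def allow_rules(records):
    """Merge denials by (source type, target type, class) and render them as
    audit2allow does: 'self' when source and target types match, braces only
    for more than one permission."""
    grouped = OrderedDict()
    for r in records:
        grouped.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    import sys
    # Pipe `ausearch -m AVC --raw` into this script, or run it on the samples.
    lines = SAMPLE_AUDIT_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    recs = parse_avc_lines(lines)
    for r in recs:
        flag = "" if capability_matches(r) else "  (capability number mismatch)"
        print(setroubleshoot_hash(r), "userns" if in_user_namespace(r) else "initns", flag)
    print("\n".join(allow_rules(recs)))
```

On the two lines from this report the script prints the same two Hash: values setroubleshoot showed and a single merged rule, `allow rtkit_daemon_t self:cap_userns { sys_nice sys_ptrace };`. That is also the practical caveat of the catchall suggestion: a module built with `audit2allow -M my-rtkitdaemon` grants the permission for every user namespace rtkit-daemon ever touches, not just the one Firefox created, so once the fixed selinux-policy-3.14.3-40.fc30 package is installed the local module should be dropped again with `semodule -r my-rtkitdaemon`.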