Bug 1794959
| Summary: | SELinux is preventing accounts-daemon from using the 'setsched' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, grepl.miroslav, lvrabec, mikhail.v.gavrilov, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:575ec141e95739a84ae1e2df157f6bf41c264d48bdbf66db592b5fa6fd4ec329; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-01-28 08:48:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
accounts-daemon was denied sysnice at the same time with the following audit message
type=AVC msg=audit(1579980595.135:220): avc: denied { sys_nice } for pid=985 comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
The accounts-daemon crash had errors like "Failed to set scheduler settings: Permission denied" in frame 2 g_logv at ../glib/gmessages.c:1350 in glib2-2.63.4-1.fc32.x86_64 and in frame 3. Those errors might be due to the denials
Core was generated by `/usr/libexec/accounts-daemon'.
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
accountsservice-0.6.55-1.fc32.x86_64
#0 _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
554 G_BREAKPOINT ();
[Current thread is 1 (Thread 0x7fc6ef9bf700 (LWP 999))]
(gdb) bt full
#0 _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
debugger_present = 1
#1 0x00007fc6fd911e89 in g_log_default_handler
(log_domain=<optimized out>, log_level=<optimized out>, message=<optimized out>, unused_data=<optimized out>) at ../glib/gmessages.c:3123
fields =
{{key = 0x7fc6fd963666 "GLIB_OLD_LOG_API", value = 0x7fc6fd9bc850, length = -1}, {key = 0x7fc6fd9635a1 "MESSAGE", value = 0x7fc6e0002b30, length = -1}, {key = 0x7fc6fd9635b4 "PRIORITY", value = 0x7fc6fd963462, length = -1}, {key = 0x7fc6fd96360e "GLIB_DOMAIN", value = 0x7fc6fd95900e, length = -1}}
n_fields = <optimized out>
#2 0x00007fc6fd9120bb in g_logv
(log_domain=0x7fc6fd95900e "GLib", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7fc6ef9bec90) at ../glib/gmessages.c:1350
domain = 0x0
data = 0x0
depth = 1
log_func = 0x560e68cd65d0 <log_handler>
domain_fatal_mask = <optimized out>
masquerade_fatal = 0
test_level = 6
was_fatal = 0
was_recursion = 0
msg = 0x7fc6e0002b30 "Failed to set scheduler settings: Permission denied"
msg_alloc = 0x7fc6e0002b30 "Failed to set scheduler settings: Permission denied"
--Type <RET> for more, q to quit, c to continue without paging--c
i = 2
#3 0x00007fc6fd9122a3 in g_log (log_domain=log_domain@entry=0x7fc6fd95900e "GLib", log_level=log_level@entry=G_LOG_LEVEL_ERROR, format=format@entry=0x7fc6fd9bee70 "Failed to set scheduler settings: %s") at ../glib/gmessages.c:1415
args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fc6ef9bed70, reg_save_area = 0x7fc6ef9becb0}}
#4 0x00007fc6fd95752b in linux_pthread_proxy (data=0x560e69e67060) at ../glib/gthread-posix.c:1238
tid = <optimized out>
flags = 0
res = <optimized out>
thread = 0x560e69e67060
#5 0x00007fc6fd5aa432 in start_thread (arg=<optimized out>) at pthread_create.c:477
ret = <optimized out>
pd = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140492400228096, -7997416898972201573, 140731737061774, 140731737061775, 140731737061920, 140492400228096, 7966490075805404571, 7966459850453175707}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
#6 0x00007fc6fd7a2873 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Those errors are the same as those from the ModemManager crashes at https://bugzilla.redhat.com/show_bug.cgi?id=1794964
Similar problem has been detected: happens when I start virtual machine or build package in mock hashmarkername: setroubleshoot kernel: 5.5.0-0.rc7.git0.2.fc32.x86_64 package: selinux-policy-3.14.5-20.fc32.noarch reason: SELinux is preventing accounts-daemon from using the 'setsched' accesses on a process. type: libreport *** This bug has been marked as a duplicate of bug 1795524 *** |
Description of problem: I ran sudo dnf upgrade --refresh on the Rawhide KDE Plasma spin on 2020-1-25. The upgrade included about ~300 rpms including glib2-2.63.4-1.fc32.x86_64, gcc-10.0.1-0.5.fc32.x86_64, sssd-2.2.2-5.fc32.x86_64, annobin-9.01-2.fc32.x86_64, binutils-2.33.1-12.fc32.x86_64, colord-1.4.4-3.fc32.x86_64, elfutils-0.178-8.fc32.x86_64. I rebooted. The plymouth output showed lines like Failed to start ModemManager Failed to start Accounts Service The journal and audit logs had denials of ModemManager using setsched on a process with modemmanager_t possibly itself repeated many times. ModemManager restarted and was sent the trap signal. ModemManager crashed 9 times in total. There were also denials of accounts-daemon using setsched and sysnice followed by accounts-daemon getting the trap signal and crashing once. colord was denied setsched and crashed with the trap signal also. So the denials might be due to a change in a package that ModemManager, accounts-daemon, and colord were all using. glib2-2.63.4-1.fc32.x86_64 is in the traces of the crashing threads of each of them so glib might be involved. I'll submit the other denials and crashes separately and put the links here. The same denials and crashes happened on 2 consecutive boots. SELinux is preventing accounts-daemon from using the 'setsched' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that accounts-daemon should be allowed setsched access on processes labeled accountsd_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon # semodule -X 300 -i my-accountsdaemon.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:system_r:accountsd_t:s0 Target Objects Unknown [ process ] Source accounts-daemon Source Path accounts-daemon Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.5-20.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.5.0-0.rc6.git3.1.fc32.x86_64 #1 SMP Fri Jan 17 18:29:51 UTC 2020 x86_64 x86_64 Alert Count 1 First Seen 2020-01-25 14:29:55 EST Last Seen 2020-01-25 14:29:55 EST Local ID 6f28eecf-d2a2-42a2-997c-6ddf43eb7a8f Raw Audit Messages type=AVC msg=audit(1579980595.135:221): avc: denied { setsched } for pid=985 comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0 Hash: accounts-daemon,accountsd_t,accountsd_t,process,setsched Version-Release number of selected component: selinux-policy-3.14.5-20.fc32.noarch Additional info: component: selinux-policy reporter: libreport-2.11.3 hashmarkername: setroubleshoot kernel: 5.5.0-0.rc6.git3.1.fc32.x86_64 type: libreport