Bug 1795034
| Summary: | SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | dwalsh, grepl.miroslav, lslebodn, lvrabec, plautrba, sopwith, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:8389d3f402e32b0dbe518c4789beb8f2efd57c4a9feeae87e691dd091f747348;VARIANT_ID=workstation; | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-05 16:10:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi, thank you for reporting the issue. I've sent a PR to address it: https://github.com/fedora-selinux/selinux-policy-contrib/pull/189

Is this operation expected? I can also see another AVC for capability:

```
type=AVC msg=audit(01/30/2020 17:47:34.676:85) : avc: denied { setsched } for pid=1137 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
```

Full output in enforcing and permissive mode:

```
type=PROCTITLE msg=audit(01/30/2020 17:43:58.310:129) : proctitle=/usr/libexec/accounts-daemon
type=SYSCALL msg=audit(01/30/2020 17:43:58.310:129) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) a0=0x54c a1=0x5587f7e36d90 a2=0x0 a3=0x7f2f7b977700 items=0 ppid=1 pid=1354 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { setsched } for pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { sys_nice } for pid=1354 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(01/30/2020 17:46:38.548:240) : proctitle=/usr/libexec/accounts-daemon
type=SYSCALL msg=audit(01/30/2020 17:46:38.548:240) : arch=x86_64 syscall=sched_setattr success=yes exit=0 a0=0x77a a1=0x564358d92d90 a2=0x0 a3=0x7f7555240700 items=0 ppid=1 pid=1912 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc: denied { setsched } for pid=1912 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc: denied { sys_nice } for pid=1912 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
```

Reproducer:

```
systemctl restart accounts-daemon.service
```
Because GNOME Display Manager (gdm) depends on accounts-daemon, and this problem causes accounts-daemon to exit with an error, users can't log in to their system due to this bug. It probably should have a higher priority and severity.

Also, this problem is not limited to just accounts-daemon. ModemManager has the same issue, as does anything else that uses glib2's GThreadPool system. So I don't think Zdenek's proposed patch is sufficient to really fix the root issue. It appears that on the glib2 side of things, they should probably not make this a fatal (breakpoint-inducing) g_debug() log message. See bug #1795524 for their side of things.

Oops, s/g_debug/g_error/ in my last comment.

*** This bug has been marked as a duplicate of bug 1795524 ***
Description of problem:
Happens when I start a virtual machine or build a package in mock.

```
SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.5-20.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.5.0-0.rc7.git0.2.fc32.x86_64 #1 SMP Mon Jan 20 22:22:45 +05 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-25 23:50:37 +05
Last Seen                     2020-01-25 23:50:37 +05
Local ID                      1e630b67-6a5a-467c-8db5-a8d0d37ce9af

Raw Audit Messages
type=AVC msg=audit(1579978237.369:96): avc: denied { sys_nice } for pid=1249 comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,sys_nice
```

Version-Release number of selected component:
selinux-policy-3.14.5-20.fc32.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.11.3
hashmarkername: setroubleshoot
kernel: 5.5.0-0.rc7.git0.2.fc32.x86_64
type: libreport
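The setroubleshoot suggestion above pipes raw audit records into audit2allow. As an added example that is not part of this bug report or of selinux-policy, the following POSIX sh/awk script reimplements the rule-merging step audit2allow performs: it reads AVC records, extracts the source type, target type, object class and denied permissions, collapses repeated denials into one allow rule per (source, target, class), and writes the target as self when source and target types match. It runs over a constructed copy of the four AVC records quoted in the enforcing/permissive comparison, and a second helper counts how many of those denials were actually enforced (permissive=0, where the SYSCALL record shows EACCES) versus only logged in permissive mode. The function names avc_to_allow and avc_enforced_count are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of this bug report or of selinux-policy): a small
# sh/awk reimplementation of the rule-merging step audit2allow performs on
# AVC records. Function names avc_to_allow and avc_enforced_count are
# assumptions of this example.

# Constructed sample: the four AVC records from the enforcing (permissive=0)
# and permissive (permissive=1) runs quoted in this bug.
AVC_SAMPLE='type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { setsched } for pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { sys_nice } for pid=1354 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc: denied { setsched } for pid=1912 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc: denied { sys_nice } for pid=1912 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1'

# avc_to_allow: read AVC records on stdin and print one allow rule per
# (source type, target type, object class), merging the permissions of
# repeated denials. When source and target types are equal the target is
# written as "self", as audit2allow does.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # the denied permissions are the words between the braces after "denied"
      if (match($0, /denied +[{][^}]*[}]/)) {
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] */, "", perms)
        sub(/ *[}]$/, "", perms)
      }
      # scontext=, tcontext= and tclass= are whitespace-separated key=value fields
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") src = kv[2]
        else if (kv[1] == "tcontext") tgt = kv[2]
        else if (kv[1] == "tclass") cls = kv[2]
      }
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      # the type is the third field of user:role:type:level
      split(src, s, ":"); split(tgt, t, ":")
      target = (s[3] == t[3]) ? "self" : t[3]
      key = s[3] SUBSEP target SUBSEP cls
      # merge permissions for the same key, skipping ones already recorded
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = seen[key] " " p[j]
    }
    END {
      for (k in seen) {
        split(k, f, SUBSEP)
        print "allow " f[1] " " f[2] ":" f[3] " {" seen[k] " };"
      }
    }
  '
}

# avc_enforced_count: number of denials that were enforced (permissive=0),
# i.e. the syscall really failed, as opposed to permissive=1 records that
# were only logged while the machine ran in permissive mode.
avc_enforced_count() {
  awk '/avc: +denied/ && /permissive=0/ { n++ } END { print n + 0 }'
}

# Stand-alone demonstration over the constructed sample
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf 'enforced denials: %s\n' "$(printf '%s\n' "$AVC_SAMPLE" | avc_enforced_count)"
```

On a real host the constructed sample would be replaced by `ausearch -m AVC -c accounts-daemon --raw`. The two rules this produces for the sample (`allow accountsd_t self:capability { sys_nice };` and `allow accountsd_t self:process { setsched };`) are exactly the pair the thread discusses; the enforced-denial count is what tells you whether a record came from a box in enforcing mode (the reporter's alert above was captured with Enforcing Mode: Permissive, which is why the daemon did not fail there).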