Bug 1873658

Summary: rebased firefox produces SELinux AVC / denied sys_ptrace for rtkit-daemon
Product: Red Hat Enterprise Linux 8
Reporter: Leon Fauster <leonfauster>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.2
CC: adam.winberg, amkulkar, bnater, ggr.seaton, lvrabec, mmalik, petr, plautrba, rmetrich, ssekidde, tpopela, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.4
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-55.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 14:57:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1894575

Attachments:
  firefox-dumped-core.txt (flags: none)
  20200914 coredumped-firefox.txt (flags: none)

Description Leon Fauster 2020-08-28 22:40:20 UTC
Description of problem:

Since the update to 78, playing videos on websites in Firefox triggers an SELinux AVC denial.


Version-Release number of selected component (if applicable):

$ rpm -q firefox
firefox-78.2.0-2.el8_2.x86_64




Actual results:

# journalctl -f 

Aug 29 00:30:54 stand.localdomain xdg-desktop-por[9312]: Failed to get application states: GDBus.Error:org.freedesktop.portal.Error.Failed: Could not get window list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: App introspection not allowed
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Supervising 5 threads of 3 processes of 1 users.
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Supervising 5 threads of 3 processes of 1 users.
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Supervising 5 threads of 3 processes of 1 users.
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Supervising 5 threads of 3 processes of 1 users.
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Successfully made thread 16396 of process 14519 (n/a) owned by '1200' RT at priority 10.
Aug 29 00:30:56 stand.localdomain rtkit-daemon[2052]: Supervising 6 threads of 4 processes of 1 users.
Aug 29 00:30:59 stand.localdomain dbus-daemon[2025]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.1202' (uid=0 pid=1993 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Aug 29 00:30:59 stand.localdomain dbus-daemon[16410]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Aug 29 00:31:00 stand.localdomain dbus-daemon[2025]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 29 00:31:01 stand.localdomain setroubleshoot[16410]: SELinux is preventing /usr/libexec/rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t. For complete SELinux messages run: sealert -l da049452-7ae1-4211-a105-d320cb78ee45
Aug 29 00:31:01 stand.localdomain platform-python[16410]: SELinux is preventing /usr/libexec/rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
                                                          # semodule -X 300 -i my-rtkitdaemon.pp
                                                          
Aug 29 00:31:09 stand.localdomain org.gnome.Shell.desktop[7139]: libinput error: client bug: timer event8 debounce short: offset negative (-0ms)
Aug 29 00:31:45 stand.localdomain org.gnome.Shell.desktop[7139]: libinput error: client bug: timer event8 debounce short: offset negative (-10ms)




# ausearch -m avc |tail
----
time->Sat Aug 29 00:30:56 2020
type=PROCTITLE msg=audit(1598653856.832:453): proctitle="/usr/libexec/rtkit-daemon"
type=SYSCALL msg=audit(1598653856.832:453): arch=c000003e syscall=89 success=no exit=-13 a0=7ffe30821fb0 a1=7ffe30822120 a2=7f a3=0 items=0 ppid=1 pid=2052 auid=4294967295 uid=172 gid=172 euid=172 suid=172 fsuid=172 egid=172 sgid=172 fsgid=172 tty=(none) ses=4294967295 comm="rtkit-daemon" exe="/usr/libexec/rtkit-daemon" subj=system_u:system_r:rtkit_daemon_t:s0 key=(null)
type=AVC msg=audit(1598653856.832:453): avc:  denied  { sys_ptrace } for  pid=2052 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Comment 1 Leon Fauster 2020-08-28 23:55:14 UTC
And dumped core : firefox-dumped-core.txt

Comment 2 Leon Fauster 2020-08-28 23:55:32 UTC
Created attachment 1713022 [details]
firefox-dumped-core.txt

Comment 3 adam winberg 2020-09-02 09:28:56 UTC
Can confirm: since the update to firefox-78.2.0-2.el8_2.x86_64 all of our users get this SELinux denial when using video conferencing, which we do a lot right now!

Comment 4 Milos Malik 2020-09-07 14:04:16 UTC
----
type=PROCTITLE msg=audit(09/07/2020 15:58:06.648:175) : proctitle=/usr/libexec/rtkit-daemon 
type=PATH msg=audit(09/07/2020 15:58:06.648:175) : item=0 name=//3947/exe inode=67224 dev=00:04 mode=link,777 ouid=unconfined-user ogid=unconfined-user rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/07/2020 15:58:06.648:175) : cwd=/ 
type=SYSCALL msg=audit(09/07/2020 15:58:06.648:175) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd534d57a0 a1=0x7ffd534d5910 a2=0x7f a3=0x0 items=1 ppid=1 pid=1681 auid=unset uid=rtkit gid=rtkit euid=rtkit suid=rtkit fsuid=rtkit egid=rtkit sgid=rtkit fsgid=rtkit tty=(none) ses=unset comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0 key=(null) 
type=AVC msg=audit(09/07/2020 15:58:06.648:175) : avc:  denied  { sys_ptrace } for  pid=1681 comm=rtkit-daemon capability=sys_ptrace  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0 
----

# rpm -qa firefox\* selinux-policy\* rtkit\* | sort
firefox-78.2.0-3.el8.x86_64
rtkit-0.11-19.el8.x86_64
selinux-policy-3.14.3-53.el8.noarch
selinux-policy-devel-3.14.3-53.el8.noarch
selinux-policy-doc-3.14.3-53.el8.noarch
selinux-policy-minimum-3.14.3-53.el8.noarch
selinux-policy-mls-3.14.3-53.el8.noarch
selinux-policy-sandbox-3.14.3-53.el8.noarch
selinux-policy-targeted-3.14.3-53.el8.noarch
#

Comment 5 Zdenek Pytela 2020-09-07 14:49:19 UTC
As this is basically a clone of Fedora bz#1723308, switching component to selinux-policy. If you feel this needs rtkit developers attention, feel free to switch it back.

Note there was also bz#1750024 for sys_nice capability which is not in RHEL 8 either atm.

Comment 9 Leon Fauster 2020-09-14 20:04:19 UTC
Are these coredumps related, or should I open a new report?

Comment 10 Leon Fauster 2020-09-14 20:05:15 UTC
Created attachment 1714848 [details]
20200914 coredumped-firefox.txt

Comment 11 Zdenek Pytela 2020-09-15 12:03:36 UTC
Leon,

I cannot assess if it is related.

You can create a custom selinux policy module to allow the permission and check further.

  # cat local_firefox_rtkit.cil
(allow rtkit_daemon_t self (cap_userns (sys_ptrace)))

  # semodule -i local_firefox_rtkit.cil
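
The audit records in comment 4 and the CIL module in comment 11 are the two ends of the same workflow: read what the AVC actually asks for, then write the narrowest rule that covers it. The Python below is an added example for this bug and is not code from the report, from rtkit or from selinux-policy. It parses both record shapes quoted above (raw `ausearch -m avc` output and the interpreted `ausearch -i` form), derives the CIL allow rule, and collapses the target to `self` when source and target types match, which is how comment 11's rule comes out. One detail worth noticing in the records: the class is `cap_userns`, not `capability`. SELinux reports a capability check under `cap_userns`/`cap2_userns` when the kernel performs it against a user namespace other than the initial one; that explanation is mine and is not stated in the report. The sample records are copied from the report (the SYSCALL line abridged); the one in `CONSTRUCTED_LINE` was not observed in this bug and exists only to exercise the non-`self` branch.

```python
"""Turn SELinux AVC denial records into the CIL allow rule that would cover them.

Added example for this bug report; not code from the report, rtkit or
selinux-policy. Handles raw `ausearch -m avc` output and the interpreted
`ausearch -i` form, both of which are quoted in the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Records copied from the audit output quoted in this bug (SYSCALL abridged);
# the non-AVC records are kept to show that they are skipped.
SAMPLE_LOG = """\
----
time->Sat Aug 29 00:30:56 2020
type=PROCTITLE msg=audit(1598653856.832:453): proctitle="/usr/libexec/rtkit-daemon"
type=SYSCALL msg=audit(1598653856.832:453): arch=c000003e syscall=89 success=no exit=-13 pid=2052 comm="rtkit-daemon" exe="/usr/libexec/rtkit-daemon" subj=system_u:system_r:rtkit_daemon_t:s0 key=(null)
type=AVC msg=audit(1598653856.832:453): avc:  denied  { sys_ptrace } for  pid=2052 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
----
type=AVC msg=audit(09/07/2020 15:58:06.648:175) : avc:  denied  { sys_ptrace } for  pid=1681 comm=rtkit-daemon capability=sys_ptrace  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
"""

# Constructed record (NOT observed in this bug): source and target types differ,
# so the generated rule must name the target type instead of `self`.
CONSTRUCTED_LINE = (
    'type=AVC msg=audit(1598653856.832:999): avc:  denied  { read } for  pid=2052 '
    'comm="rtkit-daemon" name="exe" dev="proc" ino=67224 '
    "scontext=system_u:system_r:rtkit_daemon_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tclass=lnk_file permissive=0"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Classes SELinux uses when the kernel checks a capability against a
# non-initial user namespace; `capability`/`capability2` cover init_user_ns.
USERNS_CLASSES = {"cap_userns", "cap2_userns"}


@dataclass(frozen=True)
class Avc:
    decision: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    permissive: bool


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one audit record; return None for anything that is not an AVC."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return Avc(
            decision=m.group("decision"),
            perms=tuple(sorted(m.group("perms").split())),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            comm=fields.get("comm", ""),
            permissive=fields.get("permissive") == "1",
        )
    except KeyError:
        return None  # malformed record: refuse to guess a rule from it


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def is_userns_check(avc: Avc) -> bool:
    """True when the denied capability was checked in a non-initial user namespace."""
    return avc.tclass in USERNS_CLASSES


def cil_allow(avc: Avc) -> str:
    """CIL allow rule covering this denial, using `self` when source == target."""
    src, tgt = context_type(avc.scontext), context_type(avc.tcontext)
    target = "self" if src == tgt else tgt
    return f"(allow {src} {target} ({avc.tclass} ({' '.join(avc.perms)})))"


def rules_from_log(text: str) -> List[str]:
    """Unique CIL rules for every denial in the log, in sorted order."""
    rules = set()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc and avc.decision == "denied":
            rules.add(cil_allow(avc))
    return sorted(rules)


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
    for avc in filter(None, map(parse_avc, SAMPLE_LOG.splitlines())):
        if is_userns_check(avc):
            print(f"; {avc.comm}: capability checked in a non-initial user namespace")
```

Generating the rule from the record rather than piping `ausearch -c rtkit-daemon` through audit2allow makes it visible exactly what is being granted: one `cap_userns sys_ptrace` on `rtkit_daemon_t`, and nothing else that the same process may have tripped over. The output for the report's records is the single line comment 11 uses; load it with `semodule -i` as shown there, and remove the module with `semodule -r` once the selinux-policy errata that carries the fix is installed.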

Comment 12 Zdenek Pytela 2020-09-29 18:33:59 UTC
*** Bug 1873695 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2021-05-18 14:57:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639