Bug 1873658
Field | Value
---|---
Summary | rebased firefox produce SElinux AVC / denied sys_ptrace for rtkit-daemon
Product | Red Hat Enterprise Linux 8
Reporter | Leon Fauster <leonfauster>
Component | selinux-policy
Assignee | Zdenek Pytela <zpytela>
Status | CLOSED ERRATA
QA Contact | Milos Malik <mmalik>
Severity | medium
Priority | medium
Version | 8.2
CC | adam.winberg, amkulkar, bnater, ggr.seaton, lvrabec, mmalik, petr, plautrba, rmetrich, ssekidde, tpopela, zpytela
Target Milestone | rc
Keywords | AutoVerified, Triaged
Target Release | 8.4
Hardware | x86_64
OS | Linux
Fixed In Version | selinux-policy-3.14.3-55.el8
Doc Type | No Doc Update
Last Closed | 2021-05-18 14:57:54 UTC
Type | Bug
Bug Blocks | 1894575
Description
Leon Fauster
2020-08-28 22:40:20 UTC
And dumped core: firefox-dumped-core.txt

Created attachment 1713022 [details]
firefox-dumped-core.txt

Can confirm, since update to firefox-78.2.0-2.el8_2.x86_64 all of our users get this SELinux denial when using video conference - which we do a lot right now!

```
----
type=PROCTITLE msg=audit(09/07/2020 15:58:06.648:175) : proctitle=/usr/libexec/rtkit-daemon
type=PATH msg=audit(09/07/2020 15:58:06.648:175) : item=0 name=//3947/exe inode=67224 dev=00:04 mode=link,777 ouid=unconfined-user ogid=unconfined-user rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/07/2020 15:58:06.648:175) : cwd=/
type=SYSCALL msg=audit(09/07/2020 15:58:06.648:175) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd534d57a0 a1=0x7ffd534d5910 a2=0x7f a3=0x0 items=1 ppid=1 pid=1681 auid=unset uid=rtkit gid=rtkit euid=rtkit suid=rtkit fsuid=rtkit egid=rtkit sgid=rtkit fsgid=rtkit tty=(none) ses=unset comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0 key=(null)
type=AVC msg=audit(09/07/2020 15:58:06.648:175) : avc: denied { sys_ptrace } for pid=1681 comm=rtkit-daemon capability=sys_ptrace scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
----
```

```
# rpm -qa firefox\* selinux-policy\* rtkit\* | sort
firefox-78.2.0-3.el8.x86_64
rtkit-0.11-19.el8.x86_64
selinux-policy-3.14.3-53.el8.noarch
selinux-policy-devel-3.14.3-53.el8.noarch
selinux-policy-doc-3.14.3-53.el8.noarch
selinux-policy-minimum-3.14.3-53.el8.noarch
selinux-policy-mls-3.14.3-53.el8.noarch
selinux-policy-sandbox-3.14.3-53.el8.noarch
selinux-policy-targeted-3.14.3-53.el8.noarch
#
```

As this is basically a clone of Fedora bz#1723308, switching component to selinux-policy. If you feel this needs rtkit developers' attention, feel free to switch it back. Note there was also bz#1750024 for sys_nice capability which is not in RHEL 8 either atm.

Are these coredumps related or should I open a new report?
Created attachment 1714848 [details]
20200914 coredumped-firefox.txt
Leon, I cannot assess if it is related. You can create a custom selinux policy module to allow the permission and check further.

```
# cat local_firefox_rtkit.cil
(allow rtkit_daemon_t self (cap_userns (sys_ptrace)))
# semodule -i local_firefox_rtkit.cil
```

*** Bug 1873695 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639
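As an added example (not code from this bug report or from the selinux-policy project), the Python below parses audit records like the ones posted above, ignores the non-AVC records (PROCTITLE, PATH, CWD, SYSCALL), and derives from each enforced denial the CIL allow statement that would cover it, which for the record in this bug is exactly the `local_firefox_rtkit.cil` rule from the comment. The sample records are copied from the thread; the function names are my own.

```python
import re

# Constructed sample: the audit records from this bug report, one record per line.
SAMPLE_RECORDS = [
    "type=PROCTITLE msg=audit(09/07/2020 15:58:06.648:175) : proctitle=/usr/libexec/rtkit-daemon",
    "type=AVC msg=audit(09/07/2020 15:58:06.648:175) : avc: denied { sys_ptrace } "
    "for pid=1681 comm=rtkit-daemon capability=sys_ptrace "
    "scontext=system_u:system_r:rtkit_daemon_t:s0 "
    "tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Parse one AVC record; return None for PROCTITLE/PATH/CWD/SYSCALL and other non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; only the type field enters the policy rule.
    return {
        "action": m.group("action"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": "permissive=1" in line,
    }

def cil_allow(avc):
    """CIL allow statement covering the denial; 'self' when source and target types match."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    return f"(allow {avc['stype']} {target} ({avc['tclass']} ({' '.join(avc['perms'])})))"

def denials_to_cil(lines):
    """Deduplicated CIL rules for the enforced (permissive=0) denials in an audit log."""
    rules = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["action"] == "denied" and not avc["permissive"]:
            rule = cil_allow(avc)
            if rule not in rules:
                rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in denials_to_cil(SAMPLE_RECORDS):
        print(rule)  # (allow rtkit_daemon_t self (cap_userns (sys_ptrace)))
```

A rule generated this way is the same local workaround the thread suggests for confirming that the denial is the cause; the fixed policy in selinux-policy-3.14.3-55.el8 makes it unnecessary.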