Bug 2166509
Summary: | SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 37 | CC: | agurenko, dwalsh, lvrabec, mmalik, nberrehouc, omosnacek, pkoncity, vmojzis, zbyszek, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:28e9f5c7b8f7461924d6cc7a7a60f82191caec142c8596bcfe2b18c208b88847;VARIANT_ID=kde; | ||
Fixed In Version: | selinux-policy-37.19-1.fc37 | Doc Type: | If docs needed, set a value |
Last Closed: | 2023-02-05 01:46:38 UTC | Type: | --- |
Description
Matt Fagnani
2023-02-02 03:40:34 UTC
I searched for systemd-userdbd in the systemd-stable repository and found a commit "units: allow systemd-userdbd to change process name" which makes the following change adding the CAP_SYS_RESOURCE capability to the systemd-userdbd.service file https://github.com/systemd/systemd-stable/commit/9357d2342981a8b4fcfa2d170b7749c27d364fdd

- CapabilityBoundingSet=CAP_DAC_READ_SEARCH + CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE

That change might be where these denials are coming from.

Correct, and it's already in rawhide, so backporting.

Oh, great. I was about to do a build with the revert, but I'll wait for the selinux-policy update instead. Please add it to the bodhi update so they go out together.

FEDORA-2023-7bf3639a5d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

Similar problem has been detected:

Since last upgrade

    # dnf history info 824
    Identifiant de transaction : 824
    Temps de début : ven. 03 févr. 2023 05:41:11
    Début de RPMDB : 709e8388798c21330990c7d8f5b9166291777fd5b29bb9538896062e66b81716
    Temps de fin : ven. 03 févr. 2023 05:41:32 (21 secondes)
    Fin de RPMDB : 12ba79557295978e554e669238e3dc64938ba1ee8e12de5b4a17a55d59ca760e
    Utilisateur : Nicosss <nicosss>
    Code de retour : Réussi
    Version : 37
    Ligne de commande : upgrade --refresh --enablerepo=*testing
    Commentaire :
    Paquets modifiés :
        Upgrade  cifs-utils-7.0-1.fc37.x86_64 @updates-testing
        Upgraded cifs-utils-6.15-2.fc37.x86_64 @@System
        Upgrade  cifs-utils-info-7.0-1.fc37.x86_64 @updates-testing
        Upgraded cifs-utils-info-6.15-2.fc37.x86_64 @@System
        Upgrade  gnome-shell-43.2-2.fc37.x86_64 @updates-testing
        Upgraded gnome-shell-43.2-1.fc37.x86_64 @@System
        Upgrade  libhandy-1.8.1-1.fc37.x86_64 @updates-testing
        Upgraded libhandy-1.8.0-1.fc37.x86_64 @@System
        Upgrade  libpwquality-1.4.5-3.fc37.x86_64 @updates-testing
        Upgraded libpwquality-1.4.5-1.fc37.x86_64 @@System
        Upgrade  llvm11-libs-11.1.0-10.fc37.x86_64 @updates-testing
        Upgraded llvm11-libs-11.1.0-6.fc35.x86_64 @@System
        Upgrade  mutter-43.2-2.fc37.x86_64 @updates-testing
        Upgraded mutter-43.2-1.fc37.x86_64 @@System
        Upgrade  perl-HTML-Parser-3.81-1.fc37.x86_64 @updates-testing
        Upgraded perl-HTML-Parser-3.80-1.fc37.x86_64 @@System
        Upgrade  python3-pwquality-1.4.5-3.fc37.x86_64 @updates-testing
        Upgraded python3-pwquality-1.4.5-1.fc37.x86_64 @@System
        Upgrade  systemd-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-container-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-container-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-libs-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-libs-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-networkd-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-networkd-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-oomd-defaults-251.11-1.fc37.noarch @updates-testing
        Upgraded systemd-oomd-defaults-251.10-588.fc37.noarch @@System
        Upgrade  systemd-pam-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-pam-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-resolved-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-resolved-251.10-588.fc37.x86_64 @@System
        Upgrade  systemd-rpm-macros-251.11-1.fc37.noarch @updates-testing
        Upgraded systemd-rpm-macros-251.10-588.fc37.noarch @@System
        Upgrade  systemd-udev-251.11-1.fc37.x86_64 @updates-testing
        Upgraded systemd-udev-251.10-588.fc37.x86_64 @@System
        Upgrade  thunderbird-102.7.1-2.fc37.x86_64 @updates-testing
        Upgraded thunderbird-102.6.0-2.fc37.x86_64 @@System
        Upgrade  thunderbird-librnp-rnp-102.7.1-2.fc37.x86_64 @updates-testing
        Upgraded thunderbird-librnp-rnp-102.6.0-2.fc37.x86_64 @@System
        Upgrade  thunderbird-wayland-102.7.1-2.fc37.x86_64 @updates-testing
        Upgraded thunderbird-wayland-102.6.0-2.fc37.x86_64 @@System
        Upgrade  tpm2-tss-3.2.2-1.fc37.x86_64 @updates-testing
        Upgraded tpm2-tss-3.2.1-1.fc37.x86_64 @@System

    hashmarkername: setroubleshoot
    kernel: 6.1.9-200.fc37.x86_64
    package: selinux-policy-targeted-37.18-1.fc37.noarch
    reason: SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.
    type: libreport

(In reply to Nicolas Berrehouc from comment #5)

Sorry, there are no more alerts after applying the new F37 version of selinux-policy.

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-7bf3639a5d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
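
Review bot: the added `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE` line in the systemd-userdbd.service hunk quoted in the first comment has no accompanying comment saying why CAP_SYS_RESOURCE is needed; the only rationale visible here is the commit title (changing the process name). Suggest a one-line comment next to the setting in the unit file, and shipping the unit change together with the matching selinux-policy rule, since the denial in this bug ("SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities") was reported on a system that had systemd-251.11-1.fc37 installed alongside selinux-policy-targeted-37.18-1.fc37.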