Bug 524026

Summary: setroubleshoot: SELinux is preventing rtkit-daemon "getcap" access.
Product: [Fedora] Fedora Reporter: David <idht4n>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e7482cdab26d42cac292fed29bd1c2c78611b700147d9d02e34ac755f918fcd4
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-17 20:00:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description David 2009-09-17 16:18:29 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing rtkit-daemon "getcap" access.

Detailed Description:

SELinux denied access requested by rtkit-daemon. It is not expected that this
access is required by rtkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-23.fc12.i686.PAE #1 SMP Wed Sep 16 15:53:47
                              EDT 2009 i686 i686
Alert Count                   1
First Seen                    Thu 17 Sep 2009 09:17:00 AM PDT
Last Seen                     Thu 17 Sep 2009 09:17:00 AM PDT
Local ID                      f26b17a2-12dc-4e49-a31c-b656f0e80b58
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253204220.126:47): avc:  denied  { getcap } for  pid=1519 comm="rtkit-daemon" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process

audit2allow suggests:

#============= initrc_t ==============
allow initrc_t self:process getcap;

Comment 1 Daniel Walsh 2009-09-17 20:00:32 UTC
You seem to be having a labeling problem on the rtkit-daemon

restorecon -R -v /usr/libexec

Comment 2 Daniel Walsh 2009-09-17 20:01:01 UTC
*** Bug 524027 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2009-09-17 20:01:14 UTC
*** Bug 524028 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2009-09-17 20:01:28 UTC
*** Bug 524029 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2009-09-17 20:01:41 UTC
*** Bug 524030 has been marked as a duplicate of this bug. ***

Comment 6 David 2009-09-17 20:16:04 UTC
I've had a few selinux reports closed as not a bug.  My naive understanding of selinux errors is that they are always bugs unless a user has done something bad to screw up labelling.  As far as I know, I've done no such things.  I installed f12 alpha and updated it periodically.  The only things I've done as root have been to copy a few individual files (ldap.conf, auto.master) from my f11 partition, yum installs, yum updates, and restarting autofs.  I am running as a normal local user that was created from scratch after the alpha install, so I don't have any f11 user configuration baggage hanging around.  If you want me to stop filing reports, let me know.  I usually disable selinux when the official release comes out anyway... in the mean time, I'm just trying to be a good citizen.

Comment 7 Daniel Walsh 2009-09-17 21:02:58 UTC
Right but if the labeling gets messed up, probably do to rawhide failures, there is nothing I can do to fix the labeling.

In this case did you check the labeling on this file?  

During rawhide, selinux got broken by dracut and some labeling got messed up. This could have been the problem.  Also if you are going to report the bugs, and you find a bunch that look the same, please do not keep pushing the report the bug button.  I know this is difficult, but some times I get hundreds of bugs all to do with the same labeling issue.

Comment 8 David 2009-09-17 21:25:44 UTC
(In reply to comment #7)
> Right but if the labeling gets messed up, probably do to rawhide failures,
> there is nothing I can do to fix the labeling.
> In this case did you check the labeling on this file?  
Honestly, I'm not up to speed on selinux and labeling.
I was just told to report all errors I see by somebody
on the test mailing list, so I have been.  If something
like dracut can screw up labelling, it seems that there
should be a mechanism for a future yum update to fix it.
I guess the danger is that automated fixing of labels will
mask real security problems?  But I'm not sure that's any
different from what I do now which is to blindly run commands
to fix labels when bugzilla tells me to.  I'll try to fix
my labelling and filter out similar looking reports... I
had assumed that sealert was smart enough to add to an existing
report when there was only one small change between reports.

Comment 9 Daniel Walsh 2009-09-17 21:31:50 UTC
Well we are working on it.

dracut/selinux lots of bugs happen in Rawhide and some never get cleaned up without user intervention.  That is what makes Rawhide fun.  :^)

fixfiles restore 
and reboot
should clean everything up.

yum -y upgrade
tomorrow, because todays selinux-policy is broken.