This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1480121 - SELinux is preventing userdel from sys_ptrace access on the cap_userns Unknown.
SELinux is preventing userdel from sys_ptrace access on the cap_userns Unknown.
Status: POST
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2017-08-10 04:47 EDT by Paweł
Modified: 2017-08-31 10:47 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Paweł 2017-08-10 04:47:41 EDT
Description of problem:
After deleting user via GUI in System Settings, this thing popped up. Details below.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
SELinux is preventing userdel from sys_ptrace access on the cap_userns Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If aby userdel powinno mieć domyślnie sys_ptrace dostęp do Unknown cap_userns.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
allow this access for now by executing:
# ausearch -c 'userdel' --raw | audit2allow -M my-userdel
# semodule -X 300 -i my-userdel.pp

Additional Information:
Source Context                system_u:system_r:useradd_t:s0
Target Context                system_u:system_r:useradd_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        userdel
Source Path                   userdel
Port                          <Nieznane>
Host                          e320pw
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.19.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     e320pw
Platform                      Linux e320pw 4.11.12-200.fc25.x86_64 #1 SMP Fri
                              Jul 21 16:41:43 UTC 2017 x86_64 x86_64
Alert Count                   26
First Seen                    2017-08-10 10:46:02 CEST
Last Seen                     2017-08-10 10:46:02 CEST
Local ID                      c7e54b55-f563-46c1-8ee8-95998a024cc4

Raw Audit Messages
type=AVC msg=audit(1502354762.592:302): avc:  denied  { sys_ptrace } for  pid=6816 comm="userdel" capability=19  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=cap_userns permissive=0

Hash: userdel,useradd_t,useradd_t,cap_userns,sys_ptrace
Comment 1 Daniel Walsh 2017-08-14 09:40:13 EDT
Should be dontaudited.
Comment 2 Paweł 2017-08-30 09:41:47 EDT
Hi Daniel, I'm not familiar with SELinux. Is that (dontaudit) something I should do on my system, or is that something to fix in SELinux code?

Note You need to log in before you can comment on or make changes to this bug.