Description of problem:
This morning I updated my Fedora system. Since then I get system messages about SELinux problems.

SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t.

***** Plugin catchall (100. confidence) suggests **************************

Wenn du das glaubst rtkit-daemon sollte erlaubt sein sys_ptrace Zugriff auf cap_userns beschriftet rtkit_daemon_t standardmäßig.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-39.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.12-300.fc30.x86_64 #1 SMP Wed Jun 19 15:19:49 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-06-24 10:49:04 CEST
Last Seen                     2019-06-24 10:55:35 CEST
Local ID                      f76c9d69-05b9-4c5d-b036-b5045a296ce6

Raw Audit Messages
type=AVC msg=audit(1561366535.376:321): avc: denied { sys_ptrace } for pid=828 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport
commit 9feef6798e92a30233f9eec182d9935240771794 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jun 24 18:19:11 2019 +0200

    Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)
Description of problem:
starting firefox

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport
Description of problem:
Downloaded firefox nightly firefox-69.0a1.en-US.linux-x86_64.tar.bz2
expanded it in my download folder
launched with ./firefox

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.8-300.fc30.x86_64
type:           libreport
Description of problem:
Launched Firefox Developers. Received AVC denials notifications.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport
Description of problem:
Firefox Nightly launch

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport
FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1729647 has been marked as a duplicate of this bug. ***
Just today I received a similar message:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

This after updating yesterday from 3.14.3-43.fc30 -> 3.14.3-45.fc30 :

---> Package selinux-policy.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy.noarch 3.14.3-45.fc30 will be an upgrade
---> Package selinux-policy-targeted.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy-targeted.noarch 3.14.3-45.fc30 will be an upgrade

"SETroubleshoot Details Window" reports:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          red
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     red
Platform                      Linux red 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-09-09 09:51:48 HKT
Last Seen                     2019-09-09 09:51:48 HKT
Local ID                      e077715f-c977-4b86-8bd9-3fafb91d0b89

Raw Audit Messages
type=AVC msg=audit(1567993908.72:356): avc: denied { sys_nice } for pid=875 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice
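
Added example (not part of any comment in this thread, and not code from the selinux-policy project): the two raw AVC records quoted in this report differ only in the denied capability, sys_ptrace in the first and sys_nice in the later one. The sketch below parses both records and derives the type-enforcement rule a local policy module would have to contain for them; the function names `parse_avc` and `te_rules` are hypothetical.

```python
import re
from collections import defaultdict

# The two raw AVC records quoted in the comments above, copied verbatim.
AVC_RECORDS = [
    'type=AVC msg=audit(1561366535.376:321): avc: denied { sys_ptrace } for pid=828 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1567993908.72:356): avc: denied { sys_nice } for pid=875 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None if malformed."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": m.group("perms").split(),
            # A context is user:role:type:level; the type is the third field.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
        }
    except (KeyError, IndexError):
        return None

def te_rules(lines):
    """Merge denials per (source, target, class) into allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            grouped[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt  # same type on both sides
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in te_rules(AVC_RECORDS):
        print(rule)
```

Reading the derived rule before loading a local module shows exactly which cap_userns capabilities rtkit_daemon_t would be granted on itself.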
Per bug #1752263 this happens on F29 too. For me, this started happening today after upgrading firefox to firefox-69.0.1-3.fc29.x86_64 - https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.
(In reply to Oliver Henshaw from comment #11)
> Per bug #1752263 this happens on F29 too.
>
> For me, this started happening today after upgrading firefox to
> firefox-69.0.1-3.fc29.x86_64 -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Hi Oliver,
I observe it too and I think it would be better to have a new, F29-specific bug. I've just filed it: bz1759423
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days