Bug 1723308 - SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t. [NEEDINFO]
Summary: SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_user...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5cb01176e79af3869e500df9de4...
Duplicates: 1729647
Depends On:
Blocks:
 
Reported: 2019-06-24 08:58 UTC by Marcus Husar
Modified: 2019-10-08 06:52 UTC (History)

Fixed In Version: selinux-policy-3.14.3-40.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-13 01:06:43 UTC
pv.bugzilla: needinfo? (extras-qa)



Description Marcus Husar 2019-06-24 08:58:52 UTC
Description of problem:
This morning I updated my Fedora system. Since then I get system messages about SELinux problems.
SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-39.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.12-300.fc30.x86_64 #1 SMP Wed
                              Jun 19 15:19:49 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-06-24 10:49:04 CEST
Last Seen                     2019-06-24 10:55:35 CEST
Local ID                      f76c9d69-05b9-4c5d-b036-b5045a296ce6

Raw Audit Messages
type=AVC msg=audit(1561366535.376:321): avc:  denied  { sys_ptrace } for  pid=828 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2019-06-24 16:19:26 UTC
commit 9feef6798e92a30233f9eec182d9935240771794 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Jun 24 18:19:11 2019 +0200

    Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)

Comment 2 bztdlinux 2019-06-24 23:35:34 UTC
Description of problem:
starting firefox

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Comment 3 Sam Tygier 2019-07-02 19:06:59 UTC
Description of problem:
Downloaded firefox nightly firefox-69.0a1.en-US.linux-x86_64.tar.bz2
expand it in my download folder
launched with ./firefox

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.8-300.fc30.x86_64
type:           libreport

Comment 4 Diego Marino 2019-07-06 10:24:16 UTC
Description of problem:
Launched Firefox Developers.
Received AVC denials notifications.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 5 Andreas Schöneck 2019-07-09 14:33:03 UTC
Description of problem:
Firefox Nighly launch

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 6 Fedora Update System 2019-07-10 12:46:25 UTC
FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 7 Fedora Update System 2019-07-11 00:50:27 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 8 Fedora Update System 2019-07-13 01:06:43 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Jeremy 2019-07-13 07:51:13 UTC
*** Bug 1729647 has been marked as a duplicate of this bug. ***

Comment 10 Phil V 2019-09-09 02:10:34 UTC
Just today I received a similar message: 
SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

This after updating yesterday from 3.14.3-43.fc30 -> 3.14.3-45.fc30 :
---> Package selinux-policy.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy.noarch 3.14.3-45.fc30 will be an upgrade
---> Package selinux-policy-targeted.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy-targeted.noarch 3.14.3-45.fc30 will be an upgrade



"SETroubleshoot Details Window" reports:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          red
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     red
Platform                      Linux red 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29
                              12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-09-09 09:51:48 HKT
Last Seen                     2019-09-09 09:51:48 HKT
Local ID                      e077715f-c977-4b86-8bd9-3fafb91d0b89

Raw Audit Messages
type=AVC msg=audit(1567993908.72:356): avc:  denied  { sys_nice } for  pid=875 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice
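
As an added example (not part of this bug report or of the selinux-policy project), the following Python parses the two raw AVC lines quoted in comment 0 and comment 10 and prints the type-enforcement rule that `audit2allow` would generate from them, so the scope of a local module can be reviewed before `semodule -i` loads it. The `cap_userns` class is the capability check SELinux applies when a process exercises a capability inside a non-initial user namespace; because scontext and tcontext are identical here, the rule targets `self`. The sample lines are copied from this bug; the function names are this example's own.

```python
import re

# Constructed sample input: the two raw AVC messages quoted in this bug
# (comment 0: sys_ptrace, comment 10: sys_nice).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1561366535.376:321): avc:  denied  { sys_ptrace } for  '
    'pid=828 comm="rtkit-daemon" capability=19  '
    'scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1567993908.72:356): avc:  denied  { sys_nice } for  '
    'pid=875 comm="rtkit-daemon" capability=23  '
    'scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." as written by the kernel.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*$'
)
# key=value pairs; values may be double-quoted (comm="rtkit-daemon").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC line, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        # capability number, e.g. 19 = CAP_SYS_PTRACE, 23 = CAP_SYS_NICE
        'capability': int(fields['capability']) if 'capability' in fields else None,
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
    }


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(':')[2]


def format_rule(src, target, tclass, perms):
    """Render one TE allow rule; a single permission needs no braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {src} {target}:{tclass} {body};'


def to_allow_rule(avc):
    """Allow rule for one denial; same source and target type becomes 'self'."""
    src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
    return format_rule(src, 'self' if src == tgt else tgt, avc['tclass'], avc['perms'])


def merge_rules(lines):
    """Collapse many denials into one rule per (source, target, class),
    the way audit2allow merges permissions, ignoring non-AVC and granted lines."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
        key = (src, 'self' if src == tgt else tgt, avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    return [format_rule(*key, perms) for key, perms in sorted(merged.items())]


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        avc = parse_avc(line)
        print(f"{avc['comm']} pid={avc['pid']} cap={avc['capability']}: {to_allow_rule(avc)}")
    print('merged:', *merge_rules(SAMPLE_AVCS))
```

Running the merged output against the live audit log (`ausearch -m AVC --raw`) instead of the embedded sample shows exactly which permissions a `my-rtkitdaemon` module would grant; anything beyond the `self:cap_userns` rule the upstream fix in selinux-policy-3.14.3-40.fc30 added is a reason to look further rather than load the module.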

Comment 11 Oliver Henshaw 2019-10-06 13:03:07 UTC
Per bug #1752263 this happens on F29 too.

For me, this started happening today after upgrading firefox to firefox-69.0.1-3.fc29.x86_64 - 
https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Comment 12 Václav Kadlčík 2019-10-08 06:52:35 UTC
(In reply to Oliver Henshaw from comment #11)
> Per bug #1752263 this happens on F29 too.
> 
> For me, this started happening today after upgrading firefox to
> firefox-69.0.1-3.fc29.x86_64 - 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Hi Oliver, I observe it too and I think it would be better to have
a new, F29-specific bug. I've just filed it: bz1759423

