Bug 1723308 - SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t.
Summary: SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_user...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5cb01176e79af3869e500df9de4...
Duplicates: 1729647
Depends On:
Blocks:
 
Reported: 2019-06-24 08:58 UTC by Marcus Husar
Modified: 2023-09-14 05:30 UTC
CC: 17 users

Fixed In Version: selinux-policy-3.14.3-40.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-13 01:06:43 UTC
Type: ---
Embargoed:



Description Marcus Husar 2019-06-24 08:58:52 UTC
Description of problem:
This morning I updated my Fedora system. Since then I get system messages about SELinux problems.
SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-39.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.12-300.fc30.x86_64 #1 SMP Wed
                              Jun 19 15:19:49 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-06-24 10:49:04 CEST
Last Seen                     2019-06-24 10:55:35 CEST
Local ID                      f76c9d69-05b9-4c5d-b036-b5045a296ce6

Raw Audit Messages
type=AVC msg=audit(1561366535.376:321): avc:  denied  { sys_ptrace } for  pid=828 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2019-06-24 16:19:26 UTC
commit 9feef6798e92a30233f9eec182d9935240771794 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jun 24 18:19:11 2019 +0200

    Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)

Comment 2 bztdlinux 2019-06-24 23:35:34 UTC
Description of problem:
starting firefox

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Comment 3 Sam Tygier 2019-07-02 19:06:59 UTC
Description of problem:
Downloaded firefox nightly firefox-69.0a1.en-US.linux-x86_64.tar.bz2
expand it in my download folder
launched with ./firefox

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.8-300.fc30.x86_64
type:           libreport

Comment 4 Diego Marino 2019-07-06 10:24:16 UTC
Description of problem:
Launched Firefox Developers.
Received AVC denials notifications.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 5 Andreas Schöneck 2019-07-09 14:33:03 UTC
Description of problem:
Firefox Nightly launch

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 6 Fedora Update System 2019-07-10 12:46:25 UTC
FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 7 Fedora Update System 2019-07-11 00:50:27 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 8 Fedora Update System 2019-07-13 01:06:43 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Jeremy 2019-07-13 07:51:13 UTC
*** Bug 1729647 has been marked as a duplicate of this bug. ***

Comment 10 Phil V 2019-09-09 02:10:34 UTC
Just today I received a similar message: 
SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

This after updating yesterday from 3.14.3-43.fc30 -> 3.14.3-45.fc30 :
---> Package selinux-policy.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy.noarch 3.14.3-45.fc30 will be an upgrade
---> Package selinux-policy-targeted.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy-targeted.noarch 3.14.3-45.fc30 will be an upgrade
"SETroubleshoot Details Window" reports:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          red
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     red
Platform                      Linux red 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29
                              12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-09-09 09:51:48 HKT
Last Seen                     2019-09-09 09:51:48 HKT
Local ID                      e077715f-c977-4b86-8bd9-3fafb91d0b89

Raw Audit Messages
type=AVC msg=audit(1567993908.72:356): avc:  denied  { sys_nice } for  pid=875 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice
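
What the suggested workaround in comment 0 and comment 10 (`ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon`) actually turns into, as an added example that is not part of this bug report, of the Fedora policy, or of rtkit: the script below parses raw AVC records the way audit2allow does, groups denied permissions by source type, target and class, emits the equivalent `.te` source, and runs a small review pass before anything gets installed. The sample input is constructed: the first two records are the two AVC lines quoted in this bug, the third (types `example_t`/`etc_t`) is made up to show that filtering by `comm=` drops unrelated denials. The `cap_userns` class is the one the kernel's SELinux hook uses when a capability check is evaluated against a user namespace other than the initial one, which is why these denials show up when Firefox, whose content processes run inside user namespaces, talks to rtkit-daemon; a rule on `cap_userns` is therefore narrower than the same permission on `capability`, and the review pass warns when a generated rule lands on the broader class.

```python
import re
from collections import defaultdict

# Constructed sample input. Lines 1-2 are the raw AVC records quoted in this bug
# (comment 0: sys_ptrace, comment 10: sys_nice). Line 3 is invented (types
# example_t / etc_t do not come from the bug) to exercise comm= filtering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1561366535.376:321): avc:  denied  { sys_ptrace } for  pid=828 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1567993908.72:356): avc:  denied  { sys_nice } for  pid=875 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1567993910.00:357): avc:  denied  { read } for  pid=900 comm="example" name="x" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Core fields of an AVC record: verdict, permission set, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    c = COMM_RE.search(line)
    rec["comm"] = c.group(1) if c else None
    return rec


def type_of(ctx):
    # A context is user:role:type[:range]; the type is what policy rules name.
    return ctx.split(":")[2]


def generate_rules(audit_text, comm=None):
    """Collapse denied AVCs into {(source_type, target, tclass): [perms]}.

    This is the grouping audit2allow performs; the target becomes 'self' when
    source and target share a type, as every capability / cap_userns denial does.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if comm is not None and rec["comm"] != comm:  # mirrors `ausearch -c`
            continue
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        target = "self" if src == tgt else tgt
        rules[(src, target, rec["tclass"])] |= rec["perms"]
    return {k: sorted(v) for k, v in rules.items()}


def render_te(rules, module="my-rtkitdaemon", version="1.0"):
    """Emit .te source equivalent to what `audit2allow -M <module>` writes."""
    types = sorted({t for (s, tg, _c) in rules for t in (s, tg) if t != "self"})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return "\n".join(out) + "\n"


def review(rules):
    """Flag generated rules that are broader than a user-namespace denial warrants."""
    findings = []
    for (src, tgt, cls), perms in rules.items():
        if cls == "capability":
            # `capability` is checked in the initial user namespace; `cap_userns`
            # only inside a non-initial one (e.g. a browser sandbox).
            findings.append(f"{src}: {cls} {{ {' '.join(perms)} }} applies in the "
                            "initial user namespace, not only inside a sandbox; confirm intent")
        elif cls in ("capability", "cap_userns") and tgt != "self":
            findings.append(f"{src}: {cls} rule should target self, got {tgt} (parse error?)")
    return findings


if __name__ == "__main__":
    rules = generate_rules(SAMPLE_AUDIT, comm="rtkit-daemon")
    print(render_te(rules), end="")
    for finding in review(rules):
        print("WARNING:", finding)
```

Feed it a real `ausearch -c 'rtkit-daemon' --raw` capture instead of the sample and the resulting `.te` is what `audit2allow -M my-rtkitdaemon` would compile; `semodule -X 300 -i my-rtkitdaemon.pp` installs it at priority 300, above the distribution policy at priority 100, so the local rule wins. Once the fixed selinux-policy (3.14.3-40.fc30 per comment 8) is installed the local module is redundant and should be dropped with `semodule -X 300 -r my-rtkitdaemon`, so that a hand-made allow rule does not outlive the bug it papered over.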

Comment 11 Oliver Henshaw 2019-10-06 13:03:07 UTC
Per bug #1752263 this happens on F29 too.

For me, this started happening today after upgrading firefox to firefox-69.0.1-3.fc29.x86_64 - 
https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Comment 12 Václav Kadlčík 2019-10-08 06:52:35 UTC
(In reply to Oliver Henshaw from comment #11)
> Per bug #1752263 this happens on F29 too.
> 
> For me, this started happening today after upgrading firefox to
> firefox-69.0.1-3.fc29.x86_64 - 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Hi Oliver, I observe it too and I think it would be better to have
a new, F29-specific bug. I've just filed it: bz1759423

Comment 13 Red Hat Bugzilla 2023-09-14 05:30:46 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

