Description of problem:
(I installed Fedora 30 via a MATE spin, it is completely updated to 2019-09-06, 11:00 PM, CEST)

1. Sent a MATE session to sleep via System -> Shut down... -> Suspend
2. Woke the system up 2 hours later
3. Problem appeared for the first time

SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns labeled rtkit_daemon_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context        system_u:system_r:rtkit_daemon_t:s0
Target Context        system_u:system_r:rtkit_daemon_t:s0
Target Objects        Unknown [ cap_userns ]
Source                rtkit-daemon
Source Path           rtkit-daemon
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count           16
First Seen            2019-09-07 15:29:56 CEST
Last Seen             2019-09-07 15:29:56 CEST
Local ID              d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc: denied { sys_nice } for pid=805 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

A similar thing appeared today after logging into MATE from a cold boot-up:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context        system_u:system_r:rtkit_daemon_t:s0
Target Context        system_u:system_r:rtkit_daemon_t:s0
Target Objects        Unknown [ cap_userns ]
Source                rtkit-daemon
Source Path           rtkit-daemon
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count           16
First Seen            2019-09-07 15:29:56 CEST
Last Seen             2019-09-07 15:29:56 CEST
Local ID              d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc: denied { sys_nice } for pid=805 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

commit 861c699b2748f3dc373cf69177a5f7a716c074f2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Sep 9 10:21:51 2019 +0200

    Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)

Description of problem:
I'm not certain what triggered this. On my machine, two different packages are installed that require rtkit:

# rpm -q --whatrequires rtkit
pipewire-0.2.6-3.fc30.x86_64
pulseaudio-12.2-9.fc30.x86_64

It seems logical to me that rtkit would want to access sys_nice.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

Description of problem:
Happened randomly after opening laptop lid

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.20-300.fc30.x86_64
type:           libreport

Description of problem:
Just after booting with Xorg display (instead of Wayland).

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

*** Bug 1752263 has been marked as a duplicate of this bug. ***
Description of problem:
Waking the PC from the suspended state

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Description of problem:
Wake up from sleep (open lid)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Description of problem:
Happens during suspend, which appears to fail and the laptop wakes up again, with that SELinux alert.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

*** Bug 1752583 has been marked as a duplicate of this bug. ***
Description of problem:
install virtualbox6.0.12 r133076 (Qt5.6.1)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.14-200.fc30.x86_64
type:           libreport

Description of problem:
Brought the laptop out of suspend; here is an extract of /var/log/messages:

Sep 20 23:27:07 slide kernel: usb 1-7: reset full-speed USB device number 4 using xhci_hcd
Sep 20 23:27:07 slide kernel: ath10k_pci 0000:02:00.0: unsupported HTC service id: 1536
Sep 20 23:27:07 slide kernel: PM: resume devices took 2.338 seconds
Sep 20 23:27:07 slide kernel: OOM killer enabled.
Sep 20 23:27:08 slide kernel: Restarting tasks ... done.
Sep 20 23:27:08 slide kernel: PM: suspend exit
Sep 20 23:27:08 slide kernel: ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
Sep 20 23:27:08 slide kernel: ata1.00: configured for UDMA/133
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000300.bin
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: QCA: patch rome 0x300 build 0x3e8, firmware rome 0x300 build 0x111
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using NVM file: qca/nvm_usb_00000300.bin
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide systemd-logind[970]: Lid opened.
Sep 20 23:27:08 slide rtkit-daemon[884]: The canary thread is apparently starving. Taking action.
Sep 20 23:27:09 slide systemd[1]: Starting Load/Save RF Kill Switch Status...
Sep 20 23:27:09 slide rtkit-daemon[884]: Demoting known real-time threads.
Sep 20 23:27:09 slide systemd-sleep[12199]: System resumed.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31885: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: systemd-suspend.service: Succeeded.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31884: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Started Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28389: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Sleep.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28388: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Reached target Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28205: Operation not permitted
Sep 20 23:27:09 slide systemd-logind[970]: Operation 'sleep' finished.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28204: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Suspend.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28127: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info> [1569018426.2321] bluez5: NAP: removed interface 64:6E:69:D5:DD:FE
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28128: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info> [1569018426.2323] manager: sleep: wake requested (sleeping: yes enabled: yes)
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20125: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info> [1569018426.2325] device (wlp2s0): state change: activated -> unmanaged (reason 'sleeping', sys-iface-state: 'managed')
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20124: Operation not permitted
Sep 20 23:27:10 slide kernel: Generic Realtek PHY r8169-100:00: attached PHY driver [Generic Realtek PHY] (mii_bus:phy_addr=r8169-100:00, irq=IGNORE)
Sep 20 23:27:10 slide kernel: r8169 0000:01:00.0 enp1s0: Link is Down
Sep 20 23:27:10 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:10 slide systemd[1]: Stopped target Bluetooth.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19880: Operation not permitted
Sep 20 23:27:10 slide sssd[kcm][2734]: Shutting down
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19881: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info> [1569018426.6013] dhcp4 (wlp2s0): canceled DHCP transaction, DHCP client pid 2754
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 30070: Operation not permitted

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

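Added example, not part of any comment in this report and not selinux-policy or audit2allow code: a minimal Python sketch that groups the repeated AVC records from an extract like the one above and renders each distinct denial as the allow rule a reviewer would assess before loading a local module with semodule. SAMPLE_LOG is constructed from lines quoted in this report, the function names are hypothetical, and the rule text is derived from the denial fields, not taken from the fix commit.

```python
import re
from collections import Counter

# Constructed sample in the shape of the records quoted in this report:
# two syslog-style AVC lines, one raw audit record, one unrelated daemon warning.
SAMPLE_LOG = '''\
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc: denied { sys_nice } for pid=884 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1567862996.619:272): avc: denied { sys_nice } for pid=805 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31885: Operation not permitted
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess the missing parts
    fields["perms"] = m.group(1).split()
    return fields


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            # The type is the third field of a user:role:type:level context.
            src, tgt = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
            for perm in rec["perms"]:
                counts[(src, tgt, rec["tclass"], perm)] += 1
    return counts


def candidate_rules(log_text):
    """Render each distinct denial as an allow rule for review."""
    return [f"allow {s} {'self' if s == t else t}:{c} {p};"
            for s, t, c, p in sorted(summarize(log_text))]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The class in the rendered rule is cap_userns rather than capability, which is the class SELinux checks when a capability is exercised against a non-init user namespace.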
*** Bug 1754408 has been marked as a duplicate of this bug. ***
Description of problem:
Yesterday I updated my Fedora 30 laptop; today it showed me that message at login on my laptop.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.15-200.fc30.x86_64
type:           libreport

*** Bug 1755572 has been marked as a duplicate of this bug. ***
OP here. After updating from 3.14.3-45.fc30 to selinux-policy 3.14.3-46.fc30, the error-message applet stopped appearing in the notification area. I am unsure if this can be marked as solved and closed.
*** Bug 1756755 has been marked as a duplicate of this bug. ***
Thanks for testing. selinux-policy-3.14.3-46.fc30 is already part of Fedora 30 repositories, closing as CURRENTRELEASE. Thanks, Lukas.
*** Bug 1758097 has been marked as a duplicate of this bug. ***