Bug 1750024 - SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns labeled rtkit_daemon_t.
Summary: SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1e75e452328e59ff3766c22f147...
Duplicates: 1752263 1752583 1754408 1755572 1756755 1758097
Depends On:
Blocks:
 
Reported: 2019-09-07 13:41 UTC by Nicolas Semrau
Modified: 2019-10-04 09:06 UTC (History)
CC: 34 users

Fixed In Version: selinux-policy-3.14.3-46.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-30 07:39:12 UTC
Type: ---
Embargoed:



Description Nicolas Semrau 2019-09-07 13:41:42 UTC
Description of problem:
(I installed Fedora 30 via a MATE spin, it is completely updated to 2019-09-06, 11:00 PM, CEST)
 
1. Sent a MATE session to sleep via System -> Shut down... -> Suspend
2. Woke the system up 2 hours later
3. Problem appeared for the first time
SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu
                              Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   16
First Seen                    2019-09-07 15:29:56 CEST
Last Seen                     2019-09-07 15:29:56 CEST
Local ID                      d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

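As an added example (not code from the report or from the selinux-policy project), the following Python parser pulls AVC records out of audit text such as the one quoted above, keeps only the denials, and prints the type-enforcement allow rule the suggested audit2allow step would emit for each. The first sample line is the record from this report; the second and third lines are constructed to show an unrelated multi-permission denial and a non-AVC record being skipped.

```python
import re
from dataclasses import dataclass

# Constructed sample audit text: line 1 is the AVC record from this bug report,
# line 2 is a made-up file denial logged in permissive mode, line 3 is not an AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1567862996.700:273): avc:  denied  { read write } for  pid=1234 comm="example" path="/tmp/x" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1567862996.800:274): pid=1 uid=0 msg='unit=foo res=success'
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str
    perms: tuple
    fields: dict

    def type_of(self, ctx_key):
        # A security context is user:role:type[:range]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

    def allow_rule(self):
        # TE rule that would permit this denial. audit2allow writes the target
        # as `self` when source and target types coincide, as in this report.
        src, tgt = self.type_of("scontext"), self.type_of("tcontext")
        tgt = "self" if src == tgt else tgt
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {src} {tgt}:{self.fields['tclass']} {perms};"


def parse_avc(line):
    """Return an AvcRecord for a type=AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(m.group("decision"), perms, fields)


def denials(log_text):
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None and r.decision == "denied"]


def enforced_denials(log_text):
    # permissive=0 means the kernel actually refused the operation;
    # permissive=1 records would only have been logged, not blocked.
    return [r for r in denials(log_text) if r.fields.get("permissive") == "0"]


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT_LOG):
        print(rec.fields["comm"], rec.fields["tclass"], rec.perms, "->", rec.allow_rule())
```

The permissive flag is the field worth checking first when triaging a report like this one: here it is 0, so rtkit-daemon's nice-level reset really was refused, which matches the "Operation not permitted" warnings seen later in the thread.
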
Comment 1 Nicolas Semrau 2019-09-08 07:21:13 UTC
A similar thing appeared today after logging into MATE from a cold boot-up:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu
                              Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   16
First Seen                    2019-09-07 15:29:56 CEST
Last Seen                     2019-09-07 15:29:56 CEST
Local ID                      d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Comment 2 Lukas Vrabec 2019-09-09 08:28:17 UTC
commit 861c699b2748f3dc373cf69177a5f7a716c074f2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Sep 9 10:21:51 2019 +0200

    Allow rtkit_daemon_t domain set process nice value in user namespaces
    BZ(1750024)

Comment 3 Ed Beroset 2019-09-13 11:46:11 UTC
Description of problem:
I'm not certain what triggered this.  On my machine, two different packages are installed that require rtkit:

# rpm -q --whatrequires rtkit
pipewire-0.2.6-3.fc30.x86_64
pulseaudio-12.2-9.fc30.x86_64

It seems logical to me that rtkit would want to access sys_nice.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

Comment 4 Jonathan Haas 2019-09-13 17:42:55 UTC
Description of problem:
Happened randomly after opening laptop lid

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.20-300.fc30.x86_64
type:           libreport

Comment 5 Alex. H. F. 2019-09-14 12:02:11 UTC
Description of problem:
Just after booting with Xorg display (instead of Wayland).

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 6 Lukas Vrabec 2019-09-16 08:10:46 UTC
*** Bug 1752263 has been marked as a duplicate of this bug. ***

Comment 7 fred 2019-09-16 15:15:11 UTC
Description of problem:
Waking the PC from the suspended state

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 8 Philipp Raich 2019-09-16 18:18:25 UTC
Description of problem:
Wake up from sleep (open lid)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 9 Christian Kujau 2019-09-17 05:54:58 UTC
Description of problem:
Happens during suspend, which appears to fail and the laptop wakes up again, with that SELinux alert.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 10 Lukas Vrabec 2019-09-17 07:11:01 UTC
*** Bug 1752583 has been marked as a duplicate of this bug. ***

Comment 11 Dima 2019-09-18 17:23:48 UTC
Description of problem:
install virtualbox6.0.12 r133076 (Qt5.6.1)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.14-200.fc30.x86_64
type:           libreport

Comment 12 Peter Greenwood 2019-09-21 11:52:27 UTC
Description of problem:
Brought the laptop out of suspend; here is an extract of /var/log/messages:

Sep 20 23:27:07 slide kernel: usb 1-7: reset full-speed USB device number 4 using xhci_hcd
Sep 20 23:27:07 slide kernel: ath10k_pci 0000:02:00.0: unsupported HTC service id: 1536
Sep 20 23:27:07 slide kernel: PM: resume devices took 2.338 seconds
Sep 20 23:27:07 slide kernel: OOM killer enabled.
Sep 20 23:27:08 slide kernel: Restarting tasks ... done.
Sep 20 23:27:08 slide kernel: PM: suspend exit
Sep 20 23:27:08 slide kernel: ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
Sep 20 23:27:08 slide kernel: ata1.00: configured for UDMA/133
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000300.bin
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: QCA: patch rome 0x300 build 0x3e8, firmware rome 0x300 build 0x111
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using NVM file: qca/nvm_usb_00000300.bin
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide systemd-logind[970]: Lid opened.
Sep 20 23:27:08 slide rtkit-daemon[884]: The canary thread is apparently starving. Taking action.
Sep 20 23:27:09 slide systemd[1]: Starting Load/Save RF Kill Switch Status...
Sep 20 23:27:09 slide rtkit-daemon[884]: Demoting known real-time threads.
Sep 20 23:27:09 slide systemd-sleep[12199]: System resumed.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31885: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: systemd-suspend.service: Succeeded.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31884: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Started Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28389: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Sleep.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28388: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Reached target Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28205: Operation not permitted
Sep 20 23:27:09 slide systemd-logind[970]: Operation 'sleep' finished.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28204: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Suspend.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28127: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2321] bluez5: NAP: removed interface 64:6E:69:D5:DD:FE
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28128: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2323] manager: sleep: wake requested (sleeping: yes  enabled: yes)
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20125: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2325] device (wlp2s0): state change: activated -> unmanaged (reason 'sleeping', sys-iface-state: 'managed')
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20124: Operation not permitted
Sep 20 23:27:10 slide kernel: Generic Realtek PHY r8169-100:00: attached PHY driver [Generic Realtek PHY] (mii_bus:phy_addr=r8169-100:00, irq=IGNORE)
Sep 20 23:27:10 slide kernel: r8169 0000:01:00.0 enp1s0: Link is Down
Sep 20 23:27:10 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:10 slide systemd[1]: Stopped target Bluetooth.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19880: Operation not permitted
Sep 20 23:27:10 slide sssd[kcm][2734]: Shutting down
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19881: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.6013] dhcp4 (wlp2s0): canceled DHCP transaction, DHCP client pid 2754
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 30070: Operation not permitted

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

Comment 13 sgupta.ee17 2019-09-23 07:56:39 UTC
*** Bug 1754408 has been marked as a duplicate of this bug. ***

Comment 14 Alejandro Duran 2019-09-25 00:19:27 UTC
Description of problem:
Yesterday I updated my Fedora 30 laptop; today it showed me that message at login on my laptop

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.15-200.fc30.x86_64
type:           libreport

Comment 15 sgupta.ee17 2019-09-25 17:48:48 UTC
*** Bug 1755572 has been marked as a duplicate of this bug. ***

Comment 16 Nicolas Semrau 2019-09-27 17:06:21 UTC
OP here. After updating from 3.14.3-45.fc30 to selinux-policy 3.14.3-46.fc30 the error-message applet stopped appearing in the notification area. I am unsure if this can be marked as solved and closed.

Comment 17 Tomas 2019-09-29 17:48:56 UTC
*** Bug 1756755 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Vrabec 2019-09-30 07:39:12 UTC
Thanks for testing. 

selinux-policy-3.14.3-46.fc30 is already part of Fedora 30 repositories, closing as CURRENTRELEASE.

Thanks,
Lukas.

Comment 19 Lukas Vrabec 2019-10-04 09:06:40 UTC
*** Bug 1758097 has been marked as a duplicate of this bug. ***

