Description of problem: Happened a few minutes after enabling numad for the first time, seems like perhaps an incompatibility between the default selinux setups of numad and flatpak I've already added a local policy exception, but I figured it was worth reporting. SELinux is preventing numad from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that numad should be allowed signull access on processes labeled flatpak_helper_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'numad' --raw | audit2allow -M my-numad # semodule -X 300 -i my-numad.pp Additional Information: Source Context system_u:system_r:numad_t:s0 Target Context system_u:system_r:flatpak_helper_t:s0 Target Objects Unknown [ process ] Source numad Source Path numad Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.3-46.fc30.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.2.17-200.fc30.x86_64 #1 SMP Mon Sep 23 13:42:32 UTC 2019 x86_64 x86_64 Alert Count 8 First Seen 2019-10-08 09:42:07 EDT Last Seen 2019-10-08 09:43:52 EDT Local ID 8f3d33c6-05ed-49d3-93de-cb9bbbeae140 Raw Audit Messages type=AVC msg=audit(1570542232.400:598): avc: denied { signull } for pid=13559 comm="numad" scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=process permissive=0 Hash: numad,numad_t,flatpak_helper_t,process,signull Version-Release number of selected component: selinux-policy-3.14.3-46.fc30.noarch Additional info: component: selinux-policy reporter: libreport-2.10.1 hashmarkername: setroubleshoot kernel: 5.2.17-200.fc30.x86_64 type: libreport
I actually ended up getting several more SELinux denials due to numad several minutes later: type=AVC msg=audit(1570543013.90:621): avc: denied { sys_ptrace } for pid=13559 comm="numad" capability=19 scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0 type=AVC msg=audit(1570543028.105:634): avc: denied { kill } for pid=13559 comm="numad" capability=5 scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0 type=AVC msg=audit(1570543058.151:732): avc: denied { sys_nice } for pid=13559 comm="numad" capability=23 scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0 type=AVC msg=audit(1570543058.152:733): avc: denied { sys_nice } for pid=13559 comm="numad" capability=23 scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=capability permissive=0
commit bd635ce68d153487a98e9d725a4e895346987f9f (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Patrik Koncity <pkoncity> Date: Fri Oct 11 16:41:47 2019 +0200 Update numad policy to allow signull, kill, nice and trace processes Numad is user-level daemon that provides placement advice and process management for efficient use of CPUs and memory on systems with NUMA topology Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1759561 Allow capability sys_nice set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes Allow capability sys_ptrace to trace arbitrary processes Allow capability kill to kill processes Allow macro domain_signull_all_domains() to send a null signal to all domains
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.