Description of problem:
happens when I start virtual machine or build package in mock

SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that accounts-daemon should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.5-20.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.5.0-0.rc7.git0.2.fc32.x86_64 #1 SMP Mon Jan 20 22:22:45 +05 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-25 23:50:37 +05
Last Seen                     2020-01-25 23:50:37 +05
Local ID                      1e630b67-6a5a-467c-8db5-a8d0d37ce9af

Raw Audit Messages
type=AVC msg=audit(1579978237.369:96): avc: denied { sys_nice } for pid=1249 comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,sys_nice

Version-Release number of selected component:
selinux-policy-3.14.5-20.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.5.0-0.rc7.git0.2.fc32.x86_64
type:           libreport
Hi,
Thank you for reporting the issue. I've sent a PR to address it: https://github.com/fedora-selinux/selinux-policy-contrib/pull/189
Is this operation expected?
I can also see another AVC for capability:

type=AVC msg=audit(01/30/2020 17:47:34.676:85) : avc:  denied  { setsched } for  pid=1137 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1

Full output in enforcing and permissive mode:

type=PROCTITLE msg=audit(01/30/2020 17:43:58.310:129) : proctitle=/usr/libexec/accounts-daemon
type=SYSCALL msg=audit(01/30/2020 17:43:58.310:129) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) a0=0x54c a1=0x5587f7e36d90 a2=0x0 a3=0x7f2f7b977700 items=0 ppid=1 pid=1354 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { setsched } for  pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { sys_nice } for  pid=1354 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(01/30/2020 17:46:38.548:240) : proctitle=/usr/libexec/accounts-daemon
type=SYSCALL msg=audit(01/30/2020 17:46:38.548:240) : arch=x86_64 syscall=sched_setattr success=yes exit=0 a0=0x77a a1=0x564358d92d90 a2=0x0 a3=0x7f7555240700 items=0 ppid=1 pid=1912 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc:  denied  { setsched } for  pid=1912 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc:  denied  { sys_nice } for  pid=1912 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1

Reproducer:
systemctl restart accounts-daemon.service
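The AVC records above are the input that `ausearch | audit2allow` consumes. As an added example (not code from this bug report or from selinux-policy), here is a small Python triage script that parses such lines, groups denials by source type, target type, class and permission, marks which groups were seen while enforcing (permissive=0, so the sched_setattr call really failed), and renders the allow rule audit2allow would propose so it can be reviewed before anyone installs a local module. The sample lines are constructed from the records quoted in this bug; the `permissive=` handling and the "self" shorthand follow standard AVC and policy syntax.

```python
import re

# Constructed sample: AVC records in the shape quoted in this bug, plus one
# SYSCALL record (shortened) that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1579978237.369:96): avc: denied { sys_nice } for pid=1249 comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { setsched } for pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc: denied { sys_nice } for pid=1354 comm=accounts-daemon capability=sys_nice scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(01/30/2020 17:43:58.310:129) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) comm=accounts-daemon
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()  # one AVC may list several permissions
    return rec

def type_of(ctx):
    """Third field of user:role:type:level, e.g. accountsd_t."""
    return ctx.split(":")[2]

def summarize(audit_text):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "enforced": False, "comms": set()})
            entry["count"] += 1
            # permissive=0 means the kernel actually refused the operation
            entry["enforced"] |= rec.get("permissive") == "0"
            entry["comms"].add(rec["comm"])
    return summary

def allow_rules(summary):
    """The allow rules audit2allow would propose for these groups, for review."""
    rules = []
    for (src, tgt, cls, perm) in sorted(summary):
        tgt = "self" if tgt == src else tgt   # policy shorthand when source == target
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules
```

Running `summarize(SAMPLE_AUDIT)` on real `ausearch --raw` output is the same call; a group with enforced=False is an audit-only record from permissive mode and has not yet broken anything.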
Because GNOME Display Manager (gdm) depends on accounts-daemon, and this problem causes accounts-daemon to exit with an error, users can't log in to their system due to this bug. It probably should have a higher priority and severity. Also, this problem is not limited to just accounts-daemon. ModemManager has the same issue, as does anything else that uses glib2's GThreadPool system. So I don't think Zdenek's proposed patch is sufficient to really fix the root issue. It appears that on the glib2 side of things, they should probably not make this a fatal (breakpoint-inducing) g_debug() log message. See bug #1795524 for their side of things.
Oops, s/g_debug/g_error/ in my last comment.
*** This bug has been marked as a duplicate of bug 1795524 ***