Description of problem:
Issue occurs when I tried to submit an SELinux bug report.

SELinux is preventing firewalld from using the 'sys_nice' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that firewalld should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
# semodule -X 300 -i my-firewalld.pp

Additional Information:
Source Context system_u:system_r:firewalld_t:s0
Target Context system_u:system_r:firewalld_t:s0
Target Objects Unknown [ capability ]
Source firewalld
Source Path firewalld
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-3.14.6-5.fc33.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 5.6.0-0.rc3.git0.1.fc33.x86_64 #1 SMP Mon Feb 24 16:03:58 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-02-27 01:43:12 +05
Last Seen 2020-02-27 01:43:12 +05
Local ID fd1733d8-2658-41c0-9f77-5c9f35e6bb63

Raw Audit Messages
type=AVC msg=audit(1582749792.584:1623): avc: denied { sys_nice } for pid=1133 comm="firewalld" capability=23 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=1

Hash: firewalld,firewalld_t,firewalld_t,capability,sys_nice

Version-Release number of selected component:
setroubleshoot-server-3.3.22-5.fc33

Additional info:
reporter: libreport-2.12.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.2\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.2-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.8.2-2.fc33.x86_64
kernel: 5.6.0-0.rc4.git0.1.fc33.x86_64
runlevel: N 5
type: Python3
uid: 1000

Truncated backtrace:
__init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/setroubleshoot/browser.py", line 991, in submit_button_clicked
    self.submit()
  File "/usr/lib/python3.8/site-packages/setroubleshoot/browser.py", line 1001, in submit
    signature = report.createAlertSignature(local_policy_package,
  File "/usr/lib64/python3.8/site-packages/report/__init__.py", line 221, in createAlertSignature
    pd.add("component", component)
TypeError: argument 2 must be str, not None

Local variables in innermost frame:
component: None
hashmarkername: 'setroubleshoot'
hashvalue: '522a55dffd978f5c78fb8a7fb48d745f19cfc6e9dd8739ec573ea515e9de0ee7'
summary: "SELinux is preventing firewalld from using the 'sys_nice' capabilities."
alertSignature: 'SELinux is preventing firewalld from using the \'sys_nice\' capabilities.\n\n***** Plugin catchall (100. confidence) suggests **************************\n\nIf you believe that firewalld should have the sys_nice capability by default.\nThen you should report this as a bug.\nYou can generate a local policy module to allow this access.\nDo\nallow this access for now by executing:\n# ausearch -c \'firewalld\' --raw | audit2allow -M my-firewalld\n# semodule -X 300 -i my-firewalld.pp\n\nAdditional Information:\nSource Context system_u:system_r:firewalld_t:s0\nTarget Context system_u:system_r:firewalld_t:s0\nTarget Objects Unknown [ capability ]\nSource firewalld\nSource Path firewalld\nPort <Unknown>\nHost (removed)\nSource RPM Packages \nTarget RPM Packages \nSELinux Policy RPM selinux-policy-3.14.6-5.fc33.noarch\nLocal Policy RPM <Unknown>\nSelinux Enabled True\nPolicy Type targeted\nEnforcing Mode Permissive\nHost Name (removed)\nPlatform Linux (removed) 5.6.0-0.rc3.git0.1.fc33.x86_64 #1\n SMP Mon Feb 24 16:03:58 UTC 2020 x86_64 x86_64\nAlert Count 1\nFirst Seen 2020-02-27 01:43:12 +05\nLast Seen 2020-02-27 01:43:12 +05\nLocal ID fd1733d8-2658-41c0-9f77-5c9f35e6bb63\n\nRaw Audit Messages\ntype=AVC msg=audit(1582749792.584:1623): avc: denied { sys_nice } for pid=1133 comm="firewalld" capability=23 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=1\n\n\nHash: firewalld,firewalld_t,firewalld_t,capability,sys_nice\n'
executable: None
package: 'selinux-policy-3.14.6-5.fc33.noarch'
pd: <report.problem_data object at 0x7fe2542c12d0>

Potential duplicate: bug 1809508
Created attachment 1667623 File: backtrace
Created attachment 1667624 File: cpuinfo
Created attachment 1667625 File: environ
Created attachment 1667626 File: mountinfo
Created attachment 1667627 File: namespaces
Created attachment 1667628 File: open_fds
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
Similar problem has been detected:

Trying to report selinux errors....

reporter: libreport-2.14.0
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.0-1.fc33.x86_64
kernel: 5.9.11-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Probably happened when reporting a gdb access to chr_file: card0 related SELinux problem.

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.2\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.2-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.1-1.fc33.x86_64
kernel: 5.10.7-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Crash happened when reporting an SELinux problem with WhatIP flatpak application. My system is now continuously showing new SELinux security alerts.

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.2\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.2-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.1-2.fc33.x86_64
kernel: 5.10.10-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Crash happened when reporting an SELinux alert related to unbound-anchor.

From SE Linux review and submit window:

SELinux is preventing unbound-anchor from 'name_bind' accesses on the udp_socket port 61000.

***** Plugin bind_ports (92.2 confidence) suggests ************************

If you want to allow unbound-anchor to bind to network port 61000
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 61000
where PORT_TYPE is one of the following: afs3_callback_port_t, afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t, amanda_port_t, amavisd_recv_port_t, amavisd_send_port_t, amqp_port_t, aol_port_t, apc_port_t, apcupsd_port_t, appswitch_emp_port_t, asterisk_port_t, babel_port_t, bacula_port_t, bctp_port_t, bfd_control_port_t, bgp_port_t, boinc_client_port_t, boinc_port_t, brlp_port_t, certmaster_port_t, clamd_port_t, clockspeed_port_t, cluster_port_t, cma_port_t, cobbler_port_t, collectd_port_t, commplex_link_port_t, commplex_main_port_t, condor_port_t, conman_port_t, connlcli_port_t, conntrackd_port_t, couchdb_port_t, ctdb_port_t, cvs_port_t, cyphesis_port_t, cyrus_imapd_port_t, daap_port_t, dbskkd_port_t, dcc_port_t, dccm_port_t, dey_keyneg_port_t, dey_sapi_port_t, dhcpc_port_t, dict_port_t, distccd_port_t, dns_port_t, dnssec_port_t, dogtag_port_t, embrace_dp_c_port_t, ephemeral_port_t, epmd_port_t, fac_restore_port_t, firepower_port_t, flash_port_t, fmpro_internal_port_t, freeipmi_port_t, gatekeeper_port_t, gds_db_port_t, gear_port_t, geneve_port_t, giftd_port_t, git_port_t, glance_port_t, glance_registry_port_t, gluster_port_t, gpsd_port_t, hadoop_datanode_port_t, hadoop_namenode_port_t, hddtemp_port_t, howl_port_t, hplip_port_t, http_cache_port_t, i18n_input_port_t, ibm_dt_2_port_t, imaze_port_t, intermapper_port_t, interwise_port_t, ionixnetmon_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, iscsi_port_t, isns_port_t, jabber_client_port_t, jabber_interserver_port_t, jabber_router_port_t, jacorb_port_t, jboss_debug_port_t, jboss_management_port_t, jboss_messaging_port_t, kerberos_port_t, keystone_port_t, kubernetes_port_t, l2tp_port_t, lirc_port_t, llmnr_port_t, lltng_port_t, lsm_plugin_port_t, luci_port_t, mail_port_t, mailbox_port_t, matahari_port_t, memcache_port_t, milter_port_t, mmcc_port_t, mongod_port_t, monopd_port_t, mountd_port_t, movaz_ssc_port_t, mpd_port_t, ms_streaming_port_t, msnp_port_t, mssql_port_t, munin_port_t, mxi_port_t, mysqld_port_t, mysqlmanagerd_port_t, mythtv_port_t, nessus_port_t, netport_port_t, netsupport_port_t, neutron_port_t, nfs_port_t, nmea_port_t, nodejs_debug_port_t, nsca_port_t, nsd_control_port_t, ntop_port_t, ntske_port_t, oa_system_port_t, ocsp_port_t, openflow_port_t, openhpid_port_t, openqa_port_t, openqa_websockets_port_t, openvpn_port_t, openvswitch_port_t, oracle_port_t, osapi_compute_port_t, ovsdb_port_t, pdps_port_t, pegasus_http_port_t, pegasus_https_port_t, pgpkeyserver_port_t, pingd_port_t, pki_kra_port_t, pki_ocsp_port_t, pki_ra_port_t, pki_tks_port_t, pki_tps_port_t, pktcable_cops_port_t, postfix_policyd_port_t, postgresql_port_t, postgrey_port_t, pptp_port_t, prelude_port_t, presence_port_t, preupgrade_port_t, priority_e_com_port_t, prosody_port_t, ptal_port_t, pulp_port_t, pulseaudio_port_t, puppet_port_t, pxe_port_t, pyzor_port_t, qpasa_agent_port_t, rabbitmq_port_t, radacct_port_t, radius_port_t, radsec_port_t, razor_port_t, redis_port_t, repository_port_t, ricci_modcluster_port_t, ricci_port_t, rkt_port_t, rtp_media_port_t, rtsclient_port_t, rtsp_port_t, salt_port_t, sap_port_t, saphostctrl_port_t, servistaitsm_port_t, sge_port_t, shellinaboxd_port_t, sieve_port_t, sip_port_t, sixxsconfig_port_t, smntubootstrap_port_t, soundd_port_t, speech_port_t, squid_port_t, ssdp_port_t, statsd_port_t, svn_port_t, swift_port_t, sype_transport_port_t, syslog_tls_port_t, tangd_port_t, tcs_port_t, tor_port_t, traceroute_port_t, tram_port_t, transproxy_port_t, trisoap_port_t, trivnet1_port_t, unreserved_port_t, ups_port_t, us_cli_port_t, varnishd_port_t, versa_tek_port_t, virt_migration_port_t, virt_port_t, virtual_places_port_t, vnc_port_t, wap_wsp_port_t, wccp_port_t, websm_port_t, whois_port_t, winshadow_port_t, wsdapi_port_t, wsicopy_port_t, xen_port_t, xfs_port_t, xinuexpansion3_port_t, xinuexpansion4_port_t, xodbc_connect_port_t, xserver_port_t, zabbix_agent_port_t, zabbix_port_t, zebra_port_t, zented_port_t, zookeeper_client_port_t, zookeeper_election_port_t, zookeeper_leader_port_t, zope_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that unbound-anchor should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unbound-anchor' --raw | audit2allow -M my-unboundanchor
# semodule -X 300 -i my-unboundanchor.pp

Additional Information:
Source Context system_u:system_r:named_t:s0
Target Context system_u:object_r:port_t:s0
Target Objects port 61000 [ udp_socket ]
Source unbound-anchor
Source Path unbound-anchor
Port 61000
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM <Unknown>
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.10.9-201.fc33.x86_64 #1 SMP Wed Jan 20 16:56:23 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-01-30 09:42:32 CET
Last Seen 2021-01-30 09:42:32 CET
Local ID eff1afd2-31cb-499d-ba52-733ce0e1b505

Raw Audit Messages
type=AVC msg=audit(1611996152.156:9527): avc: denied { name_bind } for pid=711444 comm="unbound-anchor" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

Hash: unbound-anchor,named_t,port_t,udp_socket,name_bind

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.2\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.2-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.1-2.fc33.x86_64
kernel: 5.10.10-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Trying to report an SELinux Alert.

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.2\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.2-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.1-2.fc33.x86_64
kernel: 5.10.12-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Just using SELinux Alert Browser.

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.1\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.1-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.2-1.fc33.x86_64
kernel: 5.11.11-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
Similar problem has been detected:

Reporting a gdb related SELinux Alert resulted in this crash report.

reporter: libreport-2.14.0
cgroup: 0::/user.slice/user-1000.slice/user/dbus\x2d:1.1\x2dorg.fedoraproject.Setroubleshootd.slice/dbus-:1.1-org.fedoraproject.Setroubleshootd
cmdline: /usr/bin/python3 -Es /usr/bin/sealert -s
crash_function: createAlertSignature
exception_type: TypeError
executable: /usr/bin/sealert
interpreter: python3-3.9.2-1.fc33.x86_64
kernel: 5.11.11-200.fc33.x86_64
package: setroubleshoot-server-3.3.24-1.fc33
reason: __init__.py:221:createAlertSignature:TypeError: argument 2 must be str, not None
runlevel: N 5
type: Python3
uid: 1000
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 33 changed to end-of-life (EOL) status on 2021-11-30. Fedora 33 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.