Description of problem:
I am getting this AVC reproducibly during startup of pcscd. There is no explicit call to nice in pcscd, but it might be in the underlying usb libraries. As it is a daemon talking to HW, I assume this is a valid request to ask for priority.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-9.fc33.noarch
selinux-policy-3.14.5-31.fc32.noarch

How reproducible:
100%

Steps to Reproduce:
0. Install gnutls-utils, pcscd, opensc
1. Run p11tool --list-tokens

Actual results:
works, but this AVC is thrown

Expected results:
Works, no AVC is thrown

I did not see this in Fedora 31.

Additional info:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 32
selinux-policy-3.14.6-9.fc33.noarch

time->Fri Mar 27 14:26:29 2020
type=AVC msg=audit(1585319189.817:2659): avc: denied { sys_nice } for pid=50066 comm="pcscd" capability=23 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=0
Jakub,
This is supposed to be related to the update of glib2 in F32 and is a candidate for not auditing. Do you see any issue with not having the permission allowed, like some functionality problem?
https://bugzilla.redhat.com/show_bug.cgi?id=1795524
No. It works fine without this permission. If it is a bug in glib2, feel free to close it as a duplicate. These were jobs from Friday. If it shows up again with newer versions, I will reopen.
*** This bug has been marked as a duplicate of bug 1811407 ***