Bug 1852513 - SELinux is preventing tumblerd from using the 'sys_nice' capabilities.
Summary: SELinux is preventing tumblerd from using the 'sys_nice' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:88f8d5a70ff6383283766b22157...
Duplicates: 1830516 1860958
Depends On:
Blocks:
Reported: 2020-06-30 14:59 UTC by Raphos
Modified: 2023-09-14 06:03 UTC

Fixed In Version: selinux-policy-3.14.5-43.fc32
Clone Of:
Environment:
Last Closed: 2020-08-31 15:50:07 UTC
Type: ---
Embargoed:


Description Raphos 2020-06-30 14:59:17 UTC
Description of problem:
SELinux is preventing tumblerd from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

Si vous pensez que tumblerd devrait avoir des capacités sys_nice par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "tumblerd" --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                Inconnu [ capability ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.7.6-201.fc32.x86_64 #1 SMP Mon
                              Jun 29 15:15:52 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-06-30 14:43:50 CEST
Last Seen                     2020-06-30 16:55:55 CEST
Local ID                      b024db6b-75b2-4c93-8c48-fd62f157a82f

Raw Audit Messages
type=AVC msg=audit(1593528955.686:231): avc:  denied  { sys_nice } for  pid=1906 comm="tumblerd" capability=23  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: tumblerd,thumb_t,thumb_t,capability,sys_nice

Version-Release number of selected component:
selinux-policy-targeted-3.14.5-41.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.13.1
hashmarkername: setroubleshoot
kernel:         5.7.6-201.fc32.x86_64
type:           libreport
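
Added example, not part of the original report or of the selinux-policy project: a small Python parser for the raw AVC record quoted above, which renders the denial as a type-enforcement rule in either `allow` form (what a local module would grant) or `dontaudit` form (the denial stays in place but is no longer logged, the approach named in the fix's commit message). The function names are hypothetical, and the rendered `dontaudit` line illustrates the rule form only; it is not the text of the merged patch.

```python
import re

# Raw AVC record copied from the report above.
AVC = (
    'type=AVC msg=audit(1593528955.686:231): avc:  denied  { sys_nice } for  '
    'pid=1906 comm="tumblerd" capability=23  '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tclass=capability permissive=0'
)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)

def parse_context(ctx):
    """Split user:role:type[:mls]. The MLS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return the fields of one AVC record that matter for triage."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('no AVC message in line')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest']))
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError(f'AVC record lacks {sorted(missing)}')
    return {
        'result': m['result'],
        'perms': m['perms'].split(),
        'comm': fields.get('comm', '').strip('"'),
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def render_rule(avc, keyword='allow'):
    """Render a type-enforcement rule; 'self' when source and target type match."""
    src, tgt = avc['source']['type'], avc['target']['type']
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"{keyword} {src} {'self' if src == tgt else tgt}:{avc['tclass']} {perm_str};"

if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(render_rule(avc))               # candidate rule for a local module
    print(render_rule(avc, 'dontaudit'))  # rule form named in the commit message
```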

Comment 1 Zdenek Pytela 2020-07-01 06:55:54 UTC
Hi,

Apart from the denial, do you also see any problem with how the application works?

Comment 2 Zdenek Pytela 2020-07-23 07:11:09 UTC
*** Bug 1830516 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2020-07-23 07:15:04 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/307

Comment 4 Lukas Vrabec 2020-07-27 06:51:59 UTC
commit 41c319687340dd7af93da7a38fcd3df78d8f7c3b (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jul 23 09:13:15 2020 +0200

    Dontaudit thumb_t setting its process scheduling
    
    Resolves: rhbz#1852513

Comment 5 Zdenek Pytela 2020-07-27 14:57:14 UTC
*** Bug 1860958 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2020-08-27 21:10:43 UTC
FEDORA-2020-740de661da has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da

Comment 7 Fedora Update System 2020-08-28 14:55:13 UTC
FEDORA-2020-740de661da has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-740de661da`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-08-31 15:50:07 UTC
FEDORA-2020-740de661da has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Raphos 2020-09-16 06:09:15 UTC
Hi,

Everything works now.

Thanks!

Comment 10 nopal 2020-11-12 04:46:03 UTC
Similar problem has been detected:

When I tried to launch apache web service from xampp manager by clicking the 'Go To Application' button

hashmarkername: setroubleshoot
kernel:         5.8.18-200.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-44.fc32.noarch
reason:         SELinux is preventing tumblerd from using the 'sys_nice' capabilities.
type:           libreport

Comment 11 Zdenek Pytela 2020-11-12 08:00:00 UTC
(In reply to nopal from comment #10)
> Similar problem has been detected:
> 
> When I tried to launch apache web service from xampp manager by clicking the
> 'Go To Application' button
> 
> hashmarkername: setroubleshoot
> kernel:         5.8.18-200.fc32.x86_64
> package:        selinux-policy-targeted-3.14.5-44.fc32.noarch
> reason:         SELinux is preventing tumblerd from using the 'sys_nice'
> capabilities.
> type:           libreport
Hi,

Please update to the latest version 3.14.5-45. File a new bugzilla if the issue persists and include the AVC denial.

Comment 12 Red Hat Bugzilla 2023-09-14 06:03:13 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.

