Bug 2020558 - SELinux is preventing sss_cache from using the 'setgid' capabilities.
Summary: SELinux is preventing sss_cache from using the 'setgid' capabilities.
Keywords:
Status: CLOSED DUPLICATE of bug 2022690
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0016661cd7f18938120db99c7bf...
: 2020850 2022558 2023134 2026163 2026169 2033837 2035571 2041286 2042400 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-05 09:38 UTC by Fhiss
Modified: 2022-01-19 12:38 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-18 16:41:14 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1884179 1 medium CLOSED SELinux prevents sss_cache from calling the utime syscall 2023-06-09 08:57:01 UTC

Description Fhiss 2021-11-05 09:38:28 UTC 
Description of problem:
SELinux is preventing sss_cache from using the 'setgid' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

Если вы считаете, что sss_cache должен иметь setgid по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
разрешить этот доступ сейчас, выполнив:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:groupadd_t:s0
Target Context                system_u:system_r:groupadd_t:s0
Target Objects                Неизвестно [ capability ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-
                              targeted-35.3-1.20211019git94970fc.fc35.noarch
Local Policy RPM              selinux-policy-
                              targeted-35.3-1.20211019git94970fc.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.14.15-300.fc35.x86_64 #1 SMP Wed
                              Oct 27 15:53:39 UTC 2021 x86_64 x86_64
Alert Count                   8
First Seen                    2021-11-05 12:37:37 +03
Last Seen                     2021-11-05 12:37:37 +03
Local ID                      9b338754-4362-4753-b1a2-09e006ae1369

Raw Audit Messages
type=AVC msg=audit(1636105057.573:420): avc:  denied  { setgid } for  pid=10226 comm="sss_cache" capability=6  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=0


Hash: sss_cache,groupadd_t,groupadd_t,capability,setgid

Version-Release number of selected component:
selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.14.15-300.fc35.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2021-11-05 16:09:14 UTC 
Hi,

Are you able to specify at which moment this avc appears or which action triggers it?
Comment 2 Fhiss 2021-11-06 10:59:41 UTC 
I installed wireshark with all its dependencies on Fedora Xfce. Then I launched it. This error appeared either after installation or after startup. My user has not been added to the "wireshark" group.
Comment 3 Fhiss 2021-11-06 11:12:20 UTC 
*** Bug 2020850 has been marked as a duplicate of this bug. ***
Comment 4 Fhiss 2021-11-06 11:52:11 UTC 
Similar problem has been detected:

Installed cockpit-navigator via dnfdragora. The Cockpit is open in the browser at the same time.

hashmarkername: setroubleshoot
kernel:         5.14.15-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 5 Fhiss 2021-11-06 13:09:38 UTC 
Similar problem has been detected:

Installed cockpit-session-recording via dnfdragora. The Cockpit is open in the browser at the same time.

hashmarkername: setroubleshoot
kernel:         5.14.15-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 6 Zdenek Pytela 2021-11-09 14:54:19 UTC 
It seems to happen during installation and this is here are full audit records:

----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.079:609) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(11/09/2021 09:51:41.079:609) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f03f7c29ac0 items=0 ppid=1642 pid=1645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/09/2021 09:51:41.079:609) : avc:  denied  { setgid } for  pid=1645 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.080:610) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(11/09/2021 09:51:41.080:610) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1642 pid=1645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/09/2021 09:51:41.080:610) : avc:  denied  { setgid } for  pid=1645 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.091:611) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(11/09/2021 09:51:41.091:611) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f692d181ac0 items=0 ppid=1642 pid=1647 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/09/2021 09:51:41.091:611) : avc:  denied  { setgid } for  pid=1647 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.092:612) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(11/09/2021 09:51:41.092:612) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1642 pid=1647 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/09/2021 09:51:41.092:612) : avc:  denied  { setgid } for  pid=1647 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.143:615) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(11/09/2021 09:51:41.143:615) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f45f35e9ac0 items=0 ppid=1649 pid=1652 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/09/2021 09:51:41.143:615) : avc:  denied  { setgid } for  pid=1652 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.144:616) : proctitle=sss_cache -UG
type=SYSCALL msg=audit(11/09/2021 09:51:41.144:616) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1649 pid=1652 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/09/2021 09:51:41.144:616) : avc:  denied  { setgid } for  pid=1652 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.158:617) : proctitle=sss_cache -G
type=SYSCALL msg=audit(11/09/2021 09:51:41.158:617) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7fe137146ac0 items=0 ppid=1649 pid=1654 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/09/2021 09:51:41.158:617) : avc:  denied  { setgid } for  pid=1654 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(11/09/2021 09:51:41.159:618) : proctitle=sss_cache -G
type=SYSCALL msg=audit(11/09/2021 09:51:41.159:618) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1649 pid=1654 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/09/2021 09:51:41.159:618) : avc:  denied  { setgid } for  pid=1654 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
Comment 7 alan.aguinaga 2021-11-11 07:39:37 UTC 
Similar problem has been detected:


sudo dnf groupinstall 'Development Tools'-y && sudo dnf install libcurl-devel && sudo dnf install sqlite-devel

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 8 vincent 2021-11-11 11:51:23 UTC 
Similar problem has been detected:

I was running `dnf group install "KDE Plasma Workspaces"`

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 9 talhaprima 2021-11-12 00:34:26 UTC 
*** Bug 2022558 has been marked as a duplicate of this bug. ***
Comment 10 optimus_1 2021-11-12 07:53:13 UTC 
Similar problem has been detected:

run `sudo dnf install php`

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 11 talhaprima 2021-11-15 00:06:09 UTC 
*** Bug 2023134 has been marked as a duplicate of this bug. ***
Comment 12 fred 2021-11-15 09:07:41 UTC 
Similar problem has been detected:

Au démarrage ou pendant la mise à jour (Mis à niveau:
  clamav-0.103.4-1.fc35.x86_64                                                  
  clamav-data-0.103.4-1.fc35.noarch                                             
  clamav-filesystem-0.103.4-1.fc35.noarch                                       
  clamav-lib-0.103.4-1.fc35.x86_64                                              
  clamav-update-0.103.4-1.fc35.x86_64                                           
  cups-1:2.3.3op2-10.fc35.x86_64                                                
  cups-client-1:2.3.3op2-10.fc35.x86_64                                         
  cups-filesystem-1:2.3.3op2-10.fc35.noarch                                     
  cups-ipptool-1:2.3.3op2-10.fc35.x86_64                                        
  cups-libs-1:2.3.3op2-10.fc35.x86_64                                           
  gdb-11.1-5.fc35.x86_64                                                        
  gdb-headless-11.1-5.fc35.x86_64                                               
  libsamplerate-0.2.2-1.fc35.x86_64                                             
  libsepol-3.3-2.fc35.x86_64                                                    
  libsepol-devel-3.3-2.fc35.x86_64                                              
  libtommath-1.2.0-5.fc35.x86_64                                                
  libusb-1:0.1.7-6.fc35.x86_64                                                  
  linux-atm-libs-2.5.1-30.fc35.x86_64                                           
  shadow-utils-2:4.9-7.fc35.x86_64                                              
  xdg-desktop-portal-gtk-1.10.0-2.fc35.x86_64 )

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 13 Artem Pasko 2021-11-15 22:32:45 UTC 
Similar problem has been detected:

Switching between TTY4 and TTY2.

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 14 Didik Supriadi 2021-11-17 13:16:54 UTC 
Similar problem has been detected:

this bug was triggered by `dnf upgrade` but I don't know which package that was triggering.

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 15 Artem Pasko 2021-11-18 16:01:02 UTC 
Similar problem has been detected:

sudo dnf install \*-firmware

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing sss_cache from using the 'setgid' capabilities.
type:           libreport
Comment 16 Zdenek Pytela 2021-11-18 16:41:14 UTC 

*** This bug has been marked as a duplicate of bug 2022690 ***
Comment 17 Phillip Dunstall 2021-11-23 22:58:15 UTC 
*** Bug 2026163 has been marked as a duplicate of this bug. ***
Comment 18 Phillip Dunstall 2021-11-23 23:44:47 UTC 
*** Bug 2026169 has been marked as a duplicate of this bug. ***
Comment 19 Roberto Reis 2021-12-18 02:02:11 UTC 
*** Bug 2033837 has been marked as a duplicate of this bug. ***
Comment 20 Nikita Bige 2021-12-24 18:17:29 UTC 
*** Bug 2035571 has been marked as a duplicate of this bug. ***
Comment 21 raffaele.tranquillini 2022-01-16 23:20:59 UTC 
*** Bug 2041286 has been marked as a duplicate of this bug. ***
Comment 22 binom-vuk 2022-01-19 12:38:40 UTC 
*** Bug 2042400 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.