Description of problem: SELinux is preventing sss_cache from using the 'setgid' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** Если вы считаете, что sss_cache должен иметь setgid по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do разрешить этот доступ сейчас, выполнив: # ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache # semodule -X 300 -i my-ssscache.pp Additional Information: Source Context system_u:system_r:groupadd_t:s0 Target Context system_u:system_r:groupadd_t:s0 Target Objects Неизвестно [ capability ] Source sss_cache Source Path sss_cache Port <Неизвестно> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy- targeted-35.3-1.20211019git94970fc.fc35.noarch Local Policy RPM selinux-policy- targeted-35.3-1.20211019git94970fc.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.14.15-300.fc35.x86_64 #1 SMP Wed Oct 27 15:53:39 UTC 2021 x86_64 x86_64 Alert Count 8 First Seen 2021-11-05 12:37:37 +03 Last Seen 2021-11-05 12:37:37 +03 Local ID 9b338754-4362-4753-b1a2-09e006ae1369 Raw Audit Messages type=AVC msg=audit(1636105057.573:420): avc: denied { setgid } for pid=10226 comm="sss_cache" capability=6 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=0 Hash: sss_cache,groupadd_t,groupadd_t,capability,setgid Version-Release number of selected component: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.15.2 hashmarkername: setroubleshoot kernel: 5.14.15-300.fc35.x86_64 type: libreport
Hi, Are you able to specify at which moment this avc appears or which action triggers it?
I installed wireshark with all its dependencies on Fedora Xfce. Then I launched it. This error appeared either after installation or after startup. My user has not been added to the "wireshark" group.
*** Bug 2020850 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Installed cockpit-navigator via dnfdragora. The Cockpit is open in the browser at the same time. hashmarkername: setroubleshoot kernel: 5.14.15-300.fc35.x86_64 package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
Similar problem has been detected: Installed cockpit-session-recording via dnfdragora. The Cockpit is open in the browser at the same time. hashmarkername: setroubleshoot kernel: 5.14.15-300.fc35.x86_64 package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
It seems to happen during installation and this is here are full audit records: ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.079:609) : proctitle=sss_cache -UG type=SYSCALL msg=audit(11/09/2021 09:51:41.079:609) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f03f7c29ac0 items=0 ppid=1642 pid=1645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.079:609) : avc: denied { setgid } for pid=1645 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.080:610) : proctitle=sss_cache -UG type=SYSCALL msg=audit(11/09/2021 09:51:41.080:610) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1642 pid=1645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.080:610) : avc: denied { setgid } for pid=1645 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.091:611) : proctitle=sss_cache -G type=SYSCALL msg=audit(11/09/2021 09:51:41.091:611) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f692d181ac0 items=0 ppid=1642 pid=1647 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.091:611) : avc: denied { setgid } for pid=1647 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.092:612) : proctitle=sss_cache -G type=SYSCALL msg=audit(11/09/2021 09:51:41.092:612) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1642 pid=1647 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.092:612) : avc: denied { setgid } for pid=1647 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.143:615) : proctitle=sss_cache -UG type=SYSCALL msg=audit(11/09/2021 09:51:41.143:615) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7f45f35e9ac0 items=0 ppid=1649 pid=1652 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.143:615) : avc: denied { setgid } for pid=1652 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.144:616) : proctitle=sss_cache -UG type=SYSCALL msg=audit(11/09/2021 09:51:41.144:616) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1649 pid=1652 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.144:616) : avc: denied { setgid } for pid=1652 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.158:617) : proctitle=sss_cache -G type=SYSCALL msg=audit(11/09/2021 09:51:41.158:617) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x7fe137146ac0 items=0 ppid=1649 pid=1654 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.158:617) : avc: denied { setgid } for pid=1654 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(11/09/2021 09:51:41.159:618) : proctitle=sss_cache -G type=SYSCALL msg=audit(11/09/2021 09:51:41.159:618) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=1649 pid=1654 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/09/2021 09:51:41.159:618) : avc: denied { setgid } for pid=1654 comm=sss_cache capability=setgid scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
Similar problem has been detected: sudo dnf groupinstall 'Development Tools'-y && sudo dnf install libcurl-devel && sudo dnf install sqlite-devel hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
Similar problem has been detected: I was running `dnf group install "KDE Plasma Workspaces"` hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
*** Bug 2022558 has been marked as a duplicate of this bug. ***
Similar problem has been detected: run `sudo dnf install php` hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
*** Bug 2023134 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Au démarrage ou pendant la mise à jour (Mis à niveau: clamav-0.103.4-1.fc35.x86_64 clamav-data-0.103.4-1.fc35.noarch clamav-filesystem-0.103.4-1.fc35.noarch clamav-lib-0.103.4-1.fc35.x86_64 clamav-update-0.103.4-1.fc35.x86_64 cups-1:2.3.3op2-10.fc35.x86_64 cups-client-1:2.3.3op2-10.fc35.x86_64 cups-filesystem-1:2.3.3op2-10.fc35.noarch cups-ipptool-1:2.3.3op2-10.fc35.x86_64 cups-libs-1:2.3.3op2-10.fc35.x86_64 gdb-11.1-5.fc35.x86_64 gdb-headless-11.1-5.fc35.x86_64 libsamplerate-0.2.2-1.fc35.x86_64 libsepol-3.3-2.fc35.x86_64 libsepol-devel-3.3-2.fc35.x86_64 libtommath-1.2.0-5.fc35.x86_64 libusb-1:0.1.7-6.fc35.x86_64 linux-atm-libs-2.5.1-30.fc35.x86_64 shadow-utils-2:4.9-7.fc35.x86_64 xdg-desktop-portal-gtk-1.10.0-2.fc35.x86_64 ) hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
Similar problem has been detected: Switching between TTY4 and TTY2. hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
Similar problem has been detected: this bug was triggered by `dnf upgrade` but I don't know which package that was triggering. hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
Similar problem has been detected: sudo dnf install \*-firmware hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing sss_cache from using the 'setgid' capabilities. type: libreport
*** This bug has been marked as a duplicate of bug 2022690 ***
*** Bug 2026163 has been marked as a duplicate of this bug. ***
*** Bug 2026169 has been marked as a duplicate of this bug. ***
*** Bug 2033837 has been marked as a duplicate of this bug. ***
*** Bug 2035571 has been marked as a duplicate of this bug. ***
*** Bug 2041286 has been marked as a duplicate of this bug. ***
*** Bug 2042400 has been marked as a duplicate of this bug. ***