2166509 – SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.

Bug 2166509 - SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.

Summary: SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	37
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:28e9f5c7b8f7461924d6cc7a7a6...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-02 03:40 UTC by Matt Fagnani
Modified:	2023-02-05 01:46 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-37.19-1.fc37
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-02-05 01:46:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1546	0	None	Merged	Allow systemd-journal list cgroup directories	2023-02-02 08:57:25 UTC

Description Matt Fagnani 2023-02-02 03:40:34 UTC

Description of problem:
I ran sudo dnf offline-upgrade download (with upgrades-testing enabled) then sudo dnf offline-upgrade reboot in a Fedora 37 KDE Plasma installation. The upgrade included systemd-251.11-1.fc37.x86_64 and subpackages. On the next 2 boots after the completed update, processes like sd-worker and systemd-userwork were denied using the sys_resource capability when systemd-userdbd.service was started as shown in the following journal output.

Feb 01 22:05:37 systemd[1]: Starting systemd-userdbd.service - User Database Manager...
Feb 01 22:05:37 auditd[832]: Email option is specified but /usr/lib/sendmail doesn't seem executable.
Feb 01 22:05:37 auditd[832]: q_depth should be larger than 512 for safety margin
Feb 01 22:05:37 auditd[837]: Error - plugin (/etc/audit/plugins.d//syslog.conf) is active but no path given
Feb 01 22:05:37 auditd[837]: Skipping syslog.conf plugin due to errors
Feb 01 22:05:37 auditd[837]: audit dispatcher initialized with q_depth=400 and 1 active plugins
Feb 01 22:05:37 audit: CONFIG_CHANGE op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 audit[837]: SYSCALL arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb19b10 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 kernel: audit: type=1305 audit(1675307137.491:159): op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 kernel: audit: type=1300 audit(1675307137.491:159): arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb19b10 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="/sbin/auditd"
Feb 01 22:05:37 audit: CONFIG_CHANGE op=set audit_pid=837 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 audit[837]: SYSCALL arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb177d0 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="/sbin/auditd"
Feb 01 22:05:37 auditd[837]: Init complete, auditd 3.0.9 listening for events (startup state enable)
Feb 01 22:05:37 audit[843]: AVC avc:  denied  { sys_resource } for  pid=843 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[843]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-userdbd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 01 22:05:37 systemd[1]: Started systemd-userdbd.service - User Database Manager.
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[844]: AVC avc:  denied  { sys_resource } for  pid=844 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[844]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[845]: AVC avc:  denied  { sys_resource } for  pid=845 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[845]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[844]: AVC avc:  denied  { sys_resource } for  pid=844 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[844]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7ff4893bc000 a3=0 items=0 ppid=836 pid=844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[843]: AVC avc:  denied  { sys_resource } for  pid=843 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[846]: AVC avc:  denied  { sys_resource } for  pid=846 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[843]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f1574a9c000 a3=0 items=0 ppid=836 pid=843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[846]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[845]: AVC avc:  denied  { sys_resource } for  pid=845 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[845]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f33e089c000 a3=0 items=0 ppid=836 pid=845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[846]: AVC avc:  denied  { sys_resource } for  pid=846 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[846]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7fdec0159000 a3=0 items=0 ppid=836 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped

I also saw SELinux denial notifications at various times while using Plasma. The same sorts of sys_resource denials were shown in the journal at those times. The denials didn't happen before the update including systemd-251.11-1.fc37 so likely some change in that is related to them. I'm using the targeted policy in enforcing mode from selinux-policy-37.18-1.fc37.
SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that (sd-worker) should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(sd-worker)' --raw | audit2allow -M my-sdworker
# semodule -X 300 -i my-sdworker.pp

Additional Information:
Source Context                system_u:system_r:systemd_userdbd_t:s0
Target Context                system_u:system_r:systemd_userdbd_t:s0
Target Objects                Unknown [ capability ]
Source                        (sd-worker)
Source Path                   (sd-worker)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.18-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.18-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.1.8-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Jan 24 20:32:16 UTC 2023
                              x86_64 x86_64
Alert Count                   12
First Seen                    2023-02-01 22:10:46 EST
Last Seen                     2023-02-01 22:16:10 EST
Local ID                      be2b891b-ec94-4342-94bf-21c34a711eaa

Raw Audit Messages
type=AVC msg=audit(1675307770.565:398): avc:  denied  { sys_resource } for  pid=3450 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0


Hash: (sd-worker),systemd_userdbd_t,systemd_userdbd_t,capability,sys_resource

Version-Release number of selected component:
selinux-policy-targeted-37.18-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.1.8-200.fc37.x86_64
type:           libreport

Comment 1 Matt Fagnani 2023-02-02 04:16:54 UTC

I searched for systemd-userdbd in the systemd-stable repository and found a commit units: allow systemd-userdbd to change process name which makes the following change adding the CAP_SYS_RESOURCE capability to the systemd-userdbd.service file https://github.com/systemd/systemd-stable/commit/9357d2342981a8b4fcfa2d170b7749c27d364fdd

- CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+ CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE

That change might be where these denials are coming from.

Comment 2 Zdenek Pytela 2023-02-02 08:57:26 UTC

Correct, and it's already in rawhide, so backporting.

Comment 3 Zbigniew Jędrzejewski-Szmek 2023-02-02 12:07:04 UTC

Oh, great. I was about to do a build with the revert, but I'll wait for the selinux-policy update instead. Please add it to the bodhi update so they go out together.

Comment 4 Fedora Update System 2023-02-03 15:16:37 UTC

FEDORA-2023-7bf3639a5d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

Comment 5 Nicolas Berrehouc 2023-02-03 16:28:40 UTC

Similar problem has been detected:

Since last upgrade

# dnf history info 824
Identifiant de transaction : 824
Temps de début    : ven. 03 févr. 2023 05:41:11
Début de RPMDB    : 709e8388798c21330990c7d8f5b9166291777fd5b29bb9538896062e66b81716
Temps de fin : ven. 03 févr. 2023 05:41:32 (21 secondes)
Fin de RPMDB : 12ba79557295978e554e669238e3dc64938ba1ee8e12de5b4a17a55d59ca760e
Utilisateur  : Nicosss <nicosss>
Code de retour  : Réussi
Version      : 37
Ligne de commande : upgrade --refresh --enablerepo=*testing
Commentaire : 
Paquets modifiés :
    Upgrade  cifs-utils-7.0-1.fc37.x86_64                 @updates-testing
    Upgraded cifs-utils-6.15-2.fc37.x86_64                @@System
    Upgrade  cifs-utils-info-7.0-1.fc37.x86_64            @updates-testing
    Upgraded cifs-utils-info-6.15-2.fc37.x86_64           @@System
    Upgrade  gnome-shell-43.2-2.fc37.x86_64               @updates-testing
    Upgraded gnome-shell-43.2-1.fc37.x86_64               @@System
    Upgrade  libhandy-1.8.1-1.fc37.x86_64                 @updates-testing
    Upgraded libhandy-1.8.0-1.fc37.x86_64                 @@System
    Upgrade  libpwquality-1.4.5-3.fc37.x86_64             @updates-testing
    Upgraded libpwquality-1.4.5-1.fc37.x86_64             @@System
    Upgrade  llvm11-libs-11.1.0-10.fc37.x86_64            @updates-testing
    Upgraded llvm11-libs-11.1.0-6.fc35.x86_64             @@System
    Upgrade  mutter-43.2-2.fc37.x86_64                    @updates-testing
    Upgraded mutter-43.2-1.fc37.x86_64                    @@System
    Upgrade  perl-HTML-Parser-3.81-1.fc37.x86_64          @updates-testing
    Upgraded perl-HTML-Parser-3.80-1.fc37.x86_64          @@System
    Upgrade  python3-pwquality-1.4.5-3.fc37.x86_64        @updates-testing
    Upgraded python3-pwquality-1.4.5-1.fc37.x86_64        @@System
    Upgrade  systemd-251.11-1.fc37.x86_64                 @updates-testing
    Upgraded systemd-251.10-588.fc37.x86_64               @@System
    Upgrade  systemd-container-251.11-1.fc37.x86_64       @updates-testing
    Upgraded systemd-container-251.10-588.fc37.x86_64     @@System
    Upgrade  systemd-libs-251.11-1.fc37.x86_64            @updates-testing
    Upgraded systemd-libs-251.10-588.fc37.x86_64          @@System
    Upgrade  systemd-networkd-251.11-1.fc37.x86_64        @updates-testing
    Upgraded systemd-networkd-251.10-588.fc37.x86_64      @@System
    Upgrade  systemd-oomd-defaults-251.11-1.fc37.noarch   @updates-testing
    Upgraded systemd-oomd-defaults-251.10-588.fc37.noarch @@System
    Upgrade  systemd-pam-251.11-1.fc37.x86_64             @updates-testing
    Upgraded systemd-pam-251.10-588.fc37.x86_64           @@System
    Upgrade  systemd-resolved-251.11-1.fc37.x86_64        @updates-testing
    Upgraded systemd-resolved-251.10-588.fc37.x86_64      @@System
    Upgrade  systemd-rpm-macros-251.11-1.fc37.noarch      @updates-testing
    Upgraded systemd-rpm-macros-251.10-588.fc37.noarch    @@System
    Upgrade  systemd-udev-251.11-1.fc37.x86_64            @updates-testing
    Upgraded systemd-udev-251.10-588.fc37.x86_64          @@System
    Upgrade  thunderbird-102.7.1-2.fc37.x86_64            @updates-testing
    Upgraded thunderbird-102.6.0-2.fc37.x86_64            @@System
    Upgrade  thunderbird-librnp-rnp-102.7.1-2.fc37.x86_64 @updates-testing
    Upgraded thunderbird-librnp-rnp-102.6.0-2.fc37.x86_64 @@System
    Upgrade  thunderbird-wayland-102.7.1-2.fc37.x86_64    @updates-testing
    Upgraded thunderbird-wayland-102.6.0-2.fc37.x86_64    @@System
    Upgrade  tpm2-tss-3.2.2-1.fc37.x86_64                 @updates-testing
    Upgraded tpm2-tss-3.2.1-1.fc37.x86_64                 @@System

hashmarkername: setroubleshoot
kernel:         6.1.9-200.fc37.x86_64
package:        selinux-policy-targeted-37.18-1.fc37.noarch
reason:         SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.
type:           libreport

Comment 6 Nicolas Berrehouc 2023-02-03 18:36:32 UTC

(In reply to Nicolas Berrehouc from comment #5)
> Similar problem has been detected:
> 
> Since last upgrade
> 
> # dnf history info 824
> Identifiant de transaction : 824
> Temps de début    : ven. 03 févr. 2023 05:41:11
> Début de RPMDB    :
> 709e8388798c21330990c7d8f5b9166291777fd5b29bb9538896062e66b81716
> Temps de fin : ven. 03 févr. 2023 05:41:32 (21 secondes)
> Fin de RPMDB :
> 12ba79557295978e554e669238e3dc64938ba1ee8e12de5b4a17a55d59ca760e
> Utilisateur  : Nicosss <nicosss>
> Code de retour  : Réussi
> Version      : 37
> Ligne de commande : upgrade --refresh --enablerepo=*testing
> Commentaire : 
> Paquets modifiés :
>     Upgrade  cifs-utils-7.0-1.fc37.x86_64                 @updates-testing
>     Upgraded cifs-utils-6.15-2.fc37.x86_64                @@System
>     Upgrade  cifs-utils-info-7.0-1.fc37.x86_64            @updates-testing
>     Upgraded cifs-utils-info-6.15-2.fc37.x86_64           @@System
>     Upgrade  gnome-shell-43.2-2.fc37.x86_64               @updates-testing
>     Upgraded gnome-shell-43.2-1.fc37.x86_64               @@System
>     Upgrade  libhandy-1.8.1-1.fc37.x86_64                 @updates-testing
>     Upgraded libhandy-1.8.0-1.fc37.x86_64                 @@System
>     Upgrade  libpwquality-1.4.5-3.fc37.x86_64             @updates-testing
>     Upgraded libpwquality-1.4.5-1.fc37.x86_64             @@System
>     Upgrade  llvm11-libs-11.1.0-10.fc37.x86_64            @updates-testing
>     Upgraded llvm11-libs-11.1.0-6.fc35.x86_64             @@System
>     Upgrade  mutter-43.2-2.fc37.x86_64                    @updates-testing
>     Upgraded mutter-43.2-1.fc37.x86_64                    @@System
>     Upgrade  perl-HTML-Parser-3.81-1.fc37.x86_64          @updates-testing
>     Upgraded perl-HTML-Parser-3.80-1.fc37.x86_64          @@System
>     Upgrade  python3-pwquality-1.4.5-3.fc37.x86_64        @updates-testing
>     Upgraded python3-pwquality-1.4.5-1.fc37.x86_64        @@System
>     Upgrade  systemd-251.11-1.fc37.x86_64                 @updates-testing
>     Upgraded systemd-251.10-588.fc37.x86_64               @@System
>     Upgrade  systemd-container-251.11-1.fc37.x86_64       @updates-testing
>     Upgraded systemd-container-251.10-588.fc37.x86_64     @@System
>     Upgrade  systemd-libs-251.11-1.fc37.x86_64            @updates-testing
>     Upgraded systemd-libs-251.10-588.fc37.x86_64          @@System
>     Upgrade  systemd-networkd-251.11-1.fc37.x86_64        @updates-testing
>     Upgraded systemd-networkd-251.10-588.fc37.x86_64      @@System
>     Upgrade  systemd-oomd-defaults-251.11-1.fc37.noarch   @updates-testing
>     Upgraded systemd-oomd-defaults-251.10-588.fc37.noarch @@System
>     Upgrade  systemd-pam-251.11-1.fc37.x86_64             @updates-testing
>     Upgraded systemd-pam-251.10-588.fc37.x86_64           @@System
>     Upgrade  systemd-resolved-251.11-1.fc37.x86_64        @updates-testing
>     Upgraded systemd-resolved-251.10-588.fc37.x86_64      @@System
>     Upgrade  systemd-rpm-macros-251.11-1.fc37.noarch      @updates-testing
>     Upgraded systemd-rpm-macros-251.10-588.fc37.noarch    @@System
>     Upgrade  systemd-udev-251.11-1.fc37.x86_64            @updates-testing
>     Upgraded systemd-udev-251.10-588.fc37.x86_64          @@System
>     Upgrade  thunderbird-102.7.1-2.fc37.x86_64            @updates-testing
>     Upgraded thunderbird-102.6.0-2.fc37.x86_64            @@System
>     Upgrade  thunderbird-librnp-rnp-102.7.1-2.fc37.x86_64 @updates-testing
>     Upgraded thunderbird-librnp-rnp-102.6.0-2.fc37.x86_64 @@System
>     Upgrade  thunderbird-wayland-102.7.1-2.fc37.x86_64    @updates-testing
>     Upgraded thunderbird-wayland-102.6.0-2.fc37.x86_64    @@System
>     Upgrade  tpm2-tss-3.2.2-1.fc37.x86_64                 @updates-testing
>     Upgraded tpm2-tss-3.2.1-1.fc37.x86_64                 @@System
> 
> hashmarkername: setroubleshoot
> kernel:         6.1.9-200.fc37.x86_64
> package:        selinux-policy-targeted-37.18-1.fc37.noarch
> reason:         SELinux is preventing (sd-worker) from using the
> 'sys_resource' capabilities.
> type:           libreport

Sorry, there are no more alerts after applying the new F37 version of selinux-policy.

Comment 7 Fedora Update System 2023-02-04 02:51:00 UTC

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-7bf3639a5d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-02-05 01:46:38 UTC

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.