Description of problem:
could it be jellyfin related?
SELinux is preventing .NET ThreadPool from 'watch' accesses on the directory /sys.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that .NET ThreadPool should be allowed watch access on the sys directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '.NET ThreadPool' --raw | audit2allow -M my-NETThreadPool
# semodule -X 300 -i my-NETThreadPool.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c9,c797
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ dir ]
Source                        .NET ThreadPool
Source Path                   .NET ThreadPool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.19-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.2-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 3 16:25:21 UTC 2023 x86_64 x86_64
Alert Count                   1
First Seen                    2023-03-10 17:29:12 CET
Last Seen                     2023-03-10 17:29:12 CET
Local ID                      7b63b3da-ac0a-4c77-afe9-71d8d6f976e2

Raw Audit Messages
type=AVC msg=audit(1678465752.747:1125): avc: denied { watch } for pid=33831 comm=2E4E455420546872656164506F6F6C path="/sys" dev="sysfs" ino=1 scontext=system_u:system_r:container_t:s0:c9,c797 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0

Hash: .NET ThreadPool,container_t,sysfs_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-37.19-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.2.2-300.fc37.x86_64
type:           libreport
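An added example, not part of the original report and not setroubleshoot's own code: the `comm` field in the raw AVC record above is hex-encoded because the thread name contains a space. This sketch decodes it and rebuilds the tuple shown on the `Hash:` line; the function names and the comma-joined handling of several permissions are assumptions of the example.

```python
import re

# The AVC record quoted in the report, embedded as sample input.
AVC = (
    'type=AVC msg=audit(1678465752.747:1125): avc: denied { watch } for '
    'pid=33831 comm=2E4E455420546872656164506F6F6C path="/sys" dev="sysfs" '
    'ino=1 scontext=system_u:system_r:container_t:s0:c9,c797 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0'
)

# Fields the kernel logs as untrusted strings: quoted when safe, otherwise
# hex-encoded (for example when the value contains a space).
STRING_FIELDS = ('comm', 'exe', 'path', 'name')


def decode_untrusted(value):
    """Return the text of an untrusted-string field (quoted or hex form)."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value  # e.g. "(null)"


def parse_avc(line):
    """Split one AVC record into a dict of decoded fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if m is None:
        raise ValueError('not an AVC record')
    # Whitespace splitting is safe: values containing spaces arrive as hex.
    rec = dict(kv.split('=', 1) for kv in m.group(3).split() if '=' in kv)
    for key in STRING_FIELDS:
        if key in rec:
            rec[key] = decode_untrusted(rec[key])
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    return rec


def report_hash(rec):
    """Rebuild the report's Hash tuple: comm, source type, target type, class, perms.
    Joining several permissions with commas is an assumption of this example."""
    stype = rec['scontext'].split(':')[2]
    ttype = rec['tcontext'].split(':')[2]
    return ','.join([rec['comm'], stype, ttype, rec['tclass'], *rec['perms']])


if __name__ == '__main__':
    print(report_hash(parse_avc(AVC)))
```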
Fixed in container-selinux-2.204.0
can anyone tell me if jellyfin in podman container (.NET ThreadPool) is supposed to get 'watch' accesses on directory /sys?
FEDORA-2023-c68939dcbc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c68939dcbc
FEDORA-2023-8e2edb6abc has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-8e2edb6abc
I am fine with granting that access since it is just watching for files/directories to show up in a directory that it is currently allowed to list and read.
FEDORA-2023-8e2edb6abc has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-8e2edb6abc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-8e2edb6abc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-c68939dcbc has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c68939dcbc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-c68939dcbc has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-8e2edb6abc has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.