Bug 2264997 - SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
Summary: SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
Keywords:
Status: CLOSED DUPLICATE of bug 2278902
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3f3c41747902206a7bd50598ec7...
Depends On:
Blocks:
 
Reported: 2024-02-19 21:14 UTC by Mikhail
Modified: 2025-01-24 15:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-05-09 11:10:36 UTC
Type: ---
Embargoed:


Attachments
File: description (2.02 KB, text/plain)
2024-02-19 21:14 UTC, Mikhail
File: os_info (770 bytes, text/plain)
2024-02-19 21:14 UTC, Mikhail

Description Mikhail 2024-02-19 21:14:53 UTC
Description of problem:
SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.13-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.13-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.8.0-
                              0.rc4.20240216git4f5e5092fdbf.39.fc41.x86_64+debug
                              #1 SMP PREEMPT_DYNAMIC Sat Feb 17 14:39:12 +05
                              2024 x86_64
Alert Count                   1
First Seen                    2024-02-19 16:22:22 +05
Last Seen                     2024-02-19 16:22:22 +05
Local ID                      81fae3e0-9297-4d8c-98c5-94b29adf77df

Raw Audit Messages
type=AVC msg=audit(1708341742.746:421): avc:  denied  { sys_admin } for  pid=98419 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=1


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-40.13-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.14
reason:         SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-40.13-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.0-0.rc5.41.fc41.x86_64+debug
component:      selinux-policy

Comment 1 Mikhail 2024-02-19 21:14:56 UTC
Created attachment 2017701
File: description

Comment 2 Mikhail 2024-02-19 21:14:58 UTC
Created attachment 2017702
File: os_info

Comment 3 Zdenek Pytela 2024-02-20 09:04:52 UTC
Mikhail,

which systemd version do you use and how did you trigger this issue?
Can you gather more information with full auditing enabled?
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 4 Zdenek Pytela 2024-05-09 11:10:36 UTC

*** This bug has been marked as a duplicate of bug 2278902 ***

Comment 5 Red Hat Bugzilla 2024-09-07 04:25:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

