Bug 2290509 - SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
Summary: SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
Keywords:
Status: CLOSED DUPLICATE of bug 2278902
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3f3c41747902206a7bd50598ec7...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-06-05 06:47 UTC by William Saffery
Modified: 2024-06-05 08:12 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-06-05 08:12:47 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: description (1.96 KB, text/plain)
2024-06-05 06:47 UTC, William Saffery 		no flags Details
File: os_info (699 bytes, text/plain)
2024-06-05 06:47 UTC, William Saffery 		no flags Details
View All

Description William Saffery 2024-06-05 06:47:26 UTC 
Description of problem:
I opened a text file with over 2080404 lines in VS Code. The program presumably coredumped, and then this errror was thrown by SELinux. VS Code version was 1.89.1 in case that's relevant to anyone reading (redhat or otherwise).
Running Fedora 40, KDE Spin.
SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.20-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.20-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.10-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri May 17 21:20:54 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-06-02 18:53:43 AEST
Last Seen                     2024-06-05 16:28:34 AEST
Local ID                      82cbf0fa-2edd-4797-abd8-1e18aedaf916

Raw Audit Messages
type=AVC msg=audit(1717568914.793:2279): avc:  denied  { sys_admin } for  pid=443191 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-40.20-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing systemd-coredum from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-40.20-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.10-300.fc40.x86_64
component:      selinux-policy
Comment 1 William Saffery 2024-06-05 06:47:30 UTC 
Created attachment 2036381 [details]
File: description
Comment 2 William Saffery 2024-06-05 06:47:32 UTC 
Created attachment 2036382 [details]
File: os_info
Comment 3 Zdenek Pytela 2024-06-05 08:12:47 UTC 

*** This bug has been marked as a duplicate of bug 2278902 ***
Note You need to log in before you can comment on or make changes to this bug.