Bug 690375 - SELinux is preventing /usr/libexec/rtkit-daemon from using the 'setsched' accesses on a process.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:fede2589ed2...
Depends On:
Blocks:
Reported: 2011-03-24 05:49 UTC by Amit Shah
Modified: 2011-03-31 12:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-31 12:33:27 UTC
Type: ---



Description Amit Shah 2011-03-24 05:49:14 UTC
SELinux is preventing /usr/libexec/rtkit-daemon from using the 'setsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rtkit-daemon should be allowed setsched access on processes labeled sandbox_web_client_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rtkit-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c228,c382
Target Objects                Unknown [ process ]
Source                        rtkit-daemon
Source Path                   /usr/libexec/rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rtkit-0.9-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-1.fc15.x86_64 #1
                              SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 23 Mar 2011 08:16:13 PM IST
Last Seen                     Wed 23 Mar 2011 08:16:13 PM IST
Local ID                      bb40ebd1-08af-41d6-a073-d51d3edf638e

Raw Audit Messages
type=AVC msg=audit(1300891573.173:23770): avc:  denied  { setsched } for  pid=1733 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c228,c382 tclass=process


type=SYSCALL msg=audit(1300891573.173:23770): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=5c89 a1=0 a2=7fd709d68d90 a3=0 items=0 ppid=1 pid=1733 auid=4294967295 uid=172 gid=172 euid=172 suid=172 fsuid=172 egid=172 sgid=172 fsgid=172 tty=(none) ses=4294967295 comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 key=(null)

Hash: rtkit-daemon,rtkit_daemon_t,sandbox_web_client_t,process,setsched

audit2allow

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t sandbox_web_client_t:process setsched;

audit2allow -R

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t sandbox_web_client_t:process setsched;

Comment 1 Daniel Walsh 2011-03-24 18:32:19 UTC
Should I allow rtkit to change the sched on a sandboxed app?

Comment 2 Lennart Poettering 2011-03-31 12:05:42 UTC
I think it is safer not to allow sandboxed apps RT scheduling. While we do our best to supervise what people can do with RT I think it would be wrong to give it even to sandboxed apps. PA after all will benefit from RT but should not strictly need it and will go on without it just fine if it isn't able to get it.

dontaudit might be a good idea though I guess.

Comment 3 Daniel Walsh 2011-03-31 12:33:27 UTC
Ok this would not have happened in enforcing mode since sandbox apps would not have been allowed to communicate with the rtkit daemon.

Adding
	dontaudit rtkit_daemon_t $1:process { getsched setsched };


to the rtkit_daemon_dontaudit_dbus_chat

Will eliminate this message in permissive mode.

We do not consider avcs in permissive mode as real bugs, although we will clean them up when we can.
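
A triage sketch for the audit records in this report, added here as an example and not part of the bug thread or of selinux-policy. It pairs the AVC and SYSCALL records by audit event ID, treats a successful syscall as a sign that the denial was only logged (a heuristic assumed for this example), and builds the allow rule that audit2allow proposes next to the dontaudit form discussed in comments 2 and 3. The names `triage` and `se_type` are hypothetical.

```python
import re

# Audit records from the report above (SYSCALL record abbreviated to the fields used).
SAMPLE = [
    'type=AVC msg=audit(1300891573.173:23770): avc:  denied  { setsched } for  pid=1733 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c228,c382 tclass=process',
    'type=SYSCALL msg=audit(1300891573.173:23770): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 pid=1733 comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon',
]

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def triage(lines):
    """Group records by audit event ID and describe each AVC denial."""
    events = {}
    for line in lines:
        head = EVENT.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        ev = events.setdefault(event_id, {})
        if rtype == 'AVC' and (avc := AVC.search(line)):
            perms, scon, tcon, tclass = avc.groups()
            perms = perms.split()
            perm_set = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
            ev['rule'] = f'{se_type(scon)} {se_type(tcon)}:{tclass} {perm_set};'
        elif rtype == 'SYSCALL' and (ok := re.search(r'\bsuccess=(\w+)', line)):
            ev['syscall_ok'] = ok.group(1) == 'yes'
    findings = []
    for event_id, ev in events.items():
        if 'rule' not in ev:
            continue
        findings.append({
            'event': event_id,
            # Heuristic: a denied AVC whose syscall still succeeded was only logged.
            # With no SYSCALL record for the event, the denial is assumed enforced.
            'blocked': not ev.get('syscall_ok', False),
            'allow': 'allow ' + ev['rule'],          # would grant the access
            'dontaudit': 'dontaudit ' + ev['rule'],  # grants nothing, suppresses the audit message
        })
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE):
        state = 'blocked' if f['blocked'] else 'logged only (permissive)'
        print(f"{f['event']}: {state}\n  {f['allow']}\n  {f['dontaudit']}")
```

The generated rules cover only the permission seen in the log; the interface change in comment 3 uses `$1` for the target type and also covers `getsched`.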

