Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1370160
Summary: | SELinux is preventing abrt-hook-ccpp from 'sys_ptrace' accesses on the cap_userns Unknown. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | sheepdestroyer <sheepdestroyer> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 24 | CC: | aflinta, a.lloyd.flanagan, bucky, cyberdak095, danielsun3164, dimapunk80, dominick.grift, dwalsh, fischer.d.r, geral, jonha87, joseluisxd, joshuaward, lvrabec, mgmackoul, mgrepl, mikhail.v.gavrilov, peljasz, plautrba, samuelmarqueslima1, talipdurmus1, tcarlin, thomas, tomasz.urbanski, vangjelstavro |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:9ee0657824a337cf1fd752078363dd2c4d0be995b0b3357592821cd3fe0b5c76;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.13.1-191.20.fc24 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-10 03:29:39 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
sheepdestroyer
2016-08-25 12:15:11 UTC
Description of problem: While using Google-Chrome Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport *** Bug 1374829 has been marked as a duplicate of this bug. *** Description of problem: Working on Chrome, open a new page and the red light from bit defender stop working Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport Description of problem: Starting `GDK_BACKEND=X11 flatpak run org.libreoffice.LibreOffice` Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport Description of problem: It's only just started doing this right after boot. But it happens every time. Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.4-200.fc24.x86_64 type: libreport I see Chrome in the other comments, and it didn't start happening to me until I installed Firefox 49 and visited Netflix. I wonder if Widevine is involved somehow. It seems to happen in pairs with with the alert: SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown. I can't help but notice cap_userns is in that one too. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. Description of problem: Just logged in to gnome classic desktop. Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.5-200.fc24.x86_64 type: libreport Description of problem: Clicked on "Enable DRM" in Firefox at http://www.nbcnews.com/storyline/aleppos-children/hospital-aleppo-evidence-detested-weapon-n657621. Version-Release number of selected component: selinux-policy-3.13.1-191.17.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.4-200.fc24.x86_64 type: libreport Plus one: SELinux is preventing abrt-hook-ccpp from sys_ptrace access on the cap_userns Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that abrt-hook-ccpp should be allowed sys_ptrace access on the Unknown cap_userns by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'abrt-hook-ccpp' --raw | audit2allow -M my-abrthookccpp # semodule -X 300 -i my-abrthookccpp.pp Additional Information: Source Context system_u:system_r:abrt_dump_oops_t:s0 Target Context system_u:system_r:abrt_dump_oops_t:s0 Target Objects Unknown [ cap_userns ] Source abrt-hook-ccpp Source Path abrt-hook-ccpp Port <Unknown> Host eldenador.giftdigital Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.17.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name eldenador.giftdigital Platform Linux eldenador.giftdigital 4.7.5-200.fc24.x86_64 #1 SMP Mon Sep 26 21:25:47 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-10-08 15:11:45 AEST Last Seen 2016-10-08 15:11:45 AEST Local ID ab91b83a-8c84-42ca-a82c-7f6e84b42e61 Raw Audit Messages type=AVC msg=audit(1475903505.996:330): avc: denied { sys_ptrace } for pid=15399 comm="abrt-hook-ccpp" capability=19 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=cap_userns permissive=0 Hash: abrt-hook-ccpp,abrt_dump_oops_t,abrt_dump_oops_t,cap_userns,sys_ptrace Description of problem: running latest chrome Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.5-200.fc24.x86_64 type: libreport selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |