Bug 1723308
| Field | Value |
|---|---|
| Summary | SELinux is preventing rtkit-daemon from 'sys_ptrace' accesses on the cap_userns labeled rtkit_daemon_t. |
| Product | Fedora |
| Component | selinux-policy |
| Version | 30 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Marcus Husar <marcus.husar> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | as.maps, b.bellec, bztdlinux, dwalsh, extras-qa, jan.public, kcchouette+fedora, lvrabec, marinodiego.96+redhat, mgrepl, oliver.henshaw, plautrba, pv.bugzilla, rocket111185, samtygier, vkadlcik, zpytela |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | abrt_hash:5cb01176e79af3869e500df9de4f681f863d10f3b460ff1a84dafba720dcc387;VARIANT_ID=workstation; |
| Fixed In Version | selinux-policy-3.14.3-40.fc30 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2019-07-13 01:06:43 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Marcus Husar
2019-06-24 08:58:52 UTC
commit 9feef6798e92a30233f9eec182d9935240771794 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jun 24 18:19:11 2019 +0200

    Allow rtkit_daemon_t to use sys_ptrace usernamespace capability
    BZ(1723308)

Description of problem:
starting firefox

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Description of problem:
Downloaded firefox nightly firefox-69.0a1.en-US.linux-x86_64.tar.bz2, expanded it in my download folder, launched with ./firefox

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.8-300.fc30.x86_64
type:           libreport

Description of problem:
Launched Firefox Developers. Received AVC denials notifications.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Description of problem:
Firefox Nightly launch

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30.
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1729647 has been marked as a duplicate of this bug. ***

Just today I received a similar message:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

This after updating yesterday from 3.14.3-43.fc30 -> 3.14.3-45.fc30:

---> Package selinux-policy.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy.noarch 3.14.3-45.fc30 will be an upgrade
---> Package selinux-policy-targeted.noarch 3.14.3-43.fc30 will be upgraded
---> Package selinux-policy-targeted.noarch 3.14.3-45.fc30 will be an upgrade

"SETroubleshoot Details Window" reports:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          red
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     red
Platform                      Linux red 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-09-09 09:51:48 HKT
Last Seen                     2019-09-09 09:51:48 HKT
Local ID                      e077715f-c977-4b86-8bd9-3fafb91d0b89

Raw Audit Messages
type=AVC msg=audit(1567993908.72:356): avc: denied { sys_nice } for pid=875 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Per bug #1752263 this happens on F29 too.

For me, this started happening today after upgrading firefox to firefox-69.0.1-3.fc29.x86_64 - https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

(In reply to Oliver Henshaw from comment #11)
> Per bug #1752263 this happens on F29 too.
>
> For me, this started happening today after upgrading firefox to
> firefox-69.0.1-3.fc29.x86_64 -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1560811 looks relevant.

Hi Oliver,
I observe it too and I think it would be better to have a new, F29-specific bug. I've just filed it: bz1759423

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
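The setroubleshoot report above suggests piping `ausearch --raw` into `audit2allow` and installing the resulting module. Before doing that, a practitioner wants to see exactly which domain, object class and capability the raw AVC record is about, since `cap_userns` denials against a daemon's own domain (`rtkit_daemon_t` here) say nothing about which process triggered them. The following is an added example, not code from this bug, from selinux-policy or from setroubleshoot: it parses raw audit AVC records, names the `capability=N` field from the kernel's capability numbering, rebuilds the `Hash:` line in the form setroubleshoot prints, and renders the `allow` rule such a record would turn into, so the rule can be reviewed before `semodule -i`. The first sample line is the record quoted in this bug; the other two are constructed (one for the original `sys_ptrace` denial, capability 19, and one from a different domain that the filter must skip). The function and variable names are this example's own.

```python
"""Triage helper for raw SELinux AVC records (added example, not from the bug)."""
import re

# Capability numbers from include/uapi/linux/capability.h; list index == number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap",
]

# "type=AVC msg=audit(<ts>:<serial>): avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    if "capability" in rec:
        n = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES[n] if 0 <= n < len(CAP_NAMES) else "unknown"
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def setroubleshoot_hash(rec):
    """Same shape as the 'Hash:' line above: comm, source type, target type, class, perms."""
    return ",".join([rec["comm"], context_type(rec["scontext"]),
                     context_type(rec["tcontext"]), rec["tclass"], ",".join(rec["perms"])])


def to_allow_rule(rec):
    """Render the TE allow rule this record would be turned into (for review)."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"


def is_userns_cap_denial(rec, domain="rtkit_daemon_t"):
    """True for a denied cap_userns access whose source domain is `domain`."""
    return (rec is not None and rec["result"] == "denied"
            and rec.get("tclass") == "cap_userns"
            and context_type(rec.get("scontext", "")) == domain)


def triage(lines, domain="rtkit_daemon_t"):
    """Parse every line; return (hash, capability name, allow rule) for matching denials."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if is_userns_cap_denial(rec, domain):
            out.append((setroubleshoot_hash(rec), rec.get("capability_name"), to_allow_rule(rec)))
    return out


SAMPLE_LINES = [
    # Record quoted in this bug.
    'type=AVC msg=audit(1567993908.72:356): avc: denied { sys_nice } for pid=875 comm="rtkit-daemon" '
    'capability=23 scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
    # Constructed: the original sys_ptrace denial (capability 19) in the same shape.
    'type=AVC msg=audit(1561362000.00:100): avc: denied { sys_ptrace } for pid=1000 comm="rtkit-daemon" '
    'capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0',
    # Constructed: another domain, must not be reported for rtkit_daemon_t.
    'type=AVC msg=audit(1561362001.00:101): avc: denied { sys_nice } for pid=1200 comm="pulseaudio" '
    'capability=23 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0',
]

if __name__ == "__main__":
    for h, cap, rule in triage(SAMPLE_LINES):
        print(h, "| capability:", cap, "| would become:", rule)
```

Running it prints the two `rtkit_daemon_t` records and the rule each would become (`allow rtkit_daemon_t self:cap_userns { sys_nice };` and the `sys_ptrace` counterpart); the unconfined record is dropped by the domain filter. Feeding `ausearch -m AVC --raw` output to `triage()` gives the same review list for a live host.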