Bug 1750024 - SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns labeled rtkit_daemon_t.
Summary: SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1e75e452328e59ff3766c22f147...
: 1752263 1752583 1754408 1755572 1756755 1758097 (view as bug list)
Depends On:
Blocks:
Reported: 2019-09-07 13:41 UTC by Nicolas Semrau
Modified: 2019-10-04 09:06 UTC (History)
34 users (show)

Fixed In Version: selinux-policy-3.14.3-46.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-30 07:39:12 UTC
Type: ---
Embargoed:



Description Nicolas Semrau 2019-09-07 13:41:42 UTC
Description of problem:
(I installed Fedora 30 via a MATE spin, it is completely updated to 2019-09-06, 11:00 PM, CEST)
 
1. Sent a MATE session to sleep via System -> Shut down... -> Suspend
2. Woke the system up 2 hours later
3. Problem appeared for the first time
SELinux is preventing rtkit-daemon from 'sys_nice' accesses on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu
                              Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   16
First Seen                    2019-09-07 15:29:56 CEST
Last Seen                     2019-09-07 15:29:56 CEST
Local ID                      d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

Comment 1 Nicolas Semrau 2019-09-08 07:21:13 UTC
A similar thing appeared today after logging into MATE from a cold boot-up:

SELinux is preventing rtkit-daemon from sys_nice access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_nice access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.11-200.fc30.x86_64 #1 SMP Thu
                              Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   16
First Seen                    2019-09-07 15:29:56 CEST
Last Seen                     2019-09-07 15:29:56 CEST
Local ID                      d1402707-3a1e-4372-83e6-918d2f491517

Raw Audit Messages
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_nice

Comment 2 Lukas Vrabec 2019-09-09 08:28:17 UTC
commit 861c699b2748f3dc373cf69177a5f7a716c074f2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Sep 9 10:21:51 2019 +0200

    Allow rtkit_daemon_t domain set process nice value in user namespaces
    BZ(1750024)

Comment 3 Ed Beroset 2019-09-13 11:46:11 UTC
Description of problem:
I'm not certain what triggered this.  On my machine, two different packages are installed that require rtkit:

# rpm -q --whatrequires rtkit
pipewire-0.2.6-3.fc30.x86_64
pulseaudio-12.2-9.fc30.x86_64

It seems logical to me that rtkit would want to access sys_nice.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport

Comment 4 Jonathan Haas 2019-09-13 17:42:55 UTC
Description of problem:
Happened randomly after opening laptop lid

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.20-300.fc30.x86_64
type:           libreport

Comment 5 Alex. H. F. 2019-09-14 12:02:11 UTC
Description of problem:
Just after booting with Xorg display (instead of Wayland).

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 6 Lukas Vrabec 2019-09-16 08:10:46 UTC
*** Bug 1752263 has been marked as a duplicate of this bug. ***

Comment 7 fred 2019-09-16 15:15:11 UTC
Description of problem:
Waking the PC from the suspended state

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 8 Philipp Raich 2019-09-16 18:18:25 UTC
Description of problem:
Wake up from sleep (open lid)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 9 Christian Kujau 2019-09-17 05:54:58 UTC
Description of problem:
Happens during suspend, which appears to fail and the laptop wakes up again, with that SELinux alert.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport

Comment 10 Lukas Vrabec 2019-09-17 07:11:01 UTC
*** Bug 1752583 has been marked as a duplicate of this bug. ***

Comment 11 Dima 2019-09-18 17:23:48 UTC
Description of problem:
install virtualbox6.0.12 r133076 (Qt5.6.1)

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.14-200.fc30.x86_64
type:           libreport

Comment 12 Peter Greenwood 2019-09-21 11:52:27 UTC
Description of problem:
Brought the laptop out of suspend; here is an extract of /var/log/messages:

Sep 20 23:27:07 slide kernel: usb 1-7: reset full-speed USB device number 4 using xhci_hcd
Sep 20 23:27:07 slide kernel: ath10k_pci 0000:02:00.0: unsupported HTC service id: 1536
Sep 20 23:27:07 slide kernel: PM: resume devices took 2.338 seconds
Sep 20 23:27:07 slide kernel: OOM killer enabled.
Sep 20 23:27:08 slide kernel: Restarting tasks ... done.
Sep 20 23:27:08 slide kernel: PM: suspend exit
Sep 20 23:27:08 slide kernel: ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
Sep 20 23:27:08 slide kernel: ata1.00: configured for UDMA/133
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000300.bin
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: QCA: patch rome 0x300 build 0x3e8, firmware rome 0x300 build 0x111
Sep 20 23:27:08 slide kernel: Bluetooth: hci0: using NVM file: qca/nvm_usb_00000300.bin
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-suspend comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:08 slide systemd-logind[970]: Lid opened.
Sep 20 23:27:08 slide rtkit-daemon[884]: The canary thread is apparently starving. Taking action.
Sep 20 23:27:09 slide systemd[1]: Starting Load/Save RF Kill Switch Status...
Sep 20 23:27:09 slide rtkit-daemon[884]: Demoting known real-time threads.
Sep 20 23:27:09 slide systemd-sleep[12199]: System resumed.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31885: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: systemd-suspend.service: Succeeded.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 31884: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Started Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28389: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Sleep.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28388: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Reached target Suspend.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28205: Operation not permitted
Sep 20 23:27:09 slide systemd-logind[970]: Operation 'sleep' finished.
Sep 20 23:27:09 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28204: Operation not permitted
Sep 20 23:27:09 slide systemd[1]: Stopped target Suspend.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28127: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2321] bluez5: NAP: removed interface 64:6E:69:D5:DD:FE
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 28128: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2323] manager: sleep: wake requested (sleeping: yes  enabled: yes)
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20125: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.2325] device (wlp2s0): state change: activated -> unmanaged (reason 'sleeping', sys-iface-state: 'managed')
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 20124: Operation not permitted
Sep 20 23:27:10 slide kernel: Generic Realtek PHY r8169-100:00: attached PHY driver [Generic Realtek PHY] (mii_bus:phy_addr=r8169-100:00, irq=IGNORE)
Sep 20 23:27:10 slide kernel: r8169 0000:01:00.0 enp1s0: Link is Down
Sep 20 23:27:10 slide audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 20 23:27:10 slide systemd[1]: Stopped target Bluetooth.
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19880: Operation not permitted
Sep 20 23:27:10 slide sssd[kcm][2734]: Shutting down
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 19881: Operation not permitted
Sep 20 23:27:10 slide NetworkManager[1001]: <info>  [1569018426.6013] dhcp4 (wlp2s0): canceled DHCP transaction, DHCP client pid 2754
Sep 20 23:27:10 slide rtkit-daemon[884]: Warning: Failed to reset nice level to 0 for thread 30070: Operation not permitted

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.11-200.fc30.x86_64
type:           libreport
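
Added example, not part of the bug report or of the selinux-policy project: a small Python triage script that collapses repeated AVC denials, such as the burst in the log extract above, and renders for each distinct denial the `allow` rule in the form `audit2allow` produces, so the rule can be reviewed before a local module is loaded. The sample log is constructed; its last AVC line and the `example_t`/`example_tmp_t` types are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines copy the denial format quoted in
# this report; the last AVC line uses hypothetical types to show a non-self target.
SAMPLE_LOG = '''\
Sep 20 23:27:08 slide audit[884]: AVC avc:  denied  { sys_nice } for  pid=884 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1567862996.619:272): avc:  denied  { sys_nice } for  pid=805 comm="rtkit-daemon" capability=23  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Sep 20 23:27:08 slide systemd-logind[970]: Lid opened.
type=AVC msg=audit(1567863000.100:300): avc:  denied  { read open } for  pid=1200 comm="example" path="/tmp/x" scontext=system_u:system_r:example_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_tmp_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CAPABILITY_CLASSES = {"capability", "capability2", "cap_userns", "cap2_userns"}

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    return context.split(":", 3)[2]

def parse_avc(line):
    """Parse one log line; return a hashable denial key, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return (
        fields.get("comm", "?"),
        selinux_type(fields["scontext"]),
        selinux_type(fields["tcontext"]),
        fields["tclass"],
        tuple(sorted(m.group(1).split())),
        fields.get("permissive") == "1",
    )

def summarize(log_text):
    """Count identical denials so a burst of repeats collapses to one entry."""
    keys = (parse_avc(line) for line in log_text.splitlines())
    return Counter(k for k in keys if k is not None)

def to_rule(key):
    """Render the type-enforcement rule that would permit the denial (for review, not loading)."""
    _comm, src, tgt, tclass, perms, _permissive = key
    target = "self" if src == tgt else tgt
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{tclass} {perm_text};"

def report(log_text):
    """Return one line per distinct denial: count, enforcement state, rule, review flag."""
    out = []
    for key, count in summarize(log_text).most_common():
        state = "permissive" if key[5] else "enforced"
        flag = "  # grants a capability: review before allowing" if key[3] in CAPABILITY_CLASSES else ""
        out.append(f"{count}x {state} comm={key[0]}: {to_rule(key)}{flag}")
    return out
```

Calling `report()` on the text of `/var/log/messages` or `audit.log` gives one line per distinct denial, with capability-class rules flagged for review.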

Comment 13 sgupta.ee17 2019-09-23 07:56:39 UTC
*** Bug 1754408 has been marked as a duplicate of this bug. ***

Comment 14 Alejandro Duran 2019-09-25 00:19:27 UTC
Description of problem:
Yesterday I updated my Fedora 30 laptop; today it showed me that message when I logged in to my laptop.

Version-Release number of selected component:
selinux-policy-3.14.3-45.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.15-200.fc30.x86_64
type:           libreport

Comment 15 sgupta.ee17 2019-09-25 17:48:48 UTC
*** Bug 1755572 has been marked as a duplicate of this bug. ***

Comment 16 Nicolas Semrau 2019-09-27 17:06:21 UTC
OP here. After updating from 3.14.3-45.fc30 to selinux-policy 3.14.3-46.fc30 the error-message applet stopped appearing in the notification area. I am unsure if this can be marked as solved and closed.

Comment 17 Tomas 2019-09-29 17:48:56 UTC
*** Bug 1756755 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Vrabec 2019-09-30 07:39:12 UTC
Thanks for testing. 

selinux-policy-3.14.3-46.fc30 is already part of Fedora 30 repositories, closing as CURRENTRELEASE.

Thanks,
Lukas.

Comment 19 Lukas Vrabec 2019-10-04 09:06:40 UTC
*** Bug 1758097 has been marked as a duplicate of this bug. ***

