Bug 1795034 - SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities.
Summary: SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities.
Keywords:
Status: CLOSED DUPLICATE of bug 1795524
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8389d3f402e32b0dbe518c4789b...
Depends On:
Blocks:
Reported: 2020-01-26 15:03 UTC by Mikhail
Modified: 2020-02-05 16:11 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-05 16:10:08 UTC
Type: ---
Embargoed:


Description Mikhail 2020-01-26 15:03:36 UTC
Description of problem:
This happens when I start a virtual machine or build a package in mock.
SELinux is preventing accounts-daemon from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-20.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.5.0-0.rc7.git0.2.fc32.x86_64 #1
                              SMP Mon Jan 20 22:22:45 +05 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-25 23:50:37 +05
Last Seen                     2020-01-25 23:50:37 +05
Local ID                      1e630b67-6a5a-467c-8db5-a8d0d37ce9af

Raw Audit Messages
type=AVC msg=audit(1579978237.369:96): avc:  denied  { sys_nice } for  pid=1249 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1


Hash: accounts-daemon,accountsd_t,accountsd_t,capability,sys_nice

Version-Release number of selected component:
selinux-policy-3.14.5-20.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.5.0-0.rc7.git0.2.fc32.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2020-01-27 12:34:58 UTC
Hi,

Thank you for reporting the issue. I've sent a PR to address it:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/189

Comment 2 Lukas Vrabec 2020-01-27 13:19:47 UTC
Is this operation expected?

Comment 3 Lukas Slebodnik 2020-01-30 16:53:36 UTC
I can also see another AVC for capability

type=AVC msg=audit(01/30/2020 17:47:34.676:85) : avc:  denied  { setsched } for  pid=1137 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1

Full output in enforcing and permissive mode

type=PROCTITLE msg=audit(01/30/2020 17:43:58.310:129) : proctitle=/usr/libexec/accounts-daemon 
type=SYSCALL msg=audit(01/30/2020 17:43:58.310:129) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) a0=0x54c a1=0x5587f7e36d90 a2=0x0 a3=0x7f2f7b977700 items=0 ppid=1 pid=1354 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) 
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { setsched } for  pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0 
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { sys_nice } for  pid=1354 comm=accounts-daemon capability=sys_nice  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(01/30/2020 17:46:38.548:240) : proctitle=/usr/libexec/accounts-daemon 
type=SYSCALL msg=audit(01/30/2020 17:46:38.548:240) : arch=x86_64 syscall=sched_setattr success=yes exit=0 a0=0x77a a1=0x564358d92d90 a2=0x0 a3=0x7f7555240700 items=0 ppid=1 pid=1912 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) 
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc:  denied  { setsched } for  pid=1912 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1 
type=AVC msg=audit(01/30/2020 17:46:38.548:240) : avc:  denied  { sys_nice } for  pid=1912 comm=accounts-daemon capability=sys_nice  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1

Reproducer:
systemctl restart accounts-daemon.service
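
The setroubleshoot advice in the description (ausearch piped into audit2allow) and the AVC lines quoted in this comment are two views of the same data. The following is an added Python example, not code from this report, from setroubleshoot or from the selinux-policy PR: it parses both audit formats seen here (raw audit.log lines with an epoch timestamp and quoted comm, and `ausearch -i` interpreted lines), lists the denials that happened in enforcing mode (permissive=0, the ones that actually make the daemon exit), and derives the allow rules audit2allow would generate from them. The sample lines are constructed from the messages quoted above; `parse_audit_log`, `suggest_rules` and `enforcing_denials` are names I chose.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records and one SYSCALL record, in the two
# formats that appear in this bug (raw audit.log and `ausearch -i` output).
SAMPLE_AUDIT_LINES = """\
type=AVC msg=audit(1579978237.369:96): avc:  denied  { sys_nice } for  pid=1249 comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { setsched } for  pid=1354 comm=accounts-daemon scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/30/2020 17:43:58.310:129) : avc:  denied  { sys_nice } for  pid=1354 comm=accounts-daemon capability=sys_nice  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(01/30/2020 17:43:58.310:129) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) pid=1354 comm=accounts-daemon
"""

# "msg=audit(<stamp>:<serial>)" followed by "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\(([^)]*)\)\s*:\s*avc:\s+(denied|granted)\s+"
    r"\{\s*([^}]*?)\s*\}\s+for\s+(.*)$"
)
# key=value pairs; values may be quoted (raw format) or bare (interpreted format)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    stamp, decision, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "serial": stamp.rsplit(":", 1)[-1],        # event serial, e.g. "129"
        "decision": decision,
        "perms": perms.split(),                     # e.g. ["sys_nice"]
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],  # source domain, e.g. accountsd_t
        "ttype": fields["tcontext"].split(":")[2],  # target type
        "tclass": fields["tclass"],                 # capability, process, ...
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def parse_audit_log(text):
    """Return the list of parsed AVC events found in an audit log excerpt."""
    events = (parse_avc(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def enforcing_denials(events):
    """Denials recorded while enforcing (permissive=0): these blocked the daemon."""
    return [ev for ev in events if ev["decision"] == "denied" and not ev["permissive"]]


def suggest_rules(events):
    """Aggregate denials into allow rules, the way audit2allow would print them."""
    perms_by_rule = defaultdict(set)
    for ev in events:
        if ev["decision"] != "denied":
            continue
        # A domain acting on its own context is written as "self" in policy.
        target = "self" if ev["stype"] == ev["ttype"] else ev["ttype"]
        perms_by_rule[(ev["stype"], target, ev["tclass"])].update(ev["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(perms_by_rule.items()):
        perms = sorted(perms)
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {p};")
    return rules


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LINES)
    for ev in enforcing_denials(events):
        print(f"enforcing denial in event {ev['serial']}: {ev['comm']} "
              f"{ev['tclass']} {' '.join(ev['perms'])}")
    for rule in suggest_rules(events):
        print(rule)
```

Running it against the constructed sample yields `allow accountsd_t self:capability sys_nice;` and `allow accountsd_t self:process setsched;`, and shows that only event 129 was denied in enforcing mode. Reading the generated rules before loading a local module is the point of the exercise: `self:capability sys_nice` lets the domain raise its own scheduling priority, so whether accountsd_t should hold it is exactly the question comment 2 raises about the operation being expected.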

Comment 4 Elliot Lee 2020-02-05 00:11:15 UTC
Because GNOME Display Manager (gdm) depends on accounts-daemon, and this problem causes accounts-daemon to exit with an error, users can't log in to their system due to this bug. It probably should have a higher priority and severity.

Also, this problem is not limited to just accounts-daemon. ModemManager has the same issue, as does anything else that uses glib2's GThreadPool system. So I don't think Zdenek's proposed patch is sufficient to really fix the root issue.

It appears that on the glib2 side of things, they should probably not make this a fatal (breakpoint-inducing) g_debug() log message. See bug #1795524 for their side of things.

Comment 5 Elliot Lee 2020-02-05 00:16:12 UTC
Oops, s/g_debug/g_error/ in my last comment.

Comment 6 Zdenek Pytela 2020-02-05 16:10:08 UTC

*** This bug has been marked as a duplicate of bug 1795524 ***