View Issue Details

ID: 0017899
Project: CentOS-8
Category: selinux-policy
View Status: public
Last Update: 2020-12-23 12:18
Reporter: Sat San
Assigned To:
Status: new
Resolution: open
Platform: x86_64
OS: CentOS Linux
OS Version: 8.2.2004
Product Version: 8.2.2004
Summary: 0017899: SELinux is preventing rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.

Description:
***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context system_u:system_r:rtkit_daemon_t:s0
Target Context system_u:system_r:rtkit_daemon_t:s0
Target Objects Unknown [ cap_userns ]
Source rtkit-daemon
Source Path rtkit-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-41.el8_2.8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64
Alert Count 31
First Seen 2020-11-26 23:29:07 +08
Last Seen 2020-11-30 13:52:31 +08
Local ID 7c621ee8-6228-42fc-806a-80904a1e6662

Raw Audit Messages
type=AVC msg=audit(1606715551.143:238): avc: denied { sys_ptrace } for pid=952 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace
Steps To Reproduce:
Launched Mozilla Firefox 78.4.0esr under terminal mode

$ firefox -private-window

Will try to roll back to the previous version or uninstall+install the previous version!
Tags: No tags attached.
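The sealert suggestion in the description pipes the denial into audit2allow and installs whatever it produces. The script below is an added example, not part of this report or of the selinux-policy package: it parses the AVC record quoted under Raw Audit Messages and renders the same allow rule and .te source that `audit2allow -M my-rtkitdaemon` would write, so the grant can be read before `semodule -i` applies it. The module name is the one the sealert output uses; the second AVC line (`dac_read_search`) is constructed and hypothetical, present only to show how permissions for one (source, target, class) merge into a single rule.

```python
"""Turn raw SELinux AVC denials into the allow rule(s) a local policy module would add.

Added example; not code from the bug report or from the selinux-policy project.
It emulates the rule-generation step of `audit2allow -M` so the .te can be
reviewed before `semodule -i` installs it. EXTRA_AVC is constructed/hypothetical.
"""
import re
from collections import defaultdict

# AVC record quoted in the report's "Raw Audit Messages".
REPORT_AVC = (
    'type=AVC msg=audit(1606715551.143:238): avc: denied { sys_ptrace } for pid=952 '
    'comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0'
)
# Constructed, hypothetical second denial for the same domain and class, used only
# to show how audit2allow merges permissions into one rule. Not from the report.
EXTRA_AVC = (
    'type=AVC msg=audit(1606715600.000:240): avc: denied { dac_read_search } for pid=952 '
    'comm="rtkit-daemon" capability=2 scontext=system_u:system_r:rtkit_daemon_t:s0 '
    'tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0'
)

_VERDICT = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract the fields that matter for policy from one AVC record."""
    m = _VERDICT.search(line)
    if not m:
        raise ValueError(f'not an AVC record: {line!r}')
    fields = dict(_FIELD.findall(line))
    # A context is user:role:type[:range]; the type is what policy rules name.
    return {
        'verdict': m.group(1),
        'perms': frozenset(m.group(2).split()),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the access was actually blocked, not merely logged.
        'enforced': fields.get('permissive') == '0',
    }


def check_scope(avc):
    """Where the capability was checked; the object class encodes it."""
    if avc['tclass'] in ('cap_userns', 'cap2_userns'):
        return 'user namespace'          # check made in a non-initial user namespace
    if avc['tclass'] in ('capability', 'capability2'):
        return 'initial namespace'
    return 'not a capability class'


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(lines):
    """One allow rule per (source, target, class), permissions merged, as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc['verdict'] != 'denied':
            continue
        # audit2allow writes `self` when source and target types are the same.
        target = 'self' if avc['target'] == avc['source'] else avc['target']
        merged[(avc['source'], target, avc['tclass'])] |= avc['perms']
    return [f'allow {src} {tgt}:{cls} {_fmt_perms(perms)};'
            for (src, tgt, cls), perms in sorted(merged.items())]


def module_te(name, lines):
    """Render the .te source that `audit2allow -M name` would write for these denials."""
    types, classes = set(), defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc['verdict'] != 'denied':
            continue
        types.update((avc['source'], avc['target']))
        classes[avc['tclass']] |= avc['perms']
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {cls} {_fmt_perms(p)};' for cls, p in sorted(classes.items())]
    out += ['}', '']
    out += allow_rules(lines)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    avc = parse_avc(REPORT_AVC)
    print(f"{avc['source']} denied {sorted(avc['perms'])} on {avc['tclass']} "
          f"({check_scope(avc)}, enforced={avc['enforced']})")
    print(module_te('my-rtkitdaemon', [REPORT_AVC]))
```

The rule this produces, `allow rtkit_daemon_t self:cap_userns sys_ptrace;`, grants rtkit-daemon the sys_ptrace capability inside non-initial user namespaces (class cap_userns rather than capability), which is consistent with the trigger in the report, since Firefox's Linux content sandbox uses user namespaces where the kernel permits them. Installing the module makes the alert go away by widening rtkit_daemon_t on that one host; the sealert text itself names filing a bug as the route to a default-policy fix. `permissive=0` in the record confirms the access was enforced, not just audited.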

2020-12-23 12:18 huw (reporter) ~0038134

I get sealert popups related to this regularly and have done for a number of months. I previously thought this was caused by using a newer version of selinux-policy (from staging) to work around an nvidia issue. However, with 8.3 this update is now part of base and the problem persists.

In addition to triggering seemingly randomly, the problem can be reproduced by playing any YouTube video.

Issue History

Date Modified     Username   Field        Change
2020-12-01 02:37  Sat San    New Issue
2020-12-23 12:18  huw        Note Added   0038134