View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017899 | CentOS-8 | selinux-policy | public | 2020-12-01 02:37 | 2020-12-23 12:18 |
Reporter | Sat San | ||||
Priority | normal | Severity | minor | Reproducibility | random |
Status | new | Resolution | open | ||
Platform | x86_64 | OS | CentOS Linux | OS Version | 8.2.2004 |
Product Version | 8.2.2004 | ||||
Target Version | Fixed in Version | ||||
Summary | 0017899: SELinux is preventing rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t. | ||||
Description |

```
***** Plugin catchall (100. confidence) suggests **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-41.el8_2.8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64
Alert Count                   31
First Seen                    2020-11-26 23:29:07 +08
Last Seen                     2020-11-30 13:52:31 +08
Local ID                      7c621ee8-6228-42fc-806a-80904a1e6662

Raw Audit Messages
type=AVC msg=audit(1606715551.143:238): avc: denied { sys_ptrace } for pid=952 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace
```
Steps To Reproduce | Launched Mozilla Firefox 78.4.0esr in terminal mode: `$ firefox -private-window www.google.com`. Will try to roll back to the previous version or uninstall and reinstall the previous version! | ||||
Tags | No tags attached. | ||||
I get sealert popups related to this regularly and have done for a number of months. Previously thought this was caused by using a newer version of selinux policy (from staging) to work around an nvidia issue. However, with 8.3, this update is now part of base and the problem persists. In addition to triggering seemingly randomly, the problem can be reproduced by playing any YouTube video. |