View Issue Details

ID: 0000030
Project: AlmaLinux-8
Category: selinux-policy
View Status: public
Last Update: 2021-12-31 03:05
Reporter: wadeh
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0000030: Launched firefox and tried to play a video, got SELinux alert
Description: SELinux alert displayed while playing audio on youtube in firefox.
Steps To Reproduce:
1. Loaded AlmaLinux RC1 in a VM on Fedora 33.
2. In background installed epel and installed some packages:
       dnf install marble marble-astro marble-qt
3. Launched firefox and opened a tab, entered youtube.com
4. Selected some classical music and it started playing
5. The selinux alert was displayed

Additional Information: See attached
Tags: No tags attached.
Attached Files
selinuxaltert.txt (2,447 bytes)   
SELinux is preventing /usr/libexec/rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp

Additional Information:
Source Context                system_u:system_r:rtkit_daemon_t:s0
Target Context                system_u:system_r:rtkit_daemon_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        rtkit-daemon
Source Path                   /usr/libexec/rtkit-daemon
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           rtkit-0.11-19.el8.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.18.0-240.el8.x86_64
                              #1 SMP Fri Jan 15 11:48:38 MSK 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-02-24 16:26:23 EST
Last Seen                     2021-02-24 16:26:23 EST
Local ID                      63cbf820-d877-4a0b-bc7d-01ca06260689

Raw Audit Messages
type=AVC msg=audit(1614201983.930:203): avc:  denied  { sys_ptrace } for  pid=911 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0


type=SYSCALL msg=audit(1614201983.930:203): arch=x86_64 syscall=readlink success=no exit=EACCES a0=7ffded68de30 a1=7ffded68dfa0 a2=7f a3=0 items=0 ppid=1 pid=911 auid=4294967295 uid=172 gid=172 euid=172 suid=172 fsuid=172 egid=172 sgid=172 fsgid=172 tty=(none) ses=4294967295 comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0 key=(null)

Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace


Activities

akdev   2021-12-13 04:03   reporter   ~0000446

>Loaded AlmaLinux RC1 in a VM on Fedora 33.

It's been a while since RC1 was released. I will have to check if this alert happens on the latest release.

akdev   2021-12-31 03:05   reporter   ~0000466

Installed AlmaLinux 8.5, installed firefox, played music on youtube - no SELinux alerts and no avc denials in the logs.

Issue History

Date Modified     Username  Field                          Change
2021-02-24 21:37  wadeh     New Issue
2021-02-24 21:37  wadeh     File Added: selinuxaltert.txt
2021-12-13 04:03  akdev     Note Added: 0000446
2021-12-13 04:03  akdev     Tag Attached: needstriage
2021-12-13 04:05  akdev     Tag Detached: needstriage
2021-12-13 04:05  akdev     Tag Attached: needs-repro
2021-12-31 03:05  akdev     Note Added: 0000466
2021-12-31 03:05  akdev     Tag Detached: needs-repro