View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000030 | AlmaLinux-8 | selinux-policy | public | 2021-02-24 21:37 | 2021-12-31 03:05 |
| Reporter | wadeh | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | new | Resolution | open | ||
| Summary | 0000030: Launched firefox and tried to play a video, got SELinux alert | ||||
| Description | SELinux alert displayed while playing audio on youtube in firefox. | ||||
| Steps To Reproduce | 1. Loaded AlmaLinux RC1 in a VM on Fedora 33. 2. in background installed epel and installed some packages: dnf install marble marble-astro marble-qt 3. Launched firefox and opened a tab, entered youtube.com 4. Selected some classical music and it started playing 5. The selinux alert was displayed | ||||
| Additional Information | See attached | ||||
| Tags | No tags attached. | ||||
| abrt_hash | |||||
| URL | |||||
|
|
selinuxaltert.txt (2,447 bytes)
SELinux is preventing /usr/libexec/rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp
Additional Information:
Source Context system_u:system_r:rtkit_daemon_t:s0
Target Context system_u:system_r:rtkit_daemon_t:s0
Target Objects Unknown [ cap_userns ]
Source rtkit-daemon
Source Path /usr/libexec/rtkit-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages rtkit-0.11-19.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-240.el8.x86_64
#1 SMP Fri Jan 15 11:48:38 MSK 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-02-24 16:26:23 EST
Last Seen 2021-02-24 16:26:23 EST
Local ID 63cbf820-d877-4a0b-bc7d-01ca06260689
Raw Audit Messages
type=AVC msg=audit(1614201983.930:203): avc: denied { sys_ptrace } for pid=911 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=SYSCALL msg=audit(1614201983.930:203): arch=x86_64 syscall=readlink success=no exit=EACCES a0=7ffded68de30 a1=7ffded68dfa0 a2=7f a3=0 items=0 ppid=1 pid=911 auid=4294967295 uid=172 gid=172 euid=172 suid=172 fsuid=172 egid=172 sgid=172 fsgid=172 tty=(none) ses=4294967295 comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0 key=(null)
Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace
|
|
|
>Loaded AlmaLinux RC1 in a VM on Fedora 33. It's been a while since RC1 was released. I will have to check if this alert happens on latest release. |
|
|
installed AlmaLinux 8.5, installed firefox, played music on youtube - no SELinux alerts and no avc denials in the logs |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-02-24 21:37 | wadeh | New Issue | |
| 2021-02-24 21:37 | wadeh | File Added: selinuxaltert.txt | |
| 2021-12-13 04:03 | akdev | Note Added: 0000446 | |
| 2021-12-13 04:03 | akdev | Tag Attached: needstriage | |
| 2021-12-13 04:05 | akdev | Tag Detached: needstriage | |
| 2021-12-13 04:05 | akdev | Tag Attached: needs-repro | |
| 2021-12-31 03:05 | akdev | Note Added: 0000466 | |
| 2021-12-31 03:05 | akdev | Tag Detached: needs-repro |
