On Nightly 69.0a1 and one prior version I have been getting SELinux AVC denial: preventing rtkit-daemon from sys_ptrace
Categories
(Core :: Widget: Gtk, defect, P3)
People
(Reporter: dionysus.hypnos, Unassigned)
Attachments: 1 file (5.20 MB, video/mp4)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Steps to reproduce:
I am running Fedora 30 with GNOME 3.32.2. The error impacts Firefox Nightly 69.0a1 (2019-06-23) and the version one day prior (2019-06-22). This is a new problem that I haven't had before. It does not happen with Firefox Quantum 67.0.4. When using Nightly I get very many of the same SELinux AVC Alert:
SELinux is preventing rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.
The warning pops up very frequently during a browsing session - many times per minute. I tried replicating it using Quantum 67.0.4 and did not get the error. I also tried creating a new profile in Nightly with no extensions nor modifications to preferences and I continued to get the SELinux rtkit-daemon alert. The SETroubleshoot Details are below.
Actual results:
SELinux is preventing rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
semodule -X 300 -i my-rtkitdaemon.pp
Additional Information:
Source Context system_u:system_r:rtkit_daemon_t:s0
Target Context system_u:system_r:rtkit_daemon_t:s0
Target Objects Unknown [ cap_userns ]
Source rtkit-daemon
Source Path rtkit-daemon
Port <Unknown>
Host rog
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rog
Platform Linux rog 5.1.12-300.fc30.x86_64 #1 SMP Wed Jun 19
15:19:49 UTC 2019 x86_64 x86_64
Alert Count 6
First Seen 2019-06-23 14:33:44 CDT
Last Seen 2019-06-23 14:33:48 CDT
Local ID 5467f127-3910-4e0c-a044-7dc1bee588ca
Raw Audit Messages
type=AVC msg=audit(1561318428.569:2459): avc: denied { sys_ptrace } for pid=1213 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace
Expected results:
Beyond my knowledge and skill to know, other than it probably shouldn't be happening. And never happened prior to 2019-06-22.
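Added example, not part of the original report or of any Mozilla or Fedora tooling: a small Python parser for the raw AVC record quoted in the report. It rebuilds the key shown on the "Hash:" line, counts repeated denials, and renders the type-enforcement rule such a denial corresponds to so it can be reviewed before any local policy module is loaded. The second sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the AVC record from the report, plus a made-up repeat
# (serial 2460) to show how frequent alerts aggregate.
SAMPLE = """\
type=AVC msg=audit(1561318428.569:2459): avc: denied { sys_ptrace } for pid=1213 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1561318428.570:2460): avc: denied { sys_ptrace } for pid=1213 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in
           re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest'])}
    rec['perms'] = m['perms'].split()
    rec['serial'] = int(m['serial'])
    rec['time'] = datetime.fromtimestamp(float(m['ts']), tz=timezone.utc)
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['comm'], rec['stype'], rec['ttype'],
                        rec['tclass'], perm)] += 1
    return counts

def te_rule(stype, ttype, tclass, perm):
    """Render the allow rule for review; same source and target type is 'self'."""
    target = 'self' if stype == ttype else ttype
    return f'allow {stype} {target}:{tclass} {perm};'

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, ','.join(key), '->', te_rule(*key[1:]))
```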
Hi Dave,
Could you share with us steps in order to try to reproduce this on our end? It will be a great help if you can also add screenshots or a screen recording so we can see the warning alerts you mention.
In the meantime, I'll add the product and component so that the corresponding dev team can take a look at this.
Thank you for your report.
Hey Virginia -
Sincere apologies for the late response. Had an unexpected family issue. I am going to record a screen cast that hopefully provides you and the dev team the info needed.
Here is a screencast of Bug 1560811
Hi Dave,
Thanks for the video! That way we know where to start looking.
I'll mark this ticket as NEW.
Regards,
Comment 5•5 years ago
Dave, can you please file this bug directly at https://bugzilla.redhat.com/ under Fedora/Firefox component? That needs expertise from SELinux folks who don't have access here and it's related to Fedora specific environment anyway. Thanks!
Comment 6•1 year ago
A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Closing the bug as incomplete.
For more information, please visit auto_nag documentation.