fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

SELinux policy problems on Fedora 40 #2110

Closed Tiagoquix closed 3 weeks ago

Tiagoquix commented 2 months ago

Context: video games crashing (for both alerts).


```
SELinux is preventing systemd-coredum from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.17-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.17-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.8.7-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Apr 17 19:21:08 UTC 2024
                              x86_64
Alert Count                   3
First Seen                    2024-04-30 02:16:14 -03
Last Seen                     2024-05-02 19:47:56 -03
Local ID                      8f63820a-c1b4-4f8d-a134-a3139631dbb8

Raw Audit Messages
type=AVC msg=audit(1714690076.992:169): avc:  denied  { sys_admin } for  pid=2941 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0

Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin
```

```
SELinux is preventing abrt-dump-journ from connectto access on the unix_stream_socket /run/systemd/userdb/io.systemd.Home.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed connectto access on the io.systemd.Home unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /run/systemd/userdb/io.systemd.Home [ unix_stream_socket ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.17-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.17-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.8.8-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Apr 27 17:53:31 UTC 2024
                              x86_64
Alert Count                   34
First Seen                    2024-04-30 02:02:28 -03
Last Seen                     2024-05-04 00:04:16 -03
Local ID                      419378c2-85d6-4f98-9216-56acff9c556e

Raw Audit Messages
type=AVC msg=audit(1714791856.980:220): avc:  denied  { connectto } for  pid=1404 comm="abrt-dump-journ" path="/run/systemd/userdb/io.systemd.Home" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

Hash: abrt-dump-journ,abrt_dump_oops_t,init_t,unix_stream_socket,connectto
```

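The catchall plugin's suggested commands (`ausearch ... --raw | audit2allow -M ...` followed by `semodule -X 300 -i ...`) write and install a module granting exactly what was denied, so for the first report they would hand systemd_coredump_t the sys_admin capability. Before installing such a module it is worth seeing the rule it will contain. The following is an added example (not code from the selinux-policy project or from anyone in this thread) that parses the two raw AVC lines quoted above and renders the allow rule and .te module in the shape `audit2allow -M` produces, flagging root-equivalent capabilities that belong in an upstream bug rather than a local module. The shortlist of such capabilities is my own assumption, and real audit2allow output may differ in comments and ordering.

```python
"""Parse raw SELinux AVC denials (the 'Raw Audit Messages' block sealert prints)
and build the allow rules / .te module that audit2allow -M would write, so the
rule can be reviewed before `semodule -i` installs it.

Added example; not code from the selinux-policy project.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two raw AVC lines quoted in this issue.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1714690076.992:169): avc:  denied  { sys_admin } for  pid=2941 '
    'comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 '
    'tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1714791856.980:220): avc:  denied  { connectto } for  pid=1404 '
    'comm="abrt-dump-journ" path="/run/systemd/userdb/io.systemd.Home" '
    'scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket permissive=0',
]

# Capabilities that are effectively root: granting one of these to a system
# domain is a policy change to report upstream, not a local workaround.
# (Assumption: a reviewer's shortlist, not an official SELinux list.)
ROOT_EQUIVALENT_CAPS = frozenset(
    {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio", "dac_override", "setuid", "setgid"}
)

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fmt_perms(perms: Tuple[str, ...]) -> str:
    """audit2allow writes a single permission bare and several in braces."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def _type_of(context: str) -> str:
    """A context is user:role:type:level; the level itself may contain colons."""
    return context.split(":")[2]


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]   # e.g. ("sys_admin",)
    stype: str               # source domain type, e.g. systemd_coredump_t
    ttype: str               # target type
    tclass: str              # object class, e.g. capability
    comm: str                # process name as logged (kernel truncates it to 15 chars)
    permissive: bool

    def rule(self) -> str:
        """The allow rule audit2allow would emit for this denial."""
        target = "self" if self.stype == self.ttype else self.ttype
        return f"allow {self.stype} {target}:{self.tclass} {_fmt_perms(self.perms)};"

    def is_root_equivalent(self) -> bool:
        return self.tclass == "capability" and bool(ROOT_EQUIVALENT_CAPS & set(self.perms))


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial in an AVC audit line, or None for non-AVC / granted lines."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return AvcDenial(
        perms=tuple(m.group(1).split()),
        stype=_type_of(kv["scontext"]),
        ttype=_type_of(kv["tcontext"]),
        tclass=kv["tclass"],
        comm=kv.get("comm", "?"),
        permissive=kv.get("permissive") == "1",
    )


def to_te_module(name: str, denials: List[AvcDenial]) -> str:
    """Render the .te source audit2allow -M writes: header, require block, rules."""
    types = sorted({t for d in denials for t in (d.stype, d.ttype)})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_fmt_perms(tuple(sorted(p)))};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += sorted({d.rule() for d in denials})
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = [d for d in (parse_avc(l) for l in SAMPLE_AVCS) if d]
    for d in found:
        note = "  # root-equivalent: report as a bug, do not ship locally" if d.is_root_equivalent() else ""
        print(d.rule() + note)
    print(to_te_module("my-local", found))
```

Run against the two quoted denials this prints `allow systemd_coredump_t self:capability sys_admin;` (flagged) and `allow abrt_dump_oops_t init_t:unix_stream_socket connectto;`. If a priority-300 workaround module is installed anyway, it outranks the distribution module (priority 100) and should be removed with `semodule -X 300 -r <name>` once the fixed selinux-policy package lands. The odd process name in the reports, `systemd-coredum`, is only the kernel's 15-character truncation of `systemd-coredump` in the comm field, not a different binary.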
zpytela commented 2 months ago

Problems with abrt have been resolved; for sd-coredump we are awaiting further information: https://bugzilla.redhat.com/show_bug.cgi?id=2278902

Tiagoquix commented 2 months ago

For sd-coredump, it also happens when normal applications crash (such as GIMP).

zpytela commented 2 months ago

I cannot see any AVC denial on my systems after killing running services, that's why additional inputs are needed.

Tiagoquix commented 2 months ago

For me there's a new bug in GIMP, and maybe you can test it too.

It always crashes if I crop an image, export it and then discard the changes to the original image. Then SELinux complains and denies the access for sd-coredump.

Tiagoquix commented 4 weeks ago

@zpytela Hi there. Another systemd-coredum -> sys_admin happened to me today:

```
SELinux is preventing systemd-coredum from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.20-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.20-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.8.11-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024
                              x86_64
Alert Count                   6
First Seen                    2024-04-30 02:16:14 -03
Last Seen                     2024-06-08 11:53:48 -03
Local ID                      8f63820a-c1b4-4f8d-a134-a3139631dbb8

Raw Audit Messages
type=AVC msg=audit(1717858428.104:449): avc:  denied  { sys_admin } for  pid=31054 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0

Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin
```

zpytela commented 3 weeks ago

The root cause has been found and issue fixed. https://github.com/fedora-selinux/selinux-policy/pull/2151