Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Confined user show policy issue: Thunderbird cannot access /dev/random & rtkit-daemon struggles (always when Thunderbird starts, sometimes independently) #1846

Open
py0xc3 opened this issue Aug 22, 2023 · 0 comments
Open

Confined user show policy issue: Thunderbird cannot access /dev/random & rtkit-daemon struggles (always when Thunderbird starts, sometimes independently) #1846

py0xc3 opened this issue Aug 22, 2023 · 0 comments

Comments

@py0xc3
Copy link

py0xc3 commented Aug 22, 2023
edited
Loading

Working with Fedora 38 KDE Spin, x86_64, up to date as of today, only Fedora default repositories (stable), kernel tainted = 0, my user account is confined with sysadm_u (x boolean is enabled).

Thunderbird starts without error message or so, but the logs reveal that it cannot access /dev/random. It is unclear what Thunderbird is using for getting entropy for cryptographic tasks, but low quality entropy is likely if it cannot access /dev/random.

Additionally, when I start Thunderbird, the access denial of /dev/random is always preceded by a "rtkit-daemon" denial. I am not sure if this denial needs an adjustment or if it makes sense to keep this denial -> it does not cause measurable issues. Also, the "rtkit-daemon" denial occurs independently from Thunderbird.

Two equal cases where I start Thunderbird and close it soon later, extract from root's journalctl:

Aug 21 19:29:56 domain kwin_wayland[2484]: This plugin does not support raise()
Aug 21 19:29:55 domain systemd[1]: setroubleshootd.service: Consumed 1.171s CPU time.
Aug 21 19:29:55 domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:29:55 domain systemd[1]: setroubleshootd.service: Deactivated successfully.
Aug 21 19:29:55 domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@4 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:29:55 domain systemd[1]: dbus-:[email protected]: Deactivated successfully.
Aug 21 19:29:54 domain wireplumber[2487]: <WpSiNode:0x55a91bbb7ac0> failed to activate item: Object activation aborted: proxy destroyed
Aug 21 19:29:54 domain wireplumber[2487]: <WpSiNode:0x55a91bbb7ac0> Object activation aborted: proxy destroyed
Aug 21 19:29:45 domain seapplet[2923]: seapplet: Can't show a notification: g-io-error-quark: GDBus.Error:org.freedesktop.Notifications.Error.ExcessNotificationGeneration: Created too many similar notifications in quick succession (36)
Aug 21 19:29:45 domain setroubleshoot[5482]: SELinux is preventing thunderbird from write access on the chr_file urandom.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that thunderbird should be allowed write access on the urandom chr_file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'thunderbird' --raw | audit2allow -M my-thunderbird
                                             # semodule -X 300 -i my-thunderbird.pp

Aug 21 19:29:45 domain setroubleshoot[5482]: SELinux is preventing thunderbird from write access on the chr_file urandom. For complete SELinux messages run: sealert -l e00e76c6-1892-4587-ad80-c4eda6dbc478
Aug 21 19:29:45 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598feb70c50) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 19:29:45 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598feb70c50) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 19:29:45 domain setroubleshoot[5482]: SELinux is preventing rtkit-daemon from using the setsched access on a process.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rtkit-daemon should be allowed setsched access on processes labeled sysadm_t by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
                                             # semodule -X 300 -i my-rtkitdaemon.pp

Aug 21 19:29:45 domain setroubleshoot[5482]: SELinux is preventing rtkit-daemon from using the setsched access on a process. For complete SELinux messages run: sealert -l a8335f0c-a78b-40d7-aa16-d655f8659d59
Aug 21 19:29:45 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@4 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:29:45 domain systemd[1]: Started dbus-:[email protected].
Aug 21 19:29:44 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:29:44 domain systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Aug 21 19:29:43 domain systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Aug 21 19:29:43 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:29:43 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:29:42 domain pipewire[2486]: mod.client-node: 0x558d1d1fab10: unknown peer 0x558d1d1c6800 fd:56
Aug 21 19:29:41 domain audit[5265]: AVC avc:  denied  { write } for  pid=5265 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Aug 21 19:29:41 domain rtkit-daemon[1616]: Failed to make thread 5436 RT: Permission denied
Aug 21 19:29:41 domain audit[1616]: AVC avc:  denied  { setsched } for  pid=1616 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Aug 21 19:29:37 domain pipewire[2486]: mod.client-node: 0x558d1cfed020: unknown peer 0x558d1d1a2ca0 fd:95
Aug 21 19:29:35 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
...
... <many duplications of the "kwin_screencast: Dropping a screencast frame because the compositor is slow" entry>
...
Aug 21 19:29:35 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:29:34 domain pipewire[2486]: mod.client-node: 0x558d1d1b0e90: unknown peer 0x558d1d1c0f90 fd:54
Aug 21 19:29:34 domain pipewire[2486]: mod.client-node: 0x558d1d1a15b0: unknown peer 0x558d1d063530 fd:91
Aug 21 19:29:34 domain pipewire[2486]: mod.client-node: 0x558d1d1ebb60: unknown peer 0x558d1d1c6800 fd:93
Aug 21 19:29:34 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:29:34 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:29:33 domain pipewire[2486]: mod.client-node: 0x558d1d1a2ca0: unknown peer 0x558d1d1a15b0 fd:95
Aug 21 19:29:33 domain pipewire[2486]: mod.client-node: 0x558d1d1bfb40: unknown peer 0x558d1d1c6800 fd:56
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:31 domain plasmashell[5265]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:29:30 domain thunderbird[5265]: Locale not supported by C library.
                                                  Using the fallback 'C' locale.
Aug 21 19:29:30 domain plasmashell[2617]: QString::arg: 2 argument(s) missing in mozilla-thunderbird
Aug 21 19:29:25 domain plasmashell[2617]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
Aug 21 19:29:06 domain kwin_wayland[2484]: This plugin does not support raise()
Aug 21 19:28:49 domain systemd[1]: setroubleshootd.service: Consumed 1.177s CPU time.
Aug 21 19:28:49 domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:28:49 domain systemd[1]: setroubleshootd.service: Deactivated successfully.
Aug 21 19:28:49 domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:28:49 domain systemd[1]: dbus-:[email protected]: Deactivated successfully.
Aug 21 19:28:40 domain kwin_wayland[2484]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Aug 21 19:28:39 domain seapplet[2923]: seapplet: Can't show a notification: g-io-error-quark: GDBus.Error:org.freedesktop.Notifications.Error.ExcessNotificationGeneration: Created too many similar notifications in quick succession (36)
Aug 21 19:28:39 domain setroubleshoot[5186]: SELinux is preventing thunderbird from write access on the chr_file urandom.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that thunderbird should be allowed write access on the urandom chr_file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'thunderbird' --raw | audit2allow -M my-thunderbird
                                             # semodule -X 300 -i my-thunderbird.pp

Aug 21 19:28:39 domain setroubleshoot[5186]: SELinux is preventing thunderbird from write access on the chr_file urandom. For complete SELinux messages run: sealert -l e00e76c6-1892-4587-ad80-c4eda6dbc478
Aug 21 19:28:39 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598fb6f4580) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 19:28:39 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598fb6f4580) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 19:28:39 domain setroubleshoot[5186]: SELinux is preventing rtkit-daemon from using the setsched access on a process.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rtkit-daemon should be allowed setsched access on processes labeled sysadm_t by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
                                             # semodule -X 300 -i my-rtkitdaemon.pp

Aug 21 19:28:39 domain setroubleshoot[5186]: SELinux is preventing rtkit-daemon from using the setsched access on a process. For complete SELinux messages run: sealert -l a8335f0c-a78b-40d7-aa16-d655f8659d59
Aug 21 19:28:39 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:28:39 domain systemd[1]: Started dbus-:[email protected].
Aug 21 19:28:38 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 19:28:38 domain systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Aug 21 19:28:38 domain systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Aug 21 19:28:37 domain audit[4983]: AVC avc:  denied  { write } for  pid=4983 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Aug 21 19:28:36 domain rtkit-daemon[1616]: Failed to make thread 5152 RT: Permission denied
Aug 21 19:28:36 domain audit[1616]: AVC avc:  denied  { setsched } for  pid=1616 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain plasmashell[4983]: ATTENTION: default value of option mesa_glthread overridden by environment.
Aug 21 19:28:31 domain thunderbird[4983]: Locale not supported by C library.
                                                  Using the fallback 'C' locale.
Aug 21 19:28:31 domain plasmashell[2617]: QString::arg: 2 argument(s) missing in mozilla-thunderbird

Extract from root's journalctl where the "rtkit-daemon" denial takes place independently from Thunderbird (this time it seems to correlate with Firefox, but there are several seconds in between and this can be a coincident anyway since Firefox is mostly running if my machine is up):

Aug 21 20:14:53 domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.kde.powerdevil.backlighthelper@3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 20:14:53 domain systemd[1]: dbus-:[email protected]: Deactivated successfully.
Aug 21 20:14:52 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598fb687140) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 20:14:52 domain plasmashell[2617]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x5598fb687140) QQmlContext(0x5598fc574120) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Aug 21 20:14:52 domain setroubleshoot[7998]: SELinux is preventing rtkit-daemon from using the setsched access on a process.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rtkit-daemon should be allowed setsched access on processes labeled sysadm_t by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
                                             # semodule -X 300 -i my-rtkitdaemon.pp

Aug 21 20:14:52 domain setroubleshoot[7998]: SELinux is preventing rtkit-daemon from using the setsched access on a process. For complete SELinux messages run: sealert -l a8335f0c-a78b-40d7-aa16-d655f8659d59
Aug 21 20:14:51 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@12 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 20:14:51 domain systemd[1]: Started dbus-:[email protected].
Aug 21 20:14:50 domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 21 20:14:50 domain systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Aug 21 20:14:50 domain systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Aug 21 20:14:48 domain rtkit-daemon[1616]: Failed to make thread 7839 RT: Permission denied
Aug 21 20:14:48 domain audit[1616]: AVC avc:  denied  { setsched } for  pid=1616 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Aug 21 20:14:47 domain firefox[7662]: Locale not supported by C library.
                                              Using the fallback 'C' locale.
Aug 21 20:14:47 domain plasmashell[2617]: QString::arg: 2 argument(s) missing in firefox
Aug 21 20:14:47 domain plasmashell[2617]: kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found

-> The "rtkit-daemon" denial is also occurring during the sddm logins along with many other denials (I put this into a separated topic: #1847 )

Possible relations to #1839 and #1835
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@py0xc3