SELinux crashes Flatpak version of VSCodium on Fedora KDE Spin 40

SELinux is preventing systemd-coredum from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.13-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.13-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 6.8.5-301.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 11 20:00:10 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-04-16 21:19:29 +06
Last Seen                     2024-04-16 21:19:29 +06
Local ID                      40ca4ac8-2f70-452d-9474-197f57501c91

Raw Audit Messages
type=AVC msg=audit(1713280769.310:549): avc:  denied  { sys_admin } for  pid=10690 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin

Error 2

SELinux is preventing abrt-dump-journ from write access on the sock_file io.systemd.Home.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed write access on the io.systemd.Home sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:systemd_userdbd_runtime_t:s0
Target Objects                io.systemd.Home [ sock_file ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.13-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.13-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 6.8.5-301.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 11 20:00:10 UTC 2024
                              x86_64
Alert Count                   6
First Seen                    2024-04-16 21:19:30 +06
Last Seen                     2024-04-16 21:19:30 +06
Local ID                      5c6a8ede-61fd-49af-bf1a-eef5822f60b2

Raw Audit Messages
type=AVC msg=audit(1713280770.64:567): avc:  denied  { write } for  pid=1259 comm="abrt-dump-journ" name="io.systemd.Home" dev="tmpfs" ino=2126 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0


Hash: abrt-dump-journ,abrt_dump_oops_t,systemd_userdbd_runtime_t,sock_file,write

Error 3

SELinux is preventing abrt-server from using the nnp_transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-server should be allowed nnp_transition access on processes labeled abrt_handle_event_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-server' --raw | audit2allow -M my-abrtserver
# semodule -X 300 -i my-abrtserver.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:abrt_handle_event_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process2 ]
Source                        abrt-server
Source Path                   abrt-server
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.13-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.13-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 6.8.5-301.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 11 20:00:10 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-04-16 21:19:30 +06
Last Seen                     2024-04-16 21:19:30 +06
Local ID                      f6308847-6f92-4d21-bf89-73286d3039da

Raw Audit Messages
type=AVC msg=audit(1713280770.464:574): avc:  denied  { nnp_transition } for  pid=10746 comm="abrt-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023 tclass=process2 permissive=0


Hash: abrt-server,abrt_t,abrt_handle_event_t,process2,nnp_transition

I was trying out Fedora 40 and I can’t seem to launch VSCodium because of SELinux.

Please use the preformatted text tags (the </> button on the toolbar) and post text as copy&paste from your screen into the post whenever possible.
Images take more storage space, are not searchable, and difficult to quote when pointing out solutions or specific errors. Later users cannot find the info when searching for terms that may be contained in the image.

In many cases there may be information that is scrolled off the screen to the right which is necessary to solve a situation but can never be seen with an image.


Is that supposed to be called systemd-coredum?

The images are from the new app SELinux troubleshooter. systemd-coredump does show up in errors but I am not sure what they really mean.

Hi, Thanks for the tips. I have updated the post accordingly. And sorry for not doing it the correct way before.


Similar warnings with discord flatpak under Fedora KDE 40 + Wayland:

sudo ausearch -m avc -ts recent:

...
----
time->Tue May 21 22:08:58 2024
type=AVC msg=audit(1716293338.627:2773): avc:  denied  { execheap } for  pid=1784563 comm="ThreadPoolForeg" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Tue May 21 22:08:58 2024
type=AVC msg=audit(1716293338.627:2774): avc:  denied  { execheap } for  pid=1784563 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Tue May 21 22:08:58 2024
type=AVC msg=audit(1716293338.631:2776): avc:  denied  { sys_admin } for  pid=1784584 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0

SELinux troubleshooter has been around for probably more than 30 previous releases of Fedora.

I am still wondering about the missing “p” in “coredump”.
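
Added example, not part of any post in this thread: a small triage script that parses the AVC records quoted above into the same five-field key shown on the troubleshooter's `Hash:` lines and counts repeats. It also flags `comm` values that are exactly 15 characters long, because the kernel stores a task's command name in a 16-byte buffer (`TASK_COMM_LEN`), so longer names such as `systemd-coredump` appear cut off in audit records. The function names are this example's own.

```python
import re
from collections import Counter

# AVC records copied from the posts above.
SAMPLE = """\
type=AVC msg=audit(1713280769.310:549): avc:  denied  { sys_admin } for  pid=10690 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1713280770.64:567): avc:  denied  { write } for  pid=1259 comm="abrt-dump-journ" name="io.systemd.Home" dev="tmpfs" ino=2126 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1713280770.464:574): avc:  denied  { nnp_transition } for  pid=10746 comm="abrt-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023 tclass=process2 permissive=0
type=AVC msg=audit(1716293338.627:2773): avc:  denied  { execheap } for  pid=1784563 comm="ThreadPoolForeg" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1716293338.627:2774): avc:  denied  { execheap } for  pid=1784563 comm="Discord" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1716293338.631:2776): avc:  denied  { sys_admin } for  pid=1784584 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TASK_COMM_LEN = 16  # kernel buffer size: 15 visible characters plus NUL

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    comm = fields.get("comm", "")
    return {
        "perms": m.group(1).split(),
        "comm": comm,
        "stype": fields["scontext"].split(":")[2],   # SELinux type of the source
        "ttype": fields["tcontext"].split(":")[2],   # SELinux type of the target
        "tclass": fields["tclass"],
        "comm_at_limit": len(comm) == TASK_COMM_LEN - 1,  # name may be cut off
    }

def denial_keys(rec):
    """'comm,stype,ttype,class,perm' keys; one per permission (example's choice)."""
    return [",".join((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], p))
            for p in rec["perms"]]

def summarize(text):
    """Count distinct denials and collect comm values that hit the 15-char limit."""
    counts, at_limit = Counter(), set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts.update(denial_keys(rec))
        if rec["comm_at_limit"]:
            at_limit.add(rec["comm"])
    return counts, at_limit

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A 15-character `comm` is only a hint that the name may be cut off; a process whose real name is exactly 15 characters looks the same.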