SELinux denials related to "sss_cache" while installing software

Problem

While installing software (whether from the DNF command line or GUI tools), you notice a message like SELinux is preventing sss_cache from using the setgid capability, or see something like this in system logs:

avc: denied { setgid } for pid=3823 comm="sss_cache" capability=6 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability

Cause

Under investigation

Related Issues

Bugzilla report: #2022690

Workarounds

None yet.
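As an added example (not part of this topic, the Bugzilla report, or any Fedora tooling), a small Python triage script that parses AVC denial lines and flags only those matching the sss_cache/groupadd_t setgid pattern quoted above, so an administrator can separate this known denial from denials that deserve a closer look. The sample log lines are constructed; the parser, field names and filter thresholds are assumptions based on the standard AVC record layout.

```python
import re

# Constructed sample audit lines (not from a real system). The first mirrors the
# denial quoted in this topic; the other two are unrelated denials for contrast.
SAMPLE_LOGS = [
    'avc: denied { setgid } for pid=3823 comm="sss_cache" capability=6 '
    'scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability',
    'avc: denied { read write } for pid=4100 comm="httpd" name="shadow" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'avc: denied { setgid } for pid=4200 comm="crond" capability=6 '
    'scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=capability',
]

# Permission set in braces, then the space-separated key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': set, <field>: value, ...} for one AVC denial, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def domain_type(context):
    """Extract the type component (user:role:TYPE:level) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def is_known_sss_cache_denial(rec):
    """True only for the exact pattern quoted in this topic: sss_cache in groupadd_t denied setgid."""
    return (
        rec is not None
        and rec.get("comm") == "sss_cache"
        and rec.get("tclass") == "capability"
        and "setgid" in rec["perms"]
        and domain_type(rec.get("scontext", "")) == "groupadd_t"
    )


def triage(lines):
    """Split parsed denials into those matching the known issue and all others."""
    known, other = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            (known if is_known_sss_cache_denial(rec) else other).append(rec)
    return known, other
```

Feed it the output of `ausearch -m avc` or `journalctl` to see how many of a system's denials are this one cosmetic issue versus something else.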

I have seen a similar message from selinux with at least one of my past updates. I vote for common issue.

Yeah, it seems like there are a lot of people chiming in in the Bugzilla report, plus at least one report here: SELinux issue sometimes when installing packages using DNF

Nobody mentioned any side effect or problem related to this, so it seems this is not severe enough to get listed among Common Issues.


Okay, I can accept that. I guess my thinking was: a lot of people are seeing it thinking it might be a problem and asking about it, so it might be nice to provide an easy, quick reassurance.


Shrug. We can’t clone the Bugzilla here :slight_smile: We never formalized what exactly goes into CommonBugs, we went by gut feeling, and at least in my case it was a) issues with high impact for the user and b) very visible issues.

This one is only visible to users who manually install setroubleshoot (or have a very old upgraded system) or look into system logs. And those people are often also able to find the bugzilla report themselves (setroubleshoot points you to it, if you choose to report the issue). The impact seems to be zero.

On the other hand, we sifted through the bugs because we used to write all the CommonBugs entries ourselves. When the topic has already been written by someone, I don’t see much disadvantage promoting it. The only downside is that if we have too many of these, the important ones might get lost between the less important ones, and that wouldn’t benefit our users. So it’s about striking some balance, I guess. On wiki, we had different sections (GNOME, KDE, Server, Installer, etc) and I tried to put the most important issues to the top. We can’t do that here. Tagging the topics can improve the situation somewhat, but only to a certain extent.

An update has been released to fix this issue.

After you update your system in your usual way (and possibly reboot), you should no longer be affected by this problem. If the problem persists, please start a new discussion topic and we’ll help figure out what’s still wrong.

We haven’t agreed whether to promote this, and now it’s somewhat pointless, so I’ll just close this.
