SELinux Denial. Is it expected behavior?

:lady_beetle: SELinux seems to be blocking some functionality of the Cursor AppImage. I’ve been experiencing a lot of crashes lately; sometimes it freezes, sometimes it returns code 132.

:arrows_counterclockwise: I do not know how to reproduce it

:computer: Env
Cursor Version: Latest
Fedora 41
KDE Plasma 6.2.5
KDE Framework 6.10.0
QT Version 6.8.1
Kernel Version 6.12.9-200.fc41.x86_64 (64-bit)
Wayland

Hardware ThinkPad P1 Gen 4

:no_entry_sign: It makes it almost impossible to use, since it crashes mid-prompt; with longer prompts it doesn’t even finish.

SELinux Logs

SELinux is preventing systemd-coredum from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.28-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.28-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.12.9-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jan  9 16:05:40 UTC 2025
                              x86_64
Alert Count                   7
First Seen                    2025-01-15 16:31:54 -03
Last Seen                     2025-01-16 17:01:19 -03
Local ID                      6fb4xxxx-xxxx-xxxx-xxxx-xxxxxx

Raw Audit Messages
type=AVC msg=audit(1737057679.118:685): avc:  denied  { sys_admin } for  pid=88627 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin

Is this expected behavior? I really don't like the idea of giving it sys_admin capabilities.

Well, I guess I found a possible culprit.

I was using nohup and firejail to init my AppImage through a .bashrc function. I guess SELinux did not like the jailed processes :grimacing:

Testing right now and still no crash.

For those wondering, this is my current function.

cursor() {
    # Create the log directory if it doesn't exist
    mkdir -p "$HOME/.cursor_logs"

    # Get the current date and time for the log filename
    log_file="$HOME/.cursor_logs/$(date '+%Y-%m-%d_%H-%M-%S').log"

    # Run the AppImage and redirect output to the log file
    (/opt/cursor.appimage "$@" >"$log_file" 2>&1 &)
}

Sadly, the changes did nothing to fix the issue. I'm still having crashes, though much less often than before, but equally annoying.

Does anyone have any idea?
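
The raw audit message quoted in the first post, split into its fields, as an added example that is not part of the thread: it parses AVC records, rebuilds the comma-separated key shown on the report's `Hash:` line, and marks a denial as a self-capability check when the class is a capability class and the source and target types match. Only the first log line comes from the post; the other two are constructed sample input, and the function names are this example's own.

```python
import re
from collections import Counter

# Line 1 is the raw audit record quoted in the post. Line 2 is a constructed
# repeat (different pid/serial) and line 3 a constructed non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1737057679.118:685): avc:  denied  { sys_admin } for  pid=88627 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1737057700.000:701): avc:  denied  { sys_admin } for  pid=88901 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
type=SERVICE_START msg=audit(1737057701.000:702): pid=1 uid=0 msg='unit=example'
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    rec["result"] = m["result"]
    rec["perms"] = m["perms"].split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # Capability check against the process's own domain: the domain itself
    # lacks the capability; no other file or process is the target.
    rec["self_capability"] = (rec["tclass"].startswith("capability")
                              and rec["stype"] == rec["ttype"])
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def hash_key(rec):
    """Same comm,stype,ttype,class,perms layout as the report's 'Hash:' line."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])


def summarize(log_text):
    """Count enforced denials per hash key, skipping non-AVC lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["enforced"]:
            counts[hash_key(rec)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {key}")
```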