Bug 1282836
| Summary: | SELinux is preventing snapperd from using the 'dac_override' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Haller <haller_david> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 23 | CC: | adam.nacy, damian01w, darknater, dominick.grift, dwalsh, haller_david, johannespfrang, lvrabec, mgrepl, Per.t.Sjoholm, plautrba, ryanrowe, xtr.xtrnet |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:98bc055844003ce05b0ee4f8524f382a0ca446ca223cafcb8a33bb4e2764fd55;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-158.1.fc23 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-01-08 00:49:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: This error occurred while trying to create a root config file for Snapper. My root partition is btrfs. The error was occurring when trying to run the command: 'snapper -c root create-config /' Error also occurred after installing the dnf snapper plugin, when dnf would try to create a snapshot before a transaction. Version-Release number of selected component: selinux-policy-3.13.1-155.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.6-301.fc23.x86_64 type: libreport We will need to allow it. Adam, does it work with # grep snapperd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp (In reply to Miroslav Grepl from comment #2) > We will need to allow it. > > Adam, > does it work with > > # grep snapperd /var/log/audit/audit.log | audit2allow -M mypol > # semodule -i mypol.pp Yes, that works. But I have to repeat it for every snapper command, e.g create-config and delete-config. commit 5b2a1bca851b93a0c10c0afe9b2bcb620ce48acd
Author: Miroslav Grepl <mgrepl>
Date: Mon Dec 21 11:14:09 2015 +0100
Allow snapperd dac_override capability.
It is needed for: 'snapper -c root create-config /' command.
Is this fixed? It doesn't work for me unless I setenforce 0. selinux-policy-3.13.1-158.14.fc23.noarch snapper-0.2.8-1.fc23.x86_64 4.4.6-301.fc23.x86_64 Hi, Could you after successful reproducing this issue attach output of: # ausearch -m AVC Thank you. Snapper has dac_override now (this bug), but is still missing sys_admin, see other bug: https://bugzilla.redhat.com/show_bug.cgi?id=1283243 ---- time->Wed Apr 27 15:05:48 2016 type=AVC msg=audit(1461762348.630:315): avc: denied { sys_admin } for pid=7316 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0 |
Description of problem: Any snapper command fails if SELinux is enabled. However, snapper command executed by snapper-timeline.service run successfully. When I set SELinux to disabled, everything works again. SELinux is preventing snapperd from using the 'dac_override' capabilities. ***** Plugin dac_override (91.4 confidence) suggests ********************** If sie überprüfen wollen, ob Domäne diesen Zugriff benötigt oder Sie eine Datei mit den falschen Berechtigungen auf Ihrem System haben Then aktivieren Sie die vollständige Audit-Funktion, um die Pfad-Information der problematischen Datei zu erhalten. Dann reproduzieren Sie den Fehler erneut. Do Volle Audit-Funktion aktivieren # auditctl -w /etc/shadow -p w Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus # ausearch -m avc -ts recent Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/ Berechtigungen der Datei und korrigieren Sie dies, anderenfalls melden Sie dies an Bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If sie denken, dass snapperd standardmäßig dac_override Berechtigung haben sollten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # grep snapperd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023 Target Context system_u:system_r:snapperd_t:s0-s0:c0.c1023 Target Objects Unknown [ capability ] Source snapperd Source Path snapperd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-154.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-11-17 16:00:16 CET Last Seen 2015-11-17 16:00:16 CET Local ID cbb9a7b9-de6a-4173-a361-b09b97ba9d10 Raw Audit Messages type=AVC msg=audit(1447772416.17:591): avc: denied { dac_override } for pid=12131 comm="snapperd" capability=1 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0 Hash: snapperd,snapperd_t,snapperd_t,capability,dac_override Version-Release number of selected component: selinux-policy-3.13.1-154.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.5-300.fc23.x86_64 type: libreport