Bug 1451377
Summary: | SELinux is preventing accounts-daemon from using the 'dac_read_search' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Delete My Account <c.crispino8611> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | alciregi, alick9188, amessina, awilliam, baptiste.millemathias, brunch875, buzire.rhn, carl, dominick.grift, dwalsh, fedora, igeorgex, iliketurtlesbro, jfrieben, kparal, lvrabec, mgrepl, mikhail.v.gavrilov, nils.tonnaett, plautrba, pmoore, rxguy, ssekidde, vondruch |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | AcceptedBlocker abrt_hash:7f0096e1b311125ce6e727e034242a4865f79cd0e9a9e92274ecd7036e106960; | ||
Fixed In Version: | selinux-policy-3.13.1-273.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-24 07:41:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1396704 |
Description
Delete My Account
2017-05-16 14:22:59 UTC
Description of problem: This is a fresh rawhide installation upgraded from a fresh f25 installation using the dnf upgrade plugin. I was told in IRC the issue is due to a kernel change where the order of dac_read_search and dac_override changed to fix check dac_read_search.

Version-Release number of selected component: selinux-policy-3.13.1-255.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.0-0.rc3.git0.2.fc27.x86_64
type: libreport

Description of problem: Occurs on first boot of an install of current Rawhide Workstation.

Version-Release number of selected component: selinux-policy-3.13.1-258.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.0-0.rc5.git2.1.fc27.x86_64
type: libreport

Proposing as an F27 Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." This is clearly not fixed.

Description of problem: Just load Rawhide from USB stick.

Version-Release number of selected component: selinux-policy-3.13.1-263.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.13.0-0.rc0.git6.1.fc27.x86_64
type: libreport

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

Happens also on Fedora 26 after turning off and on Wifi.

Discussed during blocker review [1]: AcceptedBlocker (Final) - clear violation of Final criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

    # audit2allow -i avc

    #============= accountsd_t ==============

    #!!!! This avc is allowed in the current policy
    allow accountsd_t self:capability dac_read_search;

    # rpm -q selinux-policy
    selinux-policy-3.13.1-273.fc27.noarch

    # sesearch -A -s accountsd_t -t accountsd_t -c capability -p dac_read_search
    allow accountsd_t accountsd_t:capability { audit_control chown dac_override dac_read_search setgid setuid sys_ptrace };

This bug is fixed in the latest selinux-policy build in koji.

Same problem with Fedora 25 and selinux-policy-3.13.1-225.19.fc25.noarch.

It does happen on F25:

    $ rpm -q selinux-policy
    selinux-policy-3.13.1-225.19.fc25.noarch
    $ sesearch -A -s accountsd_t -t accountsd_t -c capability -p dac_read_search
    [nothing]

The installation was an upgrade, if that matters.
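An added example, not code from the bug report or from the selinux-policy project: a small POSIX shell helper that takes an AVC denial line and a capability allow rule (the shape `sesearch -A ... -c capability` prints) and reports whether the denial is the one the kernel reordering introduces, i.e. the domain is denied dac_read_search while the policy still only grants dac_override. The AVC line and the policy rule are constructed stand-ins modelled on the report's output, not real audit data.

```shell
#!/bin/sh
# Constructed sample AVC line, modelled on the accounts-daemon denial in the report.
SAMPLE_AVC='type=AVC msg=audit(1494944579.123:456): avc:  denied  { dac_read_search } for  pid=1234 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0'

# Constructed stand-in for the pre-fix policy: dac_override allowed, dac_read_search missing.
SAMPLE_POLICY='allow accountsd_t accountsd_t:capability { audit_control chown dac_override setgid setuid sys_ptrace };'

# avc_fields LINE -> prints "<source domain> <denied permission>" for a capability
# denial, nothing for any other line.
avc_fields() {
  printf '%s\n' "$1" | sed -n \
    's/.*avc:  denied  { \([a-z_]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=capability.*/\2 \1/p'
}

# policy_allows RULES DOMAIN PERM -> exit 0 if an allow rule for DOMAIN on itself
# lists PERM, in either the braced multi-permission form or the single-permission form.
policy_allows() {
  printf '%s\n' "$1" | grep -Eq "^allow $2 $2:capability (\{[^}]* $3 [^}]*\}|$3);"
}

# classify AVC_LINE RULES -> one of:
#   needs-dac_read_search  the post-4.12 check: dac_read_search denied, only dac_override granted
#   allowed                the policy already grants the denied permission (denial is stale)
#   other                  unrelated denial or a non-capability line
classify() {
  fields=$(avc_fields "$1")
  policy=$2
  [ -n "$fields" ] || { echo other; return; }
  dom=${fields%% *}
  perm=${fields#* }
  if policy_allows "$policy" "$dom" "$perm"; then
    echo allowed
  elif [ "$perm" = dac_read_search ] && policy_allows "$policy" "$dom" dac_override; then
    echo needs-dac_read_search
  else
    echo other
  fi
}

classify "$SAMPLE_AVC" "$SAMPLE_POLICY"
```

Run against real data by piping `ausearch -m AVC` lines and the `sesearch` output for the domain into `classify` one line at a time.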