Bug 1459910

Summary: Latest update seems to block dac_read_search on many services at boot time
Product: Fedora
Component: selinux-policy-targeted
Version: 27
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: unspecified
Reporter: David Hill <dhill>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: dhill, dwalsh, jpazdziora, mmahudha, mszpak, phidica.veia
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-283.34.fc27
Doc Type: If docs needed, set a value
Last Closed: 2018-05-22 10:53:44 UTC
Type: Bug

Description David Hill 2017-06-08 14:14:36 UTC
Description of problem:
Latest update seems to block dac_read_search on many services at boot time

[root@otto audit]# grep denied audit.log  | grep dac_read
type=AVC msg=audit(1496931060.717:98): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931060.735:105): avc:  denied  { dac_read_search } for  pid=1218 comm="abrtd" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931060.754:111): avc:  denied  { dac_read_search } for  pid=1295 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.279:148): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.406:149): avc:  denied  { dac_read_search } for  pid=1994 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.312:207): avc:  denied  { dac_read_search } for  pid=2249 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.444:211): avc:  denied  { dac_read_search } for  pid=1259 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.497:215): avc:  denied  { dac_read_search } for  pid=2303 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.499:216): avc:  denied  { dac_read_search } for  pid=2304 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.560:234): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931067.679:243): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.277:253): avc:  denied  { dac_read_search } for  pid=2822 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.297:256): avc:  denied  { dac_read_search } for  pid=2840 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931069.935:257): avc:  denied  { dac_read_search } for  pid=2905 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931057.918:260): avc:  denied  { dac_read_search } for  pid=2937 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931058.957:266): avc:  denied  { dac_read_search } for  pid=2943 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931061.811:275): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.017:278): avc:  denied  { dac_read_search } for  pid=3466 comm="abrt-dbus" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1

Version-Release number of selected component (if applicable):


How reproducible:
Update

Steps to Reproduce:
1. Reboot

Actual results:
Lots of selinux dac_read_search denied

Expected results:
Hidden or allowed

Additional info:

Comment 1 Jan Kurik 2017-08-15 07:44:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 Mustafa Mahudhawala 2017-08-25 04:40:53 UTC
I have the same problem after updating to F25. Looks like this blog from Dan Walsh explains this error well.

http://danwalsh.livejournal.com/69478.html

And I did notice that we generally use 000 for /etc/shadow

# ls -l /etc/shadow*
----------. 1 root root 1352 Jul  4 18:40 /etc/shadow
----------. 1 root root 1478 Jul  4 18:40 /etc/shadow-

Which is what the services seem to be complaining about.

Is setting 600 for /etc/shadow a recommendation then, based on the above blog from Dan?

Comment 3 Mustafa Mahudhawala 2017-08-25 04:42:21 UTC
Or at least 400 for /etc/shadow?
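
An added triage script (not from this report or the selinux-policy project) that parses AVC records in the format shown in the description, groups dac_read_search denials by SELinux domain, flags whether any were enforced rather than only logged under permissive=1, and encodes the /etc/shadow mode point raised in comment 2: for a root-owned file read by a root process only the owner read bit counts for DAC, so 000 forces the capability check and 600 or 400 do not. The sample records below are constructed, modelled on the report's excerpt.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the audit.log excerpt in the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496931060.717:98): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.406:149): avc:  denied  { dac_read_search } for  pid=1994 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.312:207): avc:  denied  { dac_read_search } for  pid=2249 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931069.935:257): avc:  denied  { dac_read_search } for  pid=2905 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=USER_AUTH msg=audit(1496931070.000:258): pid=2905 uid=0 auid=1000 msg='op=PAM:authentication'
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}  # numbers from linux/capability.h

def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC records (e.g. USER_AUTH)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["domain"] = rec["scontext"].split(":")[2]       # type field of the source context
    rec["permissive"] = rec.get("permissive") == "1"   # logged only, not enforced
    if rec.get("tclass") == "capability":
        rec["cap_name"] = CAP_NAMES.get(int(rec["capability"]), "CAP_%s" % rec["capability"])
    return rec

def summarize_denials(log_text, perm="dac_read_search"):
    """Group denials of `perm` by SELinux domain: which binaries, how many, and
    whether any were actually enforced (permissive=0) rather than just logged."""
    out = defaultdict(lambda: {"comms": set(), "count": 0, "enforced": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and perm in rec["perms"]:
            d = out[rec["domain"]]
            d["comms"].add(rec["comm"]); d["count"] += 1
            d["enforced"] |= not rec["permissive"]
    return dict(out)

def root_owned_read_needs_capability(mode):
    """Root reading a root-owned file: only the owner read bit (0400) counts for DAC.
    Mode 000 fails it and triggers the CAP_DAC_READ_SEARCH check seen above; 600/400 pass."""
    return (mode & 0o400) == 0
```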

Comment 4 Jan Pazdziora 2018-05-10 09:05:38 UTC
I no longer seem to see the issue with selinux-policy-3.13.1-283.34.fc27.noarch, for chronyd (bug 1449108) nor openssh (bug 1449110). Should this bugzilla be closed CURRENTRELEASE, with some fixed in version set?