Bug 1460882

Summary: SELinux is preventing sm-notify from using the dac_read_search capability
Product: Fedora
Reporter: Chris Murphy <bugzilla>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: amessina, code, dominick.grift, dustymabe, dwalsh, jforbes, lvrabec, marcvanwageningen, mgrepl, plautrba, pmoore, ssekidde
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Last Closed: 2017-11-15 20:10:36 UTC
Type: Bug
Attachments: journal

Description Chris Murphy 2017-06-13 03:23:46 UTC
Description of problem:

SETroubleshoot notification at login appears, with this complaint.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-254.fc26.noarch
4.12.0-0.rc5.git0.1.fc27.x86_64


How reproducible:
Each boot.


Steps to Reproduce:
1. Boot

Actual results:

SELinux alert notification

Raw Audit Messages
type=AVC msg=audit(1497323290.409:242): avc:  denied  { dac_read_search } for  pid=1656 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=0


Expected results:

No notification for just booting and logging in.


Additional info:

Could be related to upgrading the kernel from 4.11.3 to 4.12rc5; I don't recall these SELinux alerts happening prior to the upgrade.

Comment 1 Chris Murphy 2017-06-13 03:24:16 UTC
Created attachment 1287141 [details]
journal

Comment 2 Chris Murphy 2017-06-13 03:54:56 UTC
Also happens with selinux-policy-3.13.1-257.fc26.noarch and manually relabelled.

Comment 3 Lukas Vrabec 2017-06-13 12:53:12 UTC
*** Bug 1460884 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2017-06-13 12:53:20 UTC
*** Bug 1460880 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2017-06-13 12:53:24 UTC
*** Bug 1460881 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2017-06-14 14:54:53 UTC
dac_read_search usually indicates that a process running as root is trying to search through a directory that root does not have access to via ownership permissions, i.e. a directory with permissions like 550 where the owner and group are not root.

Comment 7 Chris Murphy 2017-07-05 01:23:38 UTC
OK this definitely only happens with 4.12.0 kernels.

Comment 8 Daniel Walsh 2017-07-06 11:41:51 UTC
I believe there was a recent change in the kernel to do dac_read_search checks before dac_override. This means a lot of confined domains that allow access to dac_override are now going to get dac_read_search AVCs. Probably this will not block any access, but it gives an ugly AVC message.

The kernel checks dac_read_search and then dac_override; if access is allowed by either, the access is allowed.

There is probably a good bit of policy that should switch to only allowing dac_read_search and not allowing dac_override, since dac_override is a lot more powerful.
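As an added illustration (not code from this report, the kernel, or the selinux-policy project), the Python below parses the raw AVC record quoted in the description and models the check order comment 8 describes. The capability-number mapping follows linux/capability.h; the check-order model is a simplification of what the comment states, not a reading of kernel source, and the assumption that rpcd_t allows dac_override but not dac_read_search is taken from the comment.

```python
import re

# Capability numbers from linux/capability.h for the two capabilities discussed here.
CAPABILITY_NAMES = {1: "dac_override", 2: "dac_read_search"}

# The raw audit record quoted in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1497323290.409:242): avc:  denied  { dac_read_search } for  '
    'pid=1656 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 '
    'tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+) \}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+capability=(?P<cap>\d+))?\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def parse_avc(line):
    """Return the fields of an 'avc: denied' record as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    cap = int(m.group("cap")) if m.group("cap") else None
    return {
        "perm": m.group("perm").strip(),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
        "capability": CAPABILITY_NAMES.get(cap, cap),
        "domain": m.group("scontext").split(":")[2],  # type field, e.g. rpcd_t
        "tclass": m.group("tclass"),
        "enforcing": m.group("permissive") == "0",
    }

def dac_lookup(policy_allows):
    """Simplified model of the order comment 8 describes: the kernel tries
    dac_read_search first and dac_override second.  Access succeeds if either
    is allowed by policy, but each capability denied before the success is
    still logged as an AVC.  Returns (access_granted, denials_logged)."""
    logged = []
    for cap in ("dac_read_search", "dac_override"):
        if cap in policy_allows:
            return True, logged
        logged.append(cap)
    return False, logged

if __name__ == "__main__":
    print(parse_avc(SAMPLE_AVC))
    # Assumed (per comment 8): rpcd_t allows dac_override but not dac_read_search,
    # so access is granted yet the noisy dac_read_search denial is still logged.
    print(dac_lookup({"dac_override"}))
```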

Comment 9 Chris Murphy 2017-08-03 16:34:28 UTC
Fedora 25 and Fedora 26 will soon rebase on kernel 4.12. I get SELinux Troubleshooter notifications in GNOME throughout the day, it's super annoying. Yes I can disable all alerts, but I suspect once F25/F26 get 4.12 there are going to be a lot more complaints.

Comment 10 Justin M. Forbes 2017-08-11 13:47:56 UTC
4.12 is in updates-testing and 4.11 has been discontinued upstream.

Comment 11 Dusty Mabe 2017-08-14 12:46:20 UTC
(In reply to Justin M. Forbes from comment #10)
> 4.12 is in updates-testing and 4.11 has been discontinued upstream.

I think the point was that 4.12 is broken. We needed to coordinate with selinux and try to get them to fix this BEFORE the 4.12 kernel was sent to stable. We really need this prioritized now by the SELinux team.

Comment 12 Lukas Vrabec 2017-08-14 13:44:24 UTC
Hi Dusty, 

All we need is to push updates to bodhi. Will do asap today ;)

Comment 13 Fedora Update System 2017-10-26 12:31:20 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e

Comment 14 Fedora Update System 2017-11-15 20:10:36 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.