Bug 1476441

Summary: SELinux is preventing accounts-daemon from using the 'dac_read_search' capabilities.
Product: [Fedora] Fedora Reporter: Joachim Frieben <jfrieben>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: albin, alexvillacislasso, bugreports, bugzilla, bugzilla.redhat, bugzilla, colotunbabay2010, dominick.grift, dwalsh, edosurina, goodmirek, jorti, joshua, linux, lsm5, lvrabec, mail, mgrepl, migosch, mjs, myphnix, pablodav, plautrba, pmoore, pradeepk.dev, romain.rubi, sgallagh, sheepdestroyer, ssekidde, temlakos, thetaeridanus, tpypta, vsmandy
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:7f0096e1b311125ce6e727e034242a4865f79cd0e9a9e92274ecd7036e106960;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-260.4.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-20 14:21:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joachim Frieben 2017-07-29 04:39:27 UTC 
Description of problem:
SELinux is preventing accounts-daemon from using the 'dac_read_search' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that accounts-daemon should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.3.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.12.4-300.fc26.x86_64 #1 SMP Thu
                              Jul 27 23:09:13 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-07-29 06:02:54 CEST
Last Seen                     2017-07-29 06:04:12 CEST
Local ID                      24967863-cbd4-4735-ac49-240b7cd7dbbf

Raw Audit Messages
type=AVC msg=audit(1501301052.563:359): avc:  denied  { dac_read_search } for  pid=1035 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0


Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.4-300.fc26.x86_64
type:           libreport

Potential duplicate: bug 1451377
Comment 1 Mirek Svoboda 2017-07-29 08:16:33 UTC 
Description of problem:
boot up the system and login into Gnome Xorg

Version-Release number of selected component:
selinux-policy-3.13.1-260.1.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.3-301.fc26.x86_64
type:           libreport
Comment 2 Bill 2017-08-11 08:23:20 UTC 
Same issue here. Fedora 26 kernel 4.12.4-300.fc26.x86_64
Comment 3 Romano 2017-08-15 10:09:18 UTC 
*** Bug 1481640 has been marked as a duplicate of this bug. ***
Comment 4 amarty 2017-08-15 10:11:12 UTC 
*** Bug 1481641 has been marked as a duplicate of this bug. ***
Comment 5 Terry A. Hurlbut 2017-08-15 11:29:35 UTC 
Description of problem:
I did nothing but do a cold reboot of my system after the latest upgrade push, which included a new kernel released today (15 August 2017).


Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.5-300.fc26.x86_64
type:           libreport
Comment 6 vaughn miller 2017-08-15 13:49:45 UTC 
*** Bug 1481705 has been marked as a duplicate of this bug. ***
Comment 7 tpypta 2017-08-15 13:54:07 UTC 
*** Bug 1481710 has been marked as a duplicate of this bug. ***
Comment 8 vaughn miller 2017-08-15 14:25:55 UTC 
*** Bug 1481730 has been marked as a duplicate of this bug. ***
Comment 9 Matthew Saltzman 2017-08-15 17:09:07 UTC 
Description of problem:
May have happened creating online accounts in GNOME after fresh install.

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.5-300.fc26.x86_64
type:           libreport
Comment 10 Sergey Chebotar 2017-08-15 20:38:46 UTC 
The same issue after latest updates to 4.12 kernel

SELinux is preventing accounts-daemon from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If вы хотите помочь определить, требует ли домен такой уровень доступа, или
в системе присутствует файл с неверно назначенными разрешениями
Then включите полный аудит, чтобы определить путь к конфликтному файлу и повторно сгенерировать ошибку.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If вы считаете, что accounts-daemon следует разрешить доступ dac_read_search по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Неизвестно>
Host                          desktop
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.3.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     desktop
Platform                      Linux desktop 4.12.5-300.fc26.x86_64 #1 SMP Mon
                              Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   28
First Seen                    2017-08-15 22:40:00 MSK
Last Seen                     2017-08-15 23:25:31 MSK
Local ID                      ea0b2e86-de53-438d-b450-9f6fa5972c93

Raw Audit Messages
type=AVC msg=audit(1502828731.959:241): avc:  denied  { dac_read_search } for  pid=637 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0


Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search
Comment 11 Pradeep Kumar 2017-08-16 03:38:51 UTC 
*** Bug 1481919 has been marked as a duplicate of this bug. ***
Comment 12 bugreports 2017-08-16 13:03:13 UTC 
Description of problem:
I turned on my computer after installing updates and some python packages (pygame and its dependencies) the day before.

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.5-300.fc26.x86_64
type:           libreport
Comment 13 sheepdestroyer 2017-08-16 14:06:40 UTC 
*** Bug 1482126 has been marked as a duplicate of this bug. ***
Comment 14 Frank Büttner 2017-08-16 14:14:55 UTC 
Description of problem:
Log in under gnome

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.5-300.fc26.x86_64
type:           libreport
Comment 15 Victor Smith 2017-08-16 21:23:39 UTC 
Description of problem:
Using computer and it froze up, had to do forced shutdown.

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.5-300.fc26.x86_64
type:           libreport
Comment 16 phyz 2017-11-10 09:18:53 UTC 
*** Bug 1511836 has been marked as a duplicate of this bug. ***