Bug 1476441
Summary: | SELinux is preventing accounts-daemon from using the 'dac_read_search' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Joachim Frieben <jfrieben> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 26 | CC: | albin, alexvillacislasso, bugreports, bugzilla, bugzilla.redhat, bugzilla, colotunbabay2010, dominick.grift, dwalsh, edosurina, goodmirek, jorti, joshua, linux, lsm5, lvrabec, mail, mgrepl, migosch, mjs, myphnix, pablodav, plautrba, pmoore, pradeepk.dev, romain.rubi, sgallagh, sheepdestroyer, ssekidde, temlakos, thetaeridanus, tpypta, vsmandy |
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:7f0096e1b311125ce6e727e034242a4865f79cd0e9a9e92274ecd7036e106960;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.13.1-260.4.fc26 | Doc Type: | If docs needed, set a value |
Last Closed: | 2017-08-20 14:21:01 UTC | Type: | --- |
Description
Joachim Frieben
2017-07-29 04:39:27 UTC
Description of problem: boot up the system and login into Gnome Xorg
Version-Release number of selected component: selinux-policy-3.13.1-260.1.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.3-301.fc26.x86_64
type: libreport

Same issue here. Fedora 26 kernel 4.12.4-300.fc26.x86_64

*** Bug 1481640 has been marked as a duplicate of this bug. ***

*** Bug 1481641 has been marked as a duplicate of this bug. ***

Description of problem: I did nothing but do a cold reboot of my system after the latest upgrade push, which included a new kernel released today (15 August 2017).
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.5-300.fc26.x86_64
type: libreport

*** Bug 1481705 has been marked as a duplicate of this bug. ***

*** Bug 1481710 has been marked as a duplicate of this bug. ***

*** Bug 1481730 has been marked as a duplicate of this bug. ***

Description of problem: May have happened creating online accounts in GNOME after fresh install.
Version-Release number of selected component: selinux-policy-3.13.1-260.3.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.5-300.fc26.x86_64
type: libreport

The same issue after latest updates to 4.12 kernel

```
SELinux is preventing accounts-daemon from using the dac_read_search capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If вы хотите помочь определить, требует ли домен такой уровень доступа, или в системе присутствует файл с неверно назначенными разрешениями
Then включите полный аудит, чтобы определить путь к конфликтному файлу и повторно сгенерировать ошибку.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If вы считаете, что accounts-daemon следует разрешить доступ dac_read_search по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Неизвестно>
Host                          desktop
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.3.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     desktop
Platform                      Linux desktop 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   28
First Seen                    2017-08-15 22:40:00 MSK
Last Seen                     2017-08-15 23:25:31 MSK
Local ID                      ea0b2e86-de53-438d-b450-9f6fa5972c93

Raw Audit Messages
type=AVC msg=audit(1502828731.959:241): avc: denied { dac_read_search } for pid=637 comm="accounts-daemon" capability=2 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search
```

*** Bug 1481919 has been marked as a duplicate of this bug. ***

Description of problem: I turned on my computer after installing updates and some python packages (pygame and its dependencies) the day before.
Version-Release number of selected component: selinux-policy-3.13.1-260.3.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.5-300.fc26.x86_64
type: libreport

*** Bug 1482126 has been marked as a duplicate of this bug. ***

Description of problem: Log in under gnome
Version-Release number of selected component: selinux-policy-3.13.1-260.3.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.5-300.fc26.x86_64
type: libreport

Description of problem: Using computer and it froze up, had to do forced shutdown.
Version-Release number of selected component: selinux-policy-3.13.1-260.3.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.5-300.fc26.x86_64
type: libreport

*** Bug 1511836 has been marked as a duplicate of this bug. ***
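
Added example (not part of the original bug report, and not setroubleshoot's own code): a small Python parser for the raw AVC record quoted in the report above. It converts the audit timestamp to UTC, rebuilds the five fields that the report's "Hash:" line lists, and flags an enforced DAC-capability denial, the case in which the record names no file and the dac_override plugin asks for full auditing. The function names are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Raw AVC record as quoted in the report above.
RECORD = (
    'type=AVC msg=audit(1502828731.959:241): avc: denied { dac_read_search } '
    'for pid=637 comm="accounts-daemon" capability=2 '
    'scontext=system_u:system_r:accountsd_t:s0 '
    'tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0'
)

# Capability numbers from <linux/capability.h>; only the DAC pair matters here.
DAC_CAPS = {1: "dac_override", 2: "dac_read_search"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # keeps quoted values with spaces whole

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    rec["verdict"] = m["verdict"]
    rec["perms"] = m["perms"].split()
    rec["serial"] = int(m["serial"])
    when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    rec["time_utc"] = when.strftime("%Y-%m-%d %H:%M:%S")
    # Contexts are user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def dedupe_key(rec):
    """Join the same five fields that the report's 'Hash:' line lists."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])

def needs_path_audit(rec):
    """True for an enforced DAC-capability denial, which names no file path."""
    cap = DAC_CAPS.get(int(rec.get("capability", -1)))
    return (rec["verdict"] == "denied" and rec["tclass"] == "capability"
            and cap in rec["perms"] and rec.get("permissive") == "0")
```

For the quoted record the UTC time is 20:25:31, which is the report's "Last Seen" value of 23:25:31 MSK, so the raw message and the alert summary describe the same event.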