Bug 1509277
| Field | Value |
|---|---|
| Summary | SELinux prevents several domains from doing dac_read_search |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Steve Best <sbest> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | urgent |
| Priority | unspecified |
| Version | 7.5-Alt |
| CC | ilari.stenroth, lvrabec, mgrepl, mmalik, pholica, plautrba, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-176.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-04-10 12:46:03 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1477564 |
This is a bit like opening a bug against rsyslog and saying there are messages in my logs. :-) If I understand it right, you are seeing AVCs which might indicate there is a problem with selinux policy because there should be no AVCs. If this is correct, this bz should be transferred to selinux-policy so they can fix the policy to match system activity.

When the attachment file is piped into audit2allow, audit2allow says that the following rules are missing:

```
allow getty_t self:capability dac_read_search;
allow passwd_t self:capability dac_read_search;
allow postfix_master_t self:capability dac_read_search;
```

I'm suggesting this as a duplicate of #1532022.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763
Created attachment 1347348 [details]
console

Description of problem:
There are numerous audit msgs on RHEL 7.5-ALT nightly:

```
[   45.896682] audit: type=1400 audit(1509723988.131:6): avc: denied { execute_no_trans } for pid=2945 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0" ino=34078725 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=0
[   47.600873] audit: type=1400 audit(1509723989.841:7): avc: denied { dac_read_search } for pid=3099 comm="find" capability=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
[   47.600966] audit: type=1400 audit(1509723989.841:8): avc: denied { dac_read_search } for pid=3099 comm="find" capability=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
```

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Using RHEL-ALT-7.5-20171103.n.0
2. Look at console log

Actual results:
numerous audit avc

Expected results:
no avcs

Additional info:
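As an added example (not part of this bug report or of the selinux-policy package), the script below parses AVC denial lines like the ones in the description and derives, for each distinct (source type, target, class) triple, the allow rule that audit2allow would propose. The sample input is constructed from the three denials above with the console line wraps removed.

```python
import re

# Constructed sample: the three denials quoted in the bug description, with the
# 80-column console wraps removed so each audit record sits on one line.
SAMPLE_AVCS = """\
[   45.896682] audit: type=1400 audit(1509723988.131:6): avc: denied { execute_no_trans } for pid=2945 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0" ino=34078725 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=0
[   47.600873] audit: type=1400 audit(1509723989.841:7): avc: denied { dac_read_search } for pid=3099 comm="find" capability=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
[   47.600966] audit: type=1400 audit(1509723989.841:8): avc: denied { dac_read_search } for pid=3099 comm="find" capability=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
"""

# Permission set, source/target security contexts and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type:range -> type, the component policy rules are written against."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source_type, target, tclass, perms) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = context_type(m.group("scontext"))
    # A domain checked against its own context (the capability denials from
    # find running as postfix_master_t) is written as 'self' in policy.
    same = m.group("scontext") == m.group("tcontext")
    target = "self" if same else context_type(m.group("tcontext"))
    return stype, target, m.group("tclass"), set(m.group("perms").split())


def missing_rules(log_text):
    """Collapse repeated denials and emit one allow rule per (source, target, class),
    the way audit2allow summarises an audit log. Whether an allow rule or a domain
    transition is the right fix for a file execute_no_trans denial is a policy decision."""
    merged = {}
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, target, tclass, perms = parsed
        merged.setdefault((stype, target, tclass), set()).update(perms)
    rules = []
    for (stype, target, tclass), perms in merged.items():
        perms = sorted(perms)
        shown = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {shown};")
    return rules


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_AVCS):
        print(rule)
```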