Bug 1539327

Summary: SELinux is preventing logrotate from using the 'dac_override' capabilities.
Product: Fedora
Reporter: Leslie Satenstein <lsatenstein>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 28
CC: bugzilla, bugzilla, dwalsh, dzrudy, eugenemah, fzatlouk, jonha87, jsmith.fedora, kvolny, labouc67, lvrabec, maxx, mgrepl, mikhail.v.gavrilov, plautrba, pmoore, pretomisturado, ricky.tigg, robatino, sgallagh, vinayshastry
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:999678531a28550d4bb624a7552e9faa0d821e1dade5e14526fc06578e278904;VARIANT_ID=workstation;RejectedBlocker;AcceptedFreezeException
Fixed In Version: selinux-policy-3.14.1-14.fc28 selinux-policy-3.14.1-21.fc28
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-19 22:07:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1469207

Description Leslie Satenstein 2018-01-27 23:08:49 UTC
Description of problem:
After reboot, clicked on dnfdragora, saw 100+updates, decided to go the terminal->sudo dnf update method. 
Clicked on terminal icon (I am using Gnome on Rawhide) 
and Selinux popped up
SELinux is preventing logrotate from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that logrotate should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-307.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.0-0.rc4.git1.1.fc28.x86_64 #1
                              SMP Tue Dec 19 16:46:00 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-12-23 08:18:02 EST
Last Seen                     2017-12-23 08:18:02 EST
Local ID                      8af2e11d-d5bb-4684-acc4-a9ff49cc9839

Raw Audit Messages
type=AVC msg=audit(1514035082.228:1489): avc:  denied  { dac_override } for  pid=10419 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: logrotate,logrotate_t,logrotate_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.13.1-307.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.0-0.rc8.git0.1.fc28.x86_64
type:           libreport
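The triage the dac_override plugin describes above (look for a PATH record in the same audit event; a file with the wrong owner or mode is a local fix, no PATH record is a policy gap to report) can be applied mechanically to the records `ausearch -m avc -ts recent` prints. The script below is an added example, not code from this report or from the selinux-policy project: it parses raw `type=AVC` and `type=PATH` records, joins them by event serial, names the capability number, and reports which branch each denial falls into, together with the `allow ... self:capability ...` rule audit2allow would emit for the "for now" case. The first sample AVC line is copied from comment 13; the second event, its PATH record, the file name `/var/log/example/app.log` and uid 1000 are constructed for the example. One caveat a practitioner will hit: PATH records are only emitted for syscalls that match an audit rule, so the `auditctl -w /etc/shadow -p w` line in the plugin text (its generic template) will not produce one for a denial during log rotation; a watch on the files logrotate actually touches (for example `auditctl -w /var/log -p w`) is what makes the PATH branch observable.

```python
"""Triage of SELinux capability denials like the one in this report.

Added example, not code from the report or from selinux-policy. It parses
the raw records that `ausearch -m avc -ts recent` prints (type=AVC, plus
the type=PATH records you get once a matching audit watch is active),
groups them by event serial, and applies the rule the dac_override plugin
states: a PATH record means "check that file's owner and mode", no PATH
record means "the domain itself lacks the capability: report it, or build
a local module for now". Sample records are constructed for this example;
only the first AVC line is copied from comment 13 of the report.
"""
import re
from typing import Dict, List

# capability=N in an AVC record is the Linux capability number
# (include/uapi/linux/capability.h); only the common ones are listed here.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}

_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_AVC = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str):
    """Parse one raw audit record into a dict; return None for non-audit lines."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = _AVC.search(body)
        if not a:
            return None
        rec["verdict"], rec["perms"], body = a["verdict"], a["perms"].split(), a["fields"]
    for key, val in _KV.findall(body):
        rec[key] = val.strip('"')
    if "capability" in rec:
        n = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES.get(n, f"CAP_{n}")
    return rec


def triage(lines: List[str]) -> List[dict]:
    """One finding per denied capability AVC, joined with PATH records of the same event."""
    events: Dict[int, List[dict]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        paths = [r for r in recs if r["type"] == "PATH"]
        for avc in recs:
            if avc["type"] != "AVC" or avc["verdict"] != "denied" or avc.get("tclass") != "capability":
                continue
            f = {
                "serial": serial,
                "comm": avc.get("comm"),
                "pid": int(avc.get("pid", 0)),
                "domain": avc["scontext"].split(":")[2],
                "perms": avc["perms"],
                "capability": avc.get("capability_name"),
                "enforcing": avc.get("permissive") == "0",
                # for tclass=capability the target is the domain itself, so
                # scontext == tcontext is expected and no file label is involved
                "self_target": avc.get("scontext") == avc.get("tcontext"),
            }
            if paths:
                p = paths[0]  # the audited file: its owner/mode decide the fix
                f.update(verdict="check-file", path=p.get("name"),
                         owner_uid=int(p.get("ouid", -1)), mode=p.get("mode"))
            else:
                f["verdict"] = "policy-gap"
            findings.append(f)
    return findings


def allow_rule(f: dict) -> str:
    """The TE rule audit2allow emits for such a denial (the plugin's 'for now' fix)."""
    perms = f["perms"][0] if len(f["perms"]) == 1 else "{ " + " ".join(f["perms"]) + " }"
    return f"allow {f['domain']} self:capability {perms};"


# Constructed sample input: line 1 is the AVC from comment 13; event 480 and
# its PATH record are made up to show the file-permission branch.
SAMPLE = """\
type=AVC msg=audit(1523206021.711:476): avc:  denied  { dac_override } for  pid=5233 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1523206099.100:480): avc:  denied  { dac_override } for  pid=5300 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=PATH msg=audit(1523206099.100:480): item=0 name="/var/log/example/app.log" inode=4711 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"event {f['serial']}: {f['comm']}[{f['pid']}] in {f['domain']} denied {f['capability']} -> {f['verdict']}")
        if f["verdict"] == "check-file":
            print(f"  fix owner/mode of {f['path']} (uid {f['owner_uid']}, mode {f['mode']}) instead of touching policy")
        else:
            print(f"  no PATH record: report it; a local module would carry: {allow_rule(f)}")
```

Feed it `ausearch -m avc -ts recent --raw` output (or `journalctl -o cat` lines that begin with `type=AVC`). Prefer the "check-file" branch whenever it applies: CAP_DAC_OVERRIDE lets a process ignore every file's owner and mode bits, so granting it to logrotate_t in a local module is a broad exception compared with fixing the ownership of one log file.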

Comment 1 Lukas Vrabec 2018-02-19 15:44:30 UTC
Are you able to reproduce it?

Comment 2 Fedora End Of Life 2018-02-20 15:26:47 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 3 Leslie Satenstein 2018-02-24 03:09:40 UTC
Can't reproduce.

Comment 4 Jared Smith 2018-03-12 13:16:57 UTC
I'm able to reproduce on an updated F28 system.

Comment 5 Fedora Update System 2018-03-12 18:25:51 UTC
selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 6 Fedora Update System 2018-03-13 15:09:36 UTC
selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 7 Fedora Update System 2018-03-15 21:23:35 UTC
selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 8 Fedora Update System 2018-03-16 14:42:08 UTC
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 9 Fedora Update System 2018-03-18 00:52:37 UTC
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Jonathan Haas 2018-04-03 07:49:42 UTC
Description of problem:
Happened randomly without clear cause while programming

Version-Release number of selected component:
selinux-policy-3.14.1-14.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc5.git0.2.fc28.x86_64
type:           libreport

Comment 11 Jonathan Haas 2018-04-04 08:07:13 UTC
Description of problem:
Message appeared randomly

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc7.git0.1.fc28.x86_64
type:           libreport

Comment 12 Jonathan Haas 2018-04-04 08:08:39 UTC
This bug seems to be still happening. Reopen?

Comment 13 Chris Murphy 2018-04-08 16:54:32 UTC
I'm hitting this on Fedora 28 with selinux-policy-3.14.1-19.fc28.noarch. It does reproduce shortly after cron.daily runs.

Raw Audit Messages
type=AVC msg=audit(1523206021.711:476): avc:  denied  { dac_override } for  pid=5233 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0


From journalctl

Apr 08 10:47:01 f28h.local anacron[3103]: Job `cron.daily' started
Apr 08 10:47:01 f28h.local run-parts[5187]: (/etc/cron.daily) starting google-chrome
Apr 08 10:47:01 f28h.local run-parts[5228]: (/etc/cron.daily) finished google-chrome
Apr 08 10:47:01 f28h.local run-parts[5230]: (/etc/cron.daily) starting logrotate
Apr 08 10:47:01 f28h.local audit[5233]: AVC avc:  denied  { dac_override } for  pid=5233 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0
Apr 08 10:47:01 f28h.local logrotate[5245]: ALERT exited abnormally with [1]
Apr 08 10:47:01 f28h.local run-parts[5247]: (/etc/cron.daily) finished logrotate
Apr 08 10:47:01 f28h.local anacron[3103]: Job `cron.daily' terminated (mailing output)
Apr 08 10:47:01 f28h.local anacron[3103]: Normal exit (1 job run)
Apr 08 10:47:04 f28h.local dbus-daemon[699]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.184' (uid=0 pid=663 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Apr 08 10:47:05 f28h.local dbus-daemon[699]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 08 10:47:05 f28h.local setroubleshoot[5260]: SELinux is preventing logrotate from using the dac_override capability. For complete SELinux messages run: sealert -l b5f71840-a2b7-41fe-8dbd-79fac5d00fdc
Apr 08 10:47:05 f28h.local python3[5260]: SELinux is preventing logrotate from using the dac_override capability.

Comment 14 pretomisturado 2018-04-08 23:28:44 UTC
Description of problem:
SELinux is preventing logrotate from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see a PATH record, check ownership/permissions on the file and fix it; otherwise report it as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that logrotate should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-19.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 4.16.0-300.fc28.x86_64
                              #1 SMP Tue Apr 3 03:44:37 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-08 03:46:02 WEST
Last Seen                     2018-04-08 03:46:02 WEST
Local ID                      fa9a0788-cdc6-4dc0-b812-8efa8449d45a

Raw Audit Messages
type=AVC msg=audit(1523155562.347:369): avc:  denied  { dac_override } for  pid=14316 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: logrotate,logrotate_t,logrotate_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.0-300.fc28.x86_64
type:           libreport

Comment 15 Jonathan Haas 2018-04-10 08:49:27 UTC
Description of problem:
The problem is still happening (randomly) with up-to-date software.

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc7.git0.1.fc28.x86_64
type:           libreport

Comment 16 Jonathan Haas 2018-04-11 10:15:14 UTC
Description of problem:
Happened randomly

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc7.git0.1.fc28.x86_64
type:           libreport

Comment 17 Fedora Blocker Bugs Application 2018-04-11 12:19:46 UTC
Proposed as a Blocker for 28-final by Fedora user jonha using the blocker tracking app because:

 There must be no SELinux denial notifications [...] at first login after a default install of a release-blocking desktop. 

I understand "at first login" as during the first session after installation, you can just login and wait and (I suppose) the notification should appear after some time.

Comment 18 Or Schiro 2018-04-12 07:52:55 UTC
Randomly got the same error:

SELinux is preventing logrotate from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that logrotate should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          x230
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-19.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     x230
Platform                      Linux x230 4.16.0-300.fc28.x86_64 #1 SMP Tue Apr 3
                              03:44:37 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 09:34:02 CEST
Last Seen                     2018-04-12 09:34:02 CEST
Local ID                      5c431ed1-abab-46e0-a158-43c29b0e4d2c

Raw Audit Messages
type=AVC msg=audit(1523518442.239:310): avc:  denied  { dac_override } for  pid=27448 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: logrotate,logrotate_t,logrotate_t,capability,dac_override

Comment 19 Eugene Mah 2018-04-15 11:48:55 UTC
Description of problem:
Not sure what caused the problem. Was just using my computer and the alert popped up.

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.1-300.fc28.x86_64
type:           libreport

Comment 20 Karel Volný 2018-04-16 07:37:47 UTC
Description of problem:
I'm not sure if this capability is needed, it just appeared after updating to F28 ...

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.1-300.fc28.x86_64
type:           libreport

Comment 21 Fedora Update System 2018-04-16 11:34:33 UTC
selinux-policy-3.14.1-21.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3

Comment 22 František Zatloukal 2018-04-16 17:45:35 UTC
Discussed during the 2018-04-16 blocker review meeting: [1]

The decision to classify this bug as a RejectedBlocker / AcceptedFreezeException:

"We don't believe this actually happens consistently to all installs right after install, which is the scenario the criterion is intended to prevent, so we don't think it quite qualifies as a release blocker. However, it is a polish issue and should be fixed, so we grant it a freeze exception, and expect it will be fixed soon"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-04-16/f28-blocker-review.2018-04-16-16.00.log.txt

Comment 23 Fedora Update System 2018-04-17 03:03:50 UTC
selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3

Comment 24 Fedora Update System 2018-04-19 22:07:16 UTC
selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.