Bug 1539327
Summary: | SELinux is preventing logrotate from using the 'dac_override' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Leslie Satenstein <lsatenstein> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | bugzilla, bugzilla, dwalsh, dzrudy, eugenemah, fzatlouk, jonha87, jsmith.fedora, kvolny, labouc67, lvrabec, maxx, mgrepl, mikhail.v.gavrilov, plautrba, pmoore, pretomisturado, ricky.tigg, robatino, sgallagh, vinayshastry |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:999678531a28550d4bb624a7552e9faa0d821e1dade5e14526fc06578e278904;VARIANT_ID=workstation;RejectedBlocker;AcceptedFreezeException | ||
Fixed In Version: | selinux-policy-3.14.1-14.fc28 selinux-policy-3.14.1-21.fc28 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-19 22:07:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1469207 |
Description
Leslie Satenstein
2018-01-27 23:08:49 UTC
Are you able to reproduce it? This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'. Can't reproduce. I'm able to reproduce on an updated F28 system. selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. Description of problem: Happened randomly without clear cause while programming Version-Release number of selected component: selinux-policy-3.14.1-14.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc5.git0.2.fc28.x86_64 type: libreport Description of problem: Message appeared randomly Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc7.git0.1.fc28.x86_64 type: libreport This bug seems to be still happening. Reopen? I'm hitting this on Fedora 28 with selinux-policy-3.14.1-19.fc28.noarch. It does reproduce shortly after cron.daily runs. Raw Audit Messages type=AVC msg=audit(1523206021.711:476): avc: denied { dac_override } for pid=5233 comm="logrotate" capability=1 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0 From journalctl Apr 08 10:47:01 f28h.local anacron[3103]: Job `cron.daily' started Apr 08 10:47:01 f28h.local run-parts[5187]: (/etc/cron.daily) starting google-chrome Apr 08 10:47:01 f28h.local run-parts[5228]: (/etc/cron.daily) finished google-chrome Apr 08 10:47:01 f28h.local run-parts[5230]: (/etc/cron.daily) starting logrotate Apr 08 10:47:01 f28h.local audit[5233]: AVC avc: denied { dac_override } for pid=5233 comm="logrotate" capability=1 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0 Apr 08 10:47:01 f28h.local logrotate[5245]: ALERT exited abnormally with [1] Apr 08 10:47:01 f28h.local run-parts[5247]: (/etc/cron.daily) finished logrotate Apr 08 10:47:01 f28h.local anacron[3103]: Job `cron.daily' terminated (mailing output) Apr 08 10:47:01 f28h.local anacron[3103]: Normal exit (1 job run) Apr 08 10:47:04 f28h.local dbus-daemon[699]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.184' (uid=0 pid=663 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper) Apr 08 10:47:05 f28h.local dbus-daemon[699]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Apr 08 10:47:05 f28h.local setroubleshoot[5260]: SELinux is preventing logrotate from using the dac_override capability. For complete SELinux messages run: sealert -l b5f71840-a2b7-41fe-8dbd-79fac5d00fdc Apr 08 10:47:05 f28h.local python3[5260]: SELinux is preventing logrotate from using the dac_override capability. Description of problem: O SELinux está impedindo que o logrotate use um recurso do dac_override. ***** Plugin dac_override (confiança 91.4) sugere ************************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Entãoligue a auditoria completa para obter informações de caminho sobre ofender arquivo e gerar um erro novamente. Faça Ligue auditoria completa # auditctl -w /etc/shadow -p w Tente recriar o AVC. Depois execute # ausearch -m avc -ts recent Caso você veja a memória PATH verifique a propriedade ou permissões no arquivo e repare-o, caso contrário reporte como um bugzilla. ***** Plugin catchall (confiança 9.59) sugere ****************************** If you believe that logrotate should have the dac_override capability by default. Entãovocê deve informar que este é um erro. Você pode gerar um módulo de política local para permitir este acesso. Faça allow this access for now by executing: # ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate # semodule -X 300 -i my-logrotate.pp Informação adicional: Contexto de origem system_u:system_r:logrotate_t:s0-s0:c0.c1023 Contexto de destino system_u:system_r:logrotate_t:s0-s0:c0.c1023 Objetos de destino Unknown [ capability ] Origem logrotate Caminho da origem logrotate Porta <Desconhecido> Máquina (removed) Pacotes RPM de origem Pacotes RPM de destino RPM da política selinux-policy-3.14.1-19.fc28.noarch Selinux habilitado True Tipo de política targeted Modo reforçado Enforcing Nome da máquina (removed) Plataforma Linux localhost.localdomain 4.16.0-300.fc28.x86_64 #1 SMP Tue Apr 3 03:44:37 UTC 2018 x86_64 x86_64 Contador de alertas 1 Visto pela primeira vez em 2018-04-08 03:46:02 WEST Visto pela última vez em 2018-04-08 03:46:02 WEST ID local fa9a0788-cdc6-4dc0-b812-8efa8449d45a Mensagens de auditoria não processadas type=AVC msg=audit(1523155562.347:369): avc: denied { dac_override } for pid=14316 comm="logrotate" capability=1 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0 Hash: logrotate,logrotate_t,logrotate_t,capability,dac_override Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.0-300.fc28.x86_64 type: libreport Description of problem: The problem is still happening (randomly) with up-to-date software. Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc7.git0.1.fc28.x86_64 type: libreport Description of problem: Happened randomly Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc7.git0.1.fc28.x86_64 type: libreport Proposed as a Blocker for 28-final by Fedora user jonha using the blocker tracking app because: There must be no SELinux denial notifications [...] at first login after a default install of a release-blocking desktop. I understand "at first login" as during the first session after installation, you can just login and wait and (I suppose) the notification should appear after some time. Randomly got the same error: SELinux is preventing logrotate from using the dac_override capability. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that logrotate should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate # semodule -X 300 -i my-logrotate.pp Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Objects Unknown [ capability ] Source logrotate Source Path logrotate Port <Unknown> Host x230 Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.1-19.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name x230 Platform Linux x230 4.16.0-300.fc28.x86_64 #1 SMP Tue Apr 3 03:44:37 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 09:34:02 CEST Last Seen 2018-04-12 09:34:02 CEST Local ID 5c431ed1-abab-46e0-a158-43c29b0e4d2c Raw Audit Messages type=AVC msg=audit(1523518442.239:310): avc: denied { dac_override } for pid=27448 comm="logrotate" capability=1 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability permissive=0 Hash: logrotate,logrotate_t,logrotate_t,capability,dac_override Description of problem: Not sure what caused the problem. Was just using my computer and the alert popped up. Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.1-300.fc28.x86_64 type: libreport Description of problem: I'm not sure if this capability is needed, it just appeared after updating to F28 ... Version-Release number of selected component: selinux-policy-3.14.1-19.fc28.noarch Additional info: reporter: libreport-2.9.4 hashmarkername: setroubleshoot kernel: 4.16.1-300.fc28.x86_64 type: libreport selinux-policy-3.14.1-21.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3 Discussed during the 2018-04-16 blocker review meeting: [1] The decision to classify this bug as an RejectedBlocker / AcceptedFreezeException: "We don't believe this actually happens consistently to all installs right after install, which is the scenario the criterion is intended to prevent, so we don't think it quite qualifies as a release blocker. However, it is a polish issue and should be fixed, so we grant it a freeze exception, and expect it will be fixed soon" [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-04-16/f28-blocker-review.2018-04-16-16.00.log.txt selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3 selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |