Bug 1576998
Summary: | SELinux is preventing kworker/u8:4 from using the 'dac_override' capabilities. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christian Kujau <redhat> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 28 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:fa6f20a84a5f05687b6f1f1177c54533cb780ae6bfce1274df3db0637c2da0f8;VARIANT_ID=workstation; | | |
Fixed In Version: | selinux-policy-3.14.2-22.fc29 selinux-policy-3.14.1-32.fc28 | Doc Type: | If docs needed, set a value |
Last Closed: | 2018-06-09 20:42:56 UTC | Type: | --- |
Description
Christian Kujau
2018-05-11 00:08:37 UTC
FWIW, the NFS access is still permitted, so files on that share can still be read/written to, but each access triggers a new SELinux alert. Also, after the upgrade to F28 I relabeled the root disk by creating /.autorelabel and rebooting, but the SELinux alerts are still being generated.

The same alerts are being generated for CIFS shares on the same machine, so it's not specific to NFS shares:

```
$ grep /data /proc/mounts
cake:/mnt/data /mnt/nfs/data nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.115,fsc,local_lock=none,addr=192.168.0.100 0 0
//cake/data /mnt/smb/data cifs rw,nosuid,nodev,noexec,relatime,vers=3.0,sec=none,cache=strict,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.100,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,fsc,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1 0 0
```

For the time being, disabling cachefilesd or mounting network shares without "fsc" makes these alerts go away.

selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

This is still happening. Rebooted, even relabeled the rootfs, no dice:

```
$ rpm -q selinux-policy cachefilesd
selinux-policy-3.14.1-29.fc28.noarch
cachefilesd-0.10.10-4.fc28.x86_64

$ cat /mnt/smb/media/foo.mp3 > /dev/null; echo $?
0

$ sudo ausearch -m avc -ts recent
----
time->Wed May 30 00:24:45 2018
type=AVC msg=audit(1527665085.631:11902): avc: denied { dac_override } for pid=26755 comm="kworker/u8:2" capability=1 scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0

$ mount | grep fsc
//cake/media on /mnt/smb/media type cifs (ro,nosuid,nodev,noexec,relatime,vers=3.0,sec=none,cache=strict,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.100,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,fsc,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
```

You are right. Sorry for that. Will be fixed in next selinux-policy update.

selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
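A triage sketch for the symptoms in this report, added here as an example and not code from the report or from the selinux-policy project: it picks the `dac_override` capability denials from the `cachefiles_kernel_t` domain out of `ausearch` output and lists mounts whose option list contains `fsc` as a whole option. The function names, the `httpd` record, the `/mnt/fsc` mount and the shortened option lists are constructed for illustration.

```python
import re

# Constructed sample input modelled on the output quoted in this report. The
# httpd record and the /mnt/fsc mount are invented to exercise the filters,
# and the mount option lists are shortened.
SAMPLE_AUDIT = '''----
time->Wed May 30 00:24:45 2018
type=AVC msg=audit(1527665085.631:11902): avc:  denied  { dac_override } for  pid=26755 comm="kworker/u8:2" capability=1  scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527665090.100:11903): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
'''
SAMPLE_MOUNTS = '''cake:/mnt/data /mnt/nfs/data nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2,sec=sys,fsc,local_lock=none 0 0
//cake/data /mnt/smb/data cifs rw,nosuid,nodev,noexec,relatime,vers=3.0,nounix,serverino,mapposix,fsc,actimeo=1 0 0
/dev/sdb1 /mnt/fsc ext4 rw,relatime 0 0
'''

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    verdict = re.search(r"avc:\s+(granted|denied)\s+\{([^}]*)\}", line)
    if not line.startswith("type=AVC") or not verdict:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    scontext = fields.get("scontext", "").split(":")
    return {
        "result": verdict.group(1),
        "perms": verdict.group(2).split(),
        "comm": fields.get("comm", "").strip('"'),
        # SELinux contexts are user:role:type:level; the type is the domain.
        "domain": scontext[2] if len(scontext) > 2 else None,
        "tclass": fields.get("tclass"),
    }

def cachefiles_dac_denials(audit_text):
    """AVC denials matching this bug: cachefiles_kernel_t denied dac_override."""
    records = filter(None, map(parse_avc, audit_text.splitlines()))
    return [r for r in records
            if r["result"] == "denied" and r["tclass"] == "capability"
            and r["domain"] == "cachefiles_kernel_t" and "dac_override" in r["perms"]]

def fsc_mounts(mounts_text):
    """(mount point, fs type) for /proc/mounts entries with the exact option fsc."""
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        # Compare whole options: a plain substring match also hits /mnt/fsc.
        if len(parts) >= 4 and "fsc" in parts[3].split(","):
            hits.append((parts[1], parts[2]))
    return hits

if __name__ == "__main__":
    for rec in cachefiles_dac_denials(SAMPLE_AUDIT):
        print("cachefiles denial from", rec["comm"])
    for mount_point, fstype in fsc_mounts(SAMPLE_MOUNTS):
        print("FS-Cache enabled on", mount_point, f"({fstype})")
```

On a live system the two functions take the text of `ausearch -m avc -ts recent` and the contents of `/proc/mounts`.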