Bug 1588016

Summary: root directory misses write permission
Product: [Fedora] Fedora
Reporter: Tomáš Korbař <tomas.korb>
Component: filesystem
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28
CC: jskarvad, kdudka, ovasik, pknirsch
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-06-06 14:13:25 UTC
Type: Bug

Description Tomáš Korbař 2018-06-06 13:24:47 UTC
Description of problem:
The /root directory is missing write permission. This causes AVC dac_override for services that use the /root directory and run under user root.

Version-Release number of selected component (if applicable):
3.8-2.fc28

How reproducible:
rpmls filesystem | grep root

Actual results:
dr-xr-x---  /root

Expected results:
drwxr-xr-x  /root

Comment 1 Kamil Dudka 2018-06-06 13:52:58 UTC
(In reply to Tomáš Korbař from comment #0)
> Expected results:
> drwxr-xr-x  /root

Do you seriously think that /root should be world-readable?

Comment 2 Jaroslav Škarvada 2018-06-06 13:54:41 UTC
(In reply to Kamil Dudka from comment #1)
> (In reply to Tomáš Korbař from comment #0)
> > Expected results:
> > drwxr-xr-x  /root
> 
> Do you seriously think that /root should be world-readable?

No, but it should be owner writeable :)
drwxr-x---  /root

Comment 3 Jaroslav Škarvada 2018-06-06 13:55:34 UTC
(In reply to Jaroslav Škarvada from comment #2)
> (In reply to Kamil Dudka from comment #1)
> > (In reply to Tomáš Korbař from comment #0)
> > > Expected results:
> > > drwxr-xr-x  /root
> > 
> > Do you seriously think that /root should be world-readable?
> 
> No, but it should be owner writeable :)
> drwxr-x---  /root

Is there any reason for read only mode?

Comment 4 Jaroslav Škarvada 2018-06-06 13:57:58 UTC
(In reply to Jaroslav Škarvada from comment #3)
> (In reply to Jaroslav Škarvada from comment #2)
> > (In reply to Kamil Dudka from comment #1)
> > > (In reply to Tomáš Korbař from comment #0)
> > > > Expected results:
> > > > drwxr-xr-x  /root
> > > 
> > > Do you seriously think that /root should be world-readable?
> > 
> > No, but it should be owner writeable :)
> > drwxr-x---  /root
> 
> Is there any reason for read only mode?

I am able to reproduce it on my f27 machine too. Maybe it has been there for a longer time and has only just been spotted due to a change in the SELinux policy enforcing the dac_override check in f28+ :)

Comment 5 Jaroslav Škarvada 2018-06-06 14:04:06 UTC
(In reply to Jaroslav Škarvada from comment #4)
> (In reply to Jaroslav Škarvada from comment #3)
> > (In reply to Jaroslav Škarvada from comment #2)
> > > (In reply to Kamil Dudka from comment #1)
> > > > (In reply to Tomáš Korbař from comment #0)
> > > > > Expected results:
> > > > > drwxr-xr-x  /root
> > > > 
> > > > Do you seriously think that /root should be world-readable?
> > > 
> > > No, but it should be owner writeable :)
> > > drwxr-x---  /root
> > 
> > Is there any reason for read only mode?
> 
> I am able to reproduce it on my f27 machine too. Maybe it has been there for a
> longer time and has only just been spotted due to a change in the SELinux policy
> enforcing the dac_override check in f28+ :)

It seems it has been there since 2009, commit cd01d2d6d54f59ef8e177d0391bc734fba470ef4, change due to bug 517575.

Comment 6 Jaroslav Škarvada 2018-06-06 14:08:38 UTC
(In reply to Jaroslav Škarvada from comment #5)
> (In reply to Jaroslav Škarvada from comment #4)
> > (In reply to Jaroslav Škarvada from comment #3)
> > > (In reply to Jaroslav Škarvada from comment #2)
> > > > (In reply to Kamil Dudka from comment #1)
> > > > > (In reply to Tomáš Korbař from comment #0)
> > > > > > Expected results:
> > > > > > drwxr-xr-x  /root
> > > > > 
> > > > > Do you seriously think that /root should be world-readable?
> > > > 
> > > > No, but it should be owner writeable :)
> > > > drwxr-x---  /root
> > > 
> > > Is there any reason for read only mode?
> > 
> > I am able to reproduce it on my f27 machine too. Maybe it has been there for a
> > longer time and has only just been spotted due to a change in the SELinux policy
> > enforcing the dac_override check in f28+ :)
> 
> It seems it has been there since 2009, commit
> cd01d2d6d54f59ef8e177d0391bc734fba470ef4, change due to bug 517575.

So it is intentional :) Well, personally, I can say that I don't like this "hack".

Comment 7 Jaroslav Škarvada 2018-06-06 14:13:25 UTC
I am closing it as a dupe of bug 517575, because I do not have any real issue (so far) with this change, I just don't like this approach :)

*** This bug has been marked as a duplicate of bug 517575 ***
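
Added example, not part of the original report or of the filesystem package: a simplified model of the directory DAC check, showing for the three modes quoted in this thread whether a root process creating a file in /root is served by the mode bits or has to use CAP_DAC_OVERRIDE, the capability SELinux checks as dac_override. The function names are hypothetical, and the model assumes no ACLs and that only uid 0 holds the capability.

```python
# Simplified model of the Linux DAC check on a directory (no ACLs). It answers
# whether the mode bits grant the access or the process must fall back on
# CAP_DAC_OVERRIDE, the capability use that SELinux checks as "dac_override".

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_ls_mode(mode_str):
    """Turn an ls-style string such as 'dr-xr-x---' into (owner, group, other) bits."""
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters, e.g. 'drwxr-x---'")
    triples = []
    for start in (1, 4, 7):
        bits = 0
        for ch, letter in zip(mode_str[start:start + 3], "rwx"):
            if ch == letter:
                bits |= PERM_BITS[letter]
            elif ch != "-":
                raise ValueError(f"unsupported mode character {ch!r}")
        triples.append(bits)
    return tuple(triples)


def dac_decision(mode_str, want, proc_uid=0, proc_gids=(0,), owner_uid=0, owner_gid=0):
    """Return 'mode-bits', 'dac_override' or 'denied' for the requested access.

    want is a string of 'r', 'w', 'x' letters. Exactly one class (owner, group
    or other) is consulted; the check never falls through to another class.
    """
    owner, group, other = parse_ls_mode(mode_str)
    if proc_uid == owner_uid:
        granted = owner
    elif owner_gid in proc_gids:
        granted = group
    else:
        granted = other
    needed = sum(PERM_BITS[letter] for letter in set(want))
    if granted & needed == needed:
        return "mode-bits"
    # Assumption of this model: only uid 0 holds CAP_DAC_OVERRIDE.
    return "dac_override" if proc_uid == 0 else "denied"


def compare_modes():
    # The three modes quoted in the report and comments; "wx" is the access
    # needed to create a file inside the directory.
    return {m: dac_decision(m, "wx") for m in ("dr-xr-x---", "drwxr-x---", "drwxr-xr-x")}
```

With the shipped mode dr-xr-x--- every write by root into /root goes through the capability, while drwxr-x--- satisfies the same write from the owner bits and still gives other users no access.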