Bug 1797224
Summary: | SELinux is preventing /usr/lib/systemd/systemd from unlink access on the file krb5_25.rcache2 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 32 | CC: | dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.14.5-28.fc32 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-08 07:58:13 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lukas Slebodnik
2020-02-01 15:58:17 UTC
Reproducible on rawhide with IPA server [root@kvm-02-guest19 ~]# /bin/sh sh-5.0# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful sh-5.0# systemctl restart named-pkcs11 sh-5.0# ausearch -m avc -ts recent -i ---- type=PROCTITLE msg=audit(02/01/2020 16:54:45.872:664) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 30 type=PATH msg=audit(02/01/2020 16:54:45.872:664) : item=1 name=krb5_25.rcache2 inode=26370783 dev=fd:00 mode=file,600 ouid=named ogid=named rdev=00:00 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(02/01/2020 16:54:45.872:664) : item=0 name=/ inode=26370770 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/01/2020 16:54:45.872:664) : cwd=/ type=SYSCALL msg=audit(02/01/2020 16:54:45.872:664) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x38 a1=0x7f6808008d33 a2=0x0 a3=0x76 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(02/01/2020 16:54:45.872:664) : avc: denied { unlink } for pid=1 comm=systemd name=krb5_25.rcache2 dev="dm-0" ino=26370783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0 sh-5.0# find / -inum 26370770 /var/tmp/systemd-private-d07feaa640e346fa9b4c3478a08152eb-named-pkcs11.service-OVFDxf/tmp/krb5_25.rcache2 sh-5.0# I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/203 commit dd32a9e30993116d8cb49c176a4a593f76dfa107 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Zdenek Pytela <zpytela> Date: Mon Feb 10 10:14:38 2020 +0100 Allow systemd_private_tmp(named_tmp_t) Resolves: rhbz#1797224 This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32. BZ says it is fixed in selinux-policy-3.14.5-28.fc32 bodhi says selinux-policy-3.14.5-32.fc32 is in stable https://bodhi.fedoraproject.org/updates/FEDORA-2020-32711482f7 But this BZ is still in MODIFIED. What is the correct status? The correct status is CLOSED, thank you for reporting. |