Bug 1815789

Summary: SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.
Product: Red Hat Enterprise Linux 8
Reporter: Simon Sekidde <ssekidde>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: low
Version: 8.1
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-04-30 14:02:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Simon Sekidde 2020-03-21 18:18:27 UTC
Description of problem:

SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch

Actual results:

SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that platform-python3.6 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmd' --raw | audit2allow -M my-rhsmd
# semodule -X 300 -i my-rhsmd.pp


Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        rhsmd
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   12
First Seen                    2020-03-21 13:28:09 EDT
Last Seen                     2020-03-21 13:32:23 EDT
Local ID                      4e23965c-09fd-43d9-b912-c873629743e5

Raw Audit Messages
type=AVC msg=audit(1584811943.222:165): avc:  denied  { dac_override } for  pid=8392 comm="rhsmd" capability=1  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1584811943.222:165): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f035e831958 a2=800c1 a3=1a4 items=0 ppid=8391 pid=8392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmd exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: rhsmd,rhsmcertd_t,rhsmcertd_t,capability,dac_override

Comment 1 Zdenek Pytela 2020-03-23 07:35:28 UTC
Hi Simon,

Thank you for reporting the issue. The dac_override permission is requested on an access attempt where DAC permissions do not allow this access; the file path is not audited, though. Please follow the recommendations of the restorecon plugin to turn on full auditing and, when reproduced again, check permissions for the file or directory.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
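The dac_override plugin text (quoted in the description and again in comment 1) asks for full auditing so that a PATH record appears next to the AVC, and then for a check of that object's ownership and permissions. The script below is an added example, not code from this bug report, from setroubleshoot or from Red Hat: it groups raw audit records by event serial, picks out denied dac_override AVCs, decodes the openat flags from the SYSCALL record's a2 argument, and, where PATH records are present, applies the plain Unix DAC test for the process's fsuid/fsgid to show which object root could not reach without CAP_DAC_OVERRIDE. The AVC and SYSCALL lines in the sample are the ones quoted above; the PATH record, its directory name and its owner are constructed for the example (the report itself had no PATH record, which is exactly why the plugin asks for full auditing).

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL lines are the ones quoted in this bug
# report (SYSCALL cut at key=(null), items= set to 1); the PATH line is invented
# here to show what full auditing adds, since the report has no PATH record.
SAMPLE_LOG = """\
type=AVC msg=audit(1584811943.222:165): avc:  denied  { dac_override } for  pid=8392 comm="rhsmd" capability=1  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1584811943.222:165): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f035e831958 a2=800c1 a3=1a4 items=1 ppid=8391 pid=8392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmd exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1584811943.222:165): item=0 name="/var/lib/example-dir/" inode=4242 dev=fd:00 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}")
# open(2) flag bits on x86_64 Linux; the access mode is the low two bits.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x10000: "O_DIRECTORY", 0x80000: "O_CLOEXEC"}


def parse_record(line):
    """One audit line -> record type, event serial, key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, serial, body = m.groups()
    rec = {"type": rtype, "serial": serial,
           "fields": {k: v.strip('"') for k, v in FIELD_RE.findall(body)}}
    a = AVC_RE.search(body) if rtype == "AVC" else None
    if a:
        rec["decision"], rec["perms"] = a.group(1), a.group(2).split()
    return rec


def group_events(log_text):
    """Records that share an audit serial belong to the same syscall event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def decode_open_flags(hex_flags):
    """The a2 argument of openat, logged in hex, as a list of flag names."""
    flags = int(hex_flags, 16)
    return [ACCESS_MODES[flags & 3]] + [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]


def access_from_flags(names):
    """DAC bits the kernel checks on the opened object for these open flags."""
    need = set()
    if "O_RDONLY" in names or "O_RDWR" in names:
        need.add("r")
    if any(f in names for f in ("O_WRONLY", "O_RDWR", "O_TRUNC", "O_APPEND")):
        need.add("w")
    return need


def dac_allows(fsuid, fsgid, mode, ouid, ogid, need):
    """Plain Unix permission test (supplementary groups and ACLs ignored).
    CAP_DAC_OVERRIDE is consulted exactly when this fails, even for uid 0."""
    perm = mode & 0o777
    shift = 6 if fsuid == ouid else 3 if fsgid == ogid else 0
    bits = (perm >> shift) & 7
    have = {n for n, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}
    return need <= have


def explain_dac_override(log_text):
    """For every event with a denied dac_override AVC: who asked, what the open
    was for and, when PATH records exist, which object fails plain DAC for the
    process, i.e. the file whose ownership or mode the plugin says to check."""
    findings = []
    for serial, recs in group_events(log_text).items():
        avc = next((r for r in recs if r.get("decision") == "denied"
                    and "dac_override" in r.get("perms", [])), None)
        if avc is None:
            continue
        sc = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), {})
        finding = {"serial": serial, "comm": avc["fields"].get("comm"),
                   "scontext": avc["fields"].get("scontext"),
                   "syscall": sc.get("syscall"), "exe": sc.get("exe"),
                   "flags": None, "objects": []}
        need = set()
        if sc.get("syscall") in ("openat", "257") and "a2" in sc:  # 257: openat on x86_64
            finding["flags"] = decode_open_flags(sc["a2"])
            need = access_from_flags(finding["flags"])
        fsuid, fsgid = int(sc.get("fsuid", 0)), int(sc.get("fsgid", 0))
        for r in recs:
            if r["type"] != "PATH":
                continue
            f = r["fields"]
            # Creating a new entry is a write+search check on the parent directory.
            want = {"w", "x"} if f.get("nametype") == "PARENT" else need
            ok = dac_allows(fsuid, fsgid, int(f["mode"], 8), int(f["ouid"]), int(f["ogid"]), want)
            finding["objects"].append({"name": f["name"], "mode": f["mode"],
                                       "owner": f["ouid"] + ":" + f["ogid"],
                                       "need": "".join(sorted(want)), "dac_allows": ok})
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in explain_dac_override(SAMPLE_LOG):
        print(finding)
```

On a live system the same function can be fed the output of `ausearch -ts recent --raw` after the watch from the plugin text has been added and the AVC reproduced. For the sample the decoded flags are O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, so the process was creating a new file and the decisive DAC check is write plus search on the parent directory; a directory owned by uid 1000 with mode 0700 fails that check for root, which is why the kernel went on to ask for CAP_DAC_OVERRIDE and SELinux denied it. Whether the right fix is changing the object's ownership or granting the domain the capability is then the question the plugin poses.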

Comment 2 Zdenek Pytela 2020-04-29 15:55:33 UTC
Simon,

Did you manage to check if permissions are correct? If you want us to continue working on this bz, could you provide the requested information or reproducer steps?

Comment 3 Simon Sekidde 2020-04-30 14:02:37 UTC
Zdenek, 

I am unable to reproduce this issue on a clean OS install. Thanks.