Bug 1931470

Summary: avc: denied { fowner } comm="groupadd" comm="mandb" capability=3
Product: [Fedora] Fedora
Reporter: Bruno Goncalves <bgoncalv>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 33
CC: dwalsh, grepl.miroslav, lvrabec, mikhail.v.gavrilov, mmalik, omosnace, plautrba, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.6-37.fc33
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-05-09 01:15:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Bruno Goncalves 2021-02-22 13:41:43 UTC
Description of problem:
During a CKI test on an upstream kernel (kernel 5.11.0) we hit some AVC denials:

selinux-policy-3.14.6-34.fc33.noarch
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.297:190): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:43 2021
type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1
Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-34.fc33.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Fedora 33 on a Beaker server, update the kernel to kernel 5.11.0

kernel used can be found at https://xci32.lab.eng.rdu2.redhat.com/cki-project/cki-pipeline/-/jobs/1109559/artifacts/raw/artifacts/kernel-block-x86_64-2709d6ab511e0401303c6706c2af8a45ef5b49f4.tar.gz

2. clone kernel-tests repo from https://gitlab.com/cki-project/kernel-tests

3. run tests like acpi/acpitable and filesystems/cifs/connectathon

Actual results:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.6-34.fc33.noarch
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.297:190): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:43 2021
type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1

Comment 3 Zdenek Pytela 2021-02-22 13:54:36 UTC
Note for groupadd we have it allowed in rawhide:

commit 7bc150ab60d036691955ec1a5a8f2f8b8a3ba567
Author: Zdenek Pytela <zpytela>
Date:   Tue Nov 24 18:08:26 2020 +0100

    Add groupadd_t fowner capability

    The sssd daemon is configured to run as a non-root user. Its database
    files need to have ownership changed accordingly, as a result some
    capabilities may be required to change metadata of the files.

    When sss_cache is called as a child of groupadd executed from a confined
    domain, e. g. rpm_script_t, it needs the fowner capability for groupadd_t
    to complete the groupadd command and run utime() syscall.

    Resolves: rhbz#1884179

Comment 4 Bruno Goncalves 2021-03-03 12:27:24 UTC
Another similar occurrence:

time->Tue Mar  2 23:30:06 2021
type=AVC msg=audit(1614745806.165:116): avc:  denied  { fowner } for  pid=732 comm="sadc" capability=3  scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability permissive=1

Comment 6 Zdenek Pytela 2021-03-03 13:48:21 UTC
The AVC denial does not show the syscall which triggered it. Can you share the reproducing steps, or enable full auditing to gather additional information?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run the scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 7 Zdenek Pytela 2021-03-16 19:24:43 UTC
*** Bug 1938573 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2021-04-27 10:12:09 UTC
Cherry-picking the dontaudit rawhide commit:
https://github.com/fedora-selinux/selinux-policy/pull/703
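The AVC records quoted in the description and in Comment 4, together with the two rule forms the thread discusses (the rawhide allow rule in Comment 3 and the cherry-picked dontaudit rule in Comment 9), as an added triage example that is not code from the bug report or from selinux-policy: it parses the audit lines, maps capability=3 to fowner, and emits one audit2allow-style rule per source domain. SAMPLE_AVCS is built from the records on this page; CAPABILITY_NAMES is a hand-copied subset of the kernel's capability numbering.

```python
"""Triage of SELinux AVC capability denials (added example; not from the bug or selinux-policy)."""
import re
from collections import defaultdict

# Subset of the Linux capability numbering from include/uapi/linux/capability.h.
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search",
                    3: "fowner", 4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid"}

# Sample input: the AVC records quoted in this bug report (description and Comment 4).
SAMPLE_AVCS = (
    'type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1614745806.165:116): avc:  denied  { fowner } for  pid=732 comm="sadc" capability=3  scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability permissive=1',
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[\w ]+?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Parse one audit AVC record; return None for non-AVC lines such as 'time->...'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    cap = fields.get("capability")           # only present for tclass=capability
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        # system_u:system_r:groupadd_t:s0 -> groupadd_t (the confined source domain)
        "sdomain": fields["scontext"].split(":")[2],
        "tclass": fields.get("tclass"),
        "capability": CAPABILITY_NAMES.get(int(cap), cap) if cap is not None else None,
        # permissive=1 means the denial was logged but the syscall was not blocked
        "permissive": fields.get("permissive") == "1",
    }

def policy_rules(lines, mode="dontaudit"):
    """One audit2allow-style rule per source domain; mode "allow" matches Comment 3, "dontaudit" Comment 9."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] == "capability":
            perms[rec["sdomain"]] |= rec["perms"]
    rules = []
    for dom, ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"{mode} {dom} self:capability {body};")
    return rules
```

A dontaudit rule only silences the record; the denied operation still fails in enforcing mode, which is why the thread asks for the triggering syscall before choosing between the two forms.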

Comment 10 Fedora Update System 2021-04-28 11:34:02 UTC
FEDORA-2021-050d4e8def has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def

Comment 11 Fedora Update System 2021-04-29 01:45:43 UTC
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-050d4e8def`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-05-09 01:15:07 UTC
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.