Bug 1935562
| Summary: | SELinux is preventing accounts-daemon from using the 'fowner' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:66f64a7a26aff1145386ab2d2dacbc7da02721da426905e4e52c9c22c68b9af9;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-23 17:05:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Mikhail, Do you know when or how the avc is triggered? Do you happen to know which file was accessed? By default the other records are not audited. Mikhail, There seems to be a problem with XFS and new kernels. Could you try an older kernel, preferably from 5.11 series? (In reply to Zdenek Pytela from comment #1) > Mikhail, > > Do you know when or how the avc is triggered? Do you happen to know which > file was accessed? By default the other records are not audited. All reported avc happens during boot. *** This bug has been marked as a duplicate of bug 1933437 *** The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |
Description of problem: SELinux is preventing accounts-daemon from using the 'fowner' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that accounts-daemon should have the fowner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon # semodule -X 300 -i my-accountsdaemon.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:system_r:accountsd_t:s0 Target Objects Unknown [ capability ] Source accounts-daemon Source Path accounts-daemon Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.8-4.fc35.noarch Local Policy RPM selinux-policy-targeted-3.14.8-4.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.12.0-0.rc1.20210304gitf69d02e37a 85.163.fc35.x86_64 #1 SMP Fri Mar 5 03:31:05 +05 2021 x86_64 x86_64 Alert Count 1 First Seen 2021-03-05 11:54:56 +05 Last Seen 2021-03-05 11:54:56 +05 Local ID 4acc47a9-db83-4d79-8e46-6291a65bec85 Raw Audit Messages type=AVC msg=audit(1614927296.816:168): avc: denied { fowner } for pid=1209 comm="accounts-daemon" capability=3 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1 Hash: accounts-daemon,accountsd_t,accountsd_t,capability,fowner Version-Release number of selected component: selinux-policy-targeted-3.14.8-4.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.12.0-0.rc1.20210304gitf69d02e37a85.163.fc35.x86_64 type: libreport