Bug 517728
| Summary: | Changes for lowering capabilities project | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Grubb <sgrubb> | ||||||||
| Component: | smartmontools | Assignee: | Michal Hlavinka <mhlavink> | ||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | rawhide | CC: | dwalsh, mgrepl, mhlavink, ykopkova | ||||||||
| Target Milestone: | --- | Keywords: | Reopened | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2009-09-03 14:39:43 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 519823 | ||||||||||
| Attachments: |
|
||||||||||
Thanks for the patch. Is this patch tested? Sent upstream? I am running with it on my F-11 system. I have not sent it upstream. The capability confinement is based on selinux policy settings which I assume no one is complaining about. OK, I've build new package with the patch. One question remains: Should this patch be sent to upstream or it's only fedora specific? A slight variation on this patch should be sent upstream. I need to add the m4 macro to it for distros that may not have libcap-ng well integrated. By the way, I think forgot to tell you that you need to also BuildRequires: libcap-ng-devel and that you will need to add: touch ChangeLog autoreconf -i to the spec file in the %build section (re-opening the bz for this, sorry). If you want, I can attach the patch that would be upstreamed to the bz. ok btw, I understand the autoreconf -i part, but why there's need to touch ChangeLog? ok, attach that new patch when ready thanks If you don't do the touch ChangeLog, the build fails with: Makefile.am: required file `./ChangeLog' not found autoreconf: automake failed with exit status: 1 error: Bad exit status from /home/sgrubb/working/tmp/rpm-tmp.r5zEfY (%build) Created attachment 358261 [details]
Patch to drop capabilities
This patch fixes configure.in for more distros to use.
I forgot to mention that you need to add BuildRequires: libcap-ng-devel so that configure finds the library to link against it. Do you mind re-spinning with the BR added? Thanks. ok, I'll do it. I'll also send this patch to upstream as I presume you did not send it, right? there are required some changes in SELinux:
SELinux is preventing smartd (fsdaemon_t) "getcap" fsdaemon_t.
SELinux is preventing smartd (fsdaemon_t) "setcap" fsdaemon_t.
SELinux is preventing smartd (fsdaemon_t) "setpcap" fsdaemon_t.
changes are required for Fedora 11 and rawhide
-----------------------------------
Additional Information:
Source Context unconfined_u:system_r:fsdaemon_t:s0
Target Context unconfined_u:system_r:fsdaemon_t:s0
Target Objects None [ process ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host krles.englab.brq.redhat.com
Source RPM Packages smartmontools-5.38-15.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.12-78.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name krles.englab.brq.redhat.com
Platform Linux krles.englab.brq.redhat.com
2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
EDT 2009 x86_64 x86_64
Alert Count 3
First Seen Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen Wed 26 Aug 2009 06:01:02 PM CEST
Local ID e04d5805-f48a-41fa-bf3a-089b7f4ec6bc
Line Numbers
Raw Audit Messages
node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34287): avc: denied { getcap } for pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process
node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34287): arch=c000003e syscall=125 success=yes exit=0 a0=7f1dfaa70714 a1=7f1dfaa7071c a2=2 a3=7fff1fd02d70 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
--------------------------
Additional Information:
Source Context unconfined_u:system_r:fsdaemon_t:s0
Target Context unconfined_u:system_r:fsdaemon_t:s0
Target Objects None [ capability ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host krles.englab.brq.redhat.com
Source RPM Packages smartmontools-5.38-15.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.12-78.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name krles.englab.brq.redhat.com
Platform Linux krles.englab.brq.redhat.com
2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
EDT 2009 x86_64 x86_64
Alert Count 3
First Seen Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen Wed 26 Aug 2009 06:01:02 PM CEST
Local ID bae0fad4-75db-4736-b642-88542321dbb4
Line Numbers
Raw Audit Messages
node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34288): avc: denied { setpcap } for pid=20186 comm="smartd" capability=8 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34288): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=1 a3=0 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
--------------------------
Additional Information:
Source Context unconfined_u:system_r:fsdaemon_t:s0
Target Context unconfined_u:system_r:fsdaemon_t:s0
Target Objects None [ process ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host krles.englab.brq.redhat.com
Source RPM Packages smartmontools-5.38-15.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.12-78.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name krles.englab.brq.redhat.com
Platform Linux krles.englab.brq.redhat.com
2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
EDT 2009 x86_64 x86_64
Alert Count 3
First Seen Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen Wed 26 Aug 2009 06:01:02 PM CEST
Local ID 52d961fc-f7b6-4475-a327-74e4c48e6384
Line Numbers
Raw Audit Messages
node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34289): avc: denied { setcap } for pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process
node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34289): arch=c000003e syscall=126 success=yes exit=0 a0=7f1dfaa70714 a1=7f1dfaa7071c a2=2 a3=7fff1fd02d70 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
adding dwalsh to cc-list for selinux part of this bug Miroslov can you add
allow fsdaemon_t self:capability setpcap;
allow fsdaemon_t self:process { getcap setcap };
to smartmon.te
Added to selinux-policy-3.6.12-82.fc11 Created attachment 359632 [details]
Patch to drop capabilities
just for record, this patch was used
|
Created attachment 357567 [details] Patch to drop capabilities Description of problem: As part of the lowering capabilities project, we should drop all unnecessary capabilities in all daemons.