Bug 710572

Summary: SELinux is preventing /usr/sbin/afsd from using the 'dac_override' capabilities.
Product: [Fedora] Fedora
Reporter: Daniel Scott <dan>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rawhide
CC: dominick.grift, dwalsh, mgrepl, nalin
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:876e494ac8df95edc02aea968f418239822063ce3e8b76f36ae5df205f11e760
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-06 16:01:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Daniel Scott 2011-06-03 18:14:52 UTC
SELinux is preventing /usr/sbin/afsd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that afsd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep afsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:afs_t:s0
Target Context                system_u:system_r:afs_t:s0
Target Objects                Unknown [ capability ]
Source                        afsd
Source Path                   /usr/sbin/afsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openafs-client-1.6.0-0.pre4.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1
                              SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 03 Jun 2011 12:30:47 PM EDT
Last Seen                     Fri 03 Jun 2011 12:30:47 PM EDT
Local ID                      f78f287f-d4dc-42d7-adc2-f1d4a3c983f9

Raw Audit Messages
type=AVC msg=audit(1307118647.779:22): avc:  denied  { dac_override } for  pid=1227 comm="afsd" capability=1  scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability


type=SYSCALL msg=audit(1307118647.779:22): arch=x86_64 syscall=open success=no exit=EACCES a0=423ba3 a1=442 a2=1b6 a3=7fffdea66180 items=0 ppid=1226 pid=1227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=afsd exe=/usr/sbin/afsd subj=system_u:system_r:afs_t:s0 key=(null)

Hash: afsd,afs_t,afs_t,capability,dac_override

audit2allow

#============= afs_t ==============
allow afs_t self:capability dac_override;

audit2allow -R

#============= afs_t ==============
allow afs_t self:capability dac_override;

Comment 1 Daniel Walsh 2011-06-03 20:19:39 UTC
Nalin, does this look good to you?

Would afsd have to be able to use/modify files/directories that root does not have access to?

Comment 2 Daniel Scott 2011-06-03 21:00:20 UTC
I think that afsd will have access to files that root cannot access.

We're using FreeIPA to provide the authentication for AFS - the root user doesn't have a Kerberos ticket and can't access files in the /afs tree.

Comment 3 Daniel Walsh 2011-06-03 21:12:19 UTC
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

Comment 4 Daniel Scott 2011-06-06 14:39:51 UTC
I haven't been able to recreate this, so it does not appear to be a problem any longer.

Comment 5 Nalin Dahyabhai 2011-06-09 13:47:40 UTC
Here's what I'm seeing at reboot, with selinux-policy-targeted-3.9.16-26.fc15.noarch:

type=PATH msg=audit(1307626798.656:28): item=0 name="/etc/mtab" inode=16297 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=SYSCALL msg=audit(1307626798.656:28): arch=c000003e syscall=2 success=no exit=-13 a0=423b94 a1=442 a2=1b6 a3=7fff1b0e3a90 items=1 ppid=1623 pid=1630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/vice/etc/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1307626798.656:28): avc:  denied  { dac_override } for  pid=1630 comm="afsd" capability=1  scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability

That agrees with the diagnostics in this thread: https://lists.openafs.org/pipermail/openafs-info/2011-June/036260.html

Comment 6 Daniel Walsh 2011-06-09 18:12:01 UTC
So afsd is trying to write to /etc/mtab, which is a link to /proc/mounts, and the kernel is raising a dac_override.

So since we do not ship afs, I can leave this closed.

Daniel, to get this to stop complaining you can do:

# grep dac_override /var/log/audit/audit.log | audit2allow -DM myafsd
# semodule -i myafsd.pp
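As an added example (not part of this bug report, of setroubleshoot or of OpenAFS), the triage step from Comment 3 carried out in Python over the audit records quoted in the Description and in Comment 5: records are grouped by serial number the way ausearch presents one event, the open(2) flags in the SYSCALL record are decoded, and where a PATH record exists the file's mode bits are checked to show that ordinary DAC already refuses root write access to the 0444 /etc/mtab, which is why the kernel went on to consult CAP_DAC_OVERRIDE. It assumes both SYSCALL records are open(2) with the flags in a1 (true here: syscall=open / syscall=2 on x86_64) and uses the x86_64 Linux flag values.

```python
import re
# Sample input: the raw audit records quoted in this bug (serial 22 from the Description, logged
# without full auditing so it has no PATH record; serial 28 from Comment 5, which has one).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1307118647.779:22): avc:  denied  { dac_override } for  pid=1227 comm="afsd" capability=1  scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
type=SYSCALL msg=audit(1307118647.779:22): arch=x86_64 syscall=open success=no exit=EACCES a0=423ba3 a1=442 a2=1b6 a3=7fffdea66180 items=0 ppid=1226 pid=1227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=afsd exe=/usr/sbin/afsd subj=system_u:system_r:afs_t:s0 key=(null)
type=PATH msg=audit(1307626798.656:28): item=0 name="/etc/mtab" inode=16297 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=SYSCALL msg=audit(1307626798.656:28): arch=c000003e syscall=2 success=no exit=-13 a0=423b94 a1=442 a2=1b6 a3=7fff1b0e3a90 items=1 ppid=1623 pid=1630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/vice/etc/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1307626798.656:28): avc:  denied  { dac_override } for  pid=1630 comm="afsd" capability=1  scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_FLAGS = {'O_WRONLY': 0o1, 'O_RDWR': 0o2, 'O_CREAT': 0o100, 'O_TRUNC': 0o1000, 'O_APPEND': 0o2000}  # x86_64 Linux

def parse_audit(text):
    """Group raw audit records by serial number, the way ausearch shows one event."""
    events = {}
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        denied = re.search(r'denied\s+\{ ([^}]*) \}', body)
        if denied:
            fields['denied'] = denied.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def explain_dac_override(text):
    """For each dac_override AVC: the requested access and, when a PATH record exists, whether plain DAC refuses it."""
    findings = []
    for serial, recs in parse_audit(text).items():
        avc = recs.get('AVC', {})
        if 'dac_override' not in avc.get('denied', []):
            continue
        sc, path = recs.get('SYSCALL', {}), recs.get('PATH')
        flags = int(sc.get('a1', '0'), 16)  # a1 of open(2) is the flags argument, logged in hex
        f = {'serial': serial, 'comm': avc.get('comm'),
             'open_flags': [n for n, bit in OPEN_FLAGS.items() if flags & bit],
             'wants_write': bool(flags & 0o3), 'has_path': path is not None}  # access mode other than O_RDONLY
        if path is not None:
            mode = int(path['mode'], 8) & 0o777
            # The owner triplet applies when the caller's fsuid owns the file (both uid 0 here); else use 'other'.
            bits = mode >> 6 if int(path['ouid']) == int(sc.get('fsuid', '0')) else mode & 0o7
            f.update(name=path['name'], mode=oct(mode), dac_allows_write=bool(bits & 0o2))
        findings.append(f)
    return findings

if __name__ == '__main__':
    print(*explain_dac_override(SAMPLE_AUDIT_LOG), sep='\n')
```

For serial 22 the output only says that a write was requested and no PATH record is available, which is exactly why Comment 3 asks for full auditing; for serial 28 it names /etc/mtab with mode 0o444 and dac_allows_write False.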