Bug 711995

| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/vnstatd from using the 'dac_override' capabilities. |
| Product | Fedora |
| Reporter | john.haxby <john.haxby> |
| Component | vnstat |
| Assignee | Adrian Reber <adrian> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | unspecified |
| Version | 15 |
| CC | adrian, blackcode, bugzilla.redhat, dominick.grift, dwalsh, h.reindl, mgrepl |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:143244ca6c169b509493ce800c9a3d3e82abbffbab847523b36ac8866dfbaa16 |
| Doc Type | Bug Fix |
| Last Closed | 2011-06-30 09:01:42 UTC |
Description
john.haxby@oracle.com
2011-06-09 08:48:25 UTC
Could you turn on full auditing

```
# auditctl -w /etc/shadow -p w
```

Try to recreate the AVC. Then execute

```
# ausearch -m avc -ts recent
```

Created attachment 503870 [details]: Output of ausearch

I thought you might want that ...

Note that I get exactly the same problem on two different machines with two different sets of network devices.

What are the permissions and ownership on /var/lib/vnstat/vboxnet0? The problem is that root is not allowed to access the file via permissions/ownership.

It doesn't exist:

```
$ ls -la /var/lib/vnstat
total 0
drwxr-xr-x. 1 vnstat vnstat   0 Jun  2 13:25 .
drwxr-xr-x. 1 root   root   760 Jun  9 09:37 ..
$ ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0 ..
```

/usr/sbin/vnstatd appears to be correct:

```
$ ls -lZ /usr/sbin/vnstatd
-rwxr-xr-x. root root system_u:object_r:vnstatd_exec_t:s0 /usr/sbin/vnstatd
```

Starting vnstatd simply by executing "/usr/sbin/vnstatd -d" works and, having done that, "systemctl start vnstat.service" works because the problematic files have been created in /var/lib/vnstat:

```
$ ls -la /var/lib/vnstat
total 20
drwxr-xr-x. 1 vnstat vnstat   88 Jun 10 08:29 .
drwxr-xr-x. 1 root   root    760 Jun  9 09:37 ..
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .em1
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vboxnet0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vpn0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .wlan0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 em1
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vboxnet0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vpn0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 wlan0
$ ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0 ..
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .em1
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vboxnet0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vpn0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .wlan0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 em1
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vboxnet0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vpn0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 wlan0
```

(Today I have a vpn0 in addition to the others I had yesterday.)

Can you suggest a get-me-started guide for SELinux? I know that the problem is that the files can't be created, but I don't know what to do to fix it.

I would figure the file is being opened by the root process:

```
type=AVC msg=audit(1307608675.747:264): avc: denied { dac_override } for pid=21656 comm="vnstatd" capability=1 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability
type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
```

uid=0: since the directory is owned by vnstat and the group is vnstat, root is not allowed to write. If you change the permissions on the directory with

```
chgrp root /var/lib/vnstat
chmod g+w /var/lib/vnstat
```

the SELinux issue will go away. Or if you changed the process to run as vnstat it would go away. Seems like you either misconfigured this app or vnstatd has a bug.

Thanks. I think vnstatd has a bug: I didn't do any configuration, so I guess vnstatd has a bug.

When running vnstat from cron it runs as user vnstat; when running via /etc/init.d/vnstat it runs as root. This seems to be indeed a bug. vnstat-1.11-2.fc16 should fix this. The daemon is now started as the vnstat user.

well, you should fix the pid-file too: /var/ is not writeable for the user "vnstat"; afaik best practice here would be /var/run/vnstat/vnstat.pid but remember: this subfolder has to be created via tmpfiles.d under a systemd environment - btw: why is this not converted to a systemd-unit?

Created attachment 527039 [details]: source-rpm with fixed pid-file and converted to systemd-unit

please take this one for >= F16 because it works and it is time to get the crappy sysv/lsb/systemd-mix away from the standard-packages!
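The diagnosis given in the thread (the owner/group/mode bits refuse root, so the kernel asks for CAP_DAC_OVERRIDE, which the vnstatd_t domain is not granted) can be re-derived mechanically from the AVC/SYSCALL pair. The script below is an added example and is not code from the bug report, from vnstat or from Fedora. It embeds the two quoted audit records as constructed input, assumes a numeric uid/gid of 1001 for the vnstat account (the page gives only the name), decodes the open(2) flags and mode from the SYSCALL record, applies the ordinary DAC rule to the directory as listed above (vnstat:vnstat, drwxr-xr-x), and then evaluates both remedies proposed in the thread with that same rule.

```python
"""Re-derive the dac_override diagnosis from the AVC/SYSCALL pair in an ausearch log.

Added example for this thread, not vnstat or Fedora code. The kernel asks for
CAP_DAC_OVERRIDE only after the ordinary owner/group/mode check has refused the
caller, so the fix is to make that check succeed rather than to grant the
capability in SELinux policy.
"""
import re

# Constructed sample input: the two records quoted in the thread, one event id.
AUDIT_RECORDS = """\
type=AVC msg=audit(1307608675.747:264): avc: denied { dac_override } for pid=21656 comm="vnstatd" capability=1 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability
type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
"""

# Assumed numeric ids for the vnstat service account; the page gives only the name.
VNSTAT_UID = VNSTAT_GID = 1001

CAPABILITY_NAMES = {1: "CAP_DAC_OVERRIDE"}            # capability=1 in the AVC record
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000    # open(2) flag bits on x86_64
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_audit_record(line):
    """One ausearch line -> dict of key=value fields (AVC lines also get 'perms'/'result')."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    if m:
        rec["perms"] = m.group(1).split()
        rec["result"] = "denied" if " denied " in line else "granted"
    return rec


def parse_audit_records(text):
    """Group records by the audit(...) event id so each AVC meets its SYSCALL."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_audit_record(line)
            events.setdefault(rec["msg"], {})[rec["type"]] = rec
    return events


def decode_open_flags(a1_hex):
    """Decode the SYSCALL record's a1 argument (open flags, hex) into names."""
    flags = int(a1_hex, 16)
    names = [("O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE?")[flags & 0o3]]
    for bit, name in ((O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND")):
        if flags & bit:
            names.append(name)
    return names


def dac_permits(uid, gids, owner, group, mode, want):
    """Classic UNIX discretionary check. Which permission triplet applies depends
    only on the caller's ids; uid 0 gets no special treatment here (that is what
    CAP_DAC_OVERRIDE adds, and SELinux gates it per domain)."""
    if uid == owner:
        bits = (mode >> 6) & 0o7
    elif group in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want


def diagnose(audit_text, dir_owner, dir_group, dir_mode):
    """Explain the single event in audit_text against the target directory's DAC state."""
    (event,) = parse_audit_records(audit_text).values()
    avc, sc = event["AVC"], event["SYSCALL"]
    uid, gid = int(sc["uid"]), int(sc["gid"])
    flags = decode_open_flags(sc["a1"])
    # Creating an entry (O_CREAT) needs write+search on the directory (bits 0o3);
    # opening an existing file for writing needs write (0o2) on the file itself.
    want = 0o3 if "O_CREAT" in flags else 0o2
    dac_ok = dac_permits(uid, {gid}, dir_owner, dir_group, dir_mode, want)
    return {
        "domain": avc["scontext"].split(":")[2],
        "capability": CAPABILITY_NAMES.get(int(avc["capability"]), avc["capability"]),
        "requested": avc["perms"],
        "selinux_result": avc["result"],
        "uid": uid,
        "errno": sc["exit"],
        "open_flags": flags,
        "create_mode": oct(int(sc["a2"], 16)),
        "dac_ok": dac_ok,
        # DAC refusing uid 0 is exactly what becomes a CAP_DAC_OVERRIDE request.
        "needs_dac_override": uid == 0 and not dac_ok,
    }


def remedies(dir_owner, dir_group, dir_mode):
    """Evaluate the two fixes proposed in the thread with the same DAC rule."""
    return {
        "chgrp root + chmod g+w, still run as root":
            dac_permits(0, {0}, dir_owner, 0, dir_mode | 0o020, 0o3),
        "run the daemon as the vnstat user":
            dac_permits(dir_owner, {dir_group}, dir_owner, dir_group, dir_mode, 0o3),
    }


if __name__ == "__main__":
    # /var/lib/vnstat as listed in the thread: vnstat:vnstat, drwxr-xr-x
    report = diagnose(AUDIT_RECORDS, VNSTAT_UID, VNSTAT_GID, 0o755)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    for fix, ok in remedies(VNSTAT_UID, VNSTAT_GID, 0o755).items():
        print(f"{'fixes it' if ok else 'does not':>20}: {fix}")
```

Run as-is, the report shows the open was `O_WRONLY|O_CREAT|O_TRUNC` with mode 0666 by uid 0 in domain vnstatd_t, that DAC refused the create, and that both remedies pass the DAC check; running the daemon as vnstat is the one the package fix adopted, which also keeps the daemon's data files from ending up owned by root as in the listing above.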