Bug 881031

Summary: SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.
Product: Fedora
Reporter: Matthew Saltzman <mjs>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl, vg.aetera
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:90aedddcf5e509167d9f179a63c6d7220302b28eb0cd66a2ce7a15ded42b5d07
Doc Type: Bug Fix
Last Closed: 2013-01-07 04:02:18 UTC
Attachments:
File: type (flags: none)
File: hashmarkername (flags: none)

Description Matthew Saltzman 2012-11-28 13:12:52 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.7-4.fc17.x86_64

description:
:SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file and generate the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to recreate AVC. Then execute
:# ausearch -m avc -ts recent
:If you see PATH record check ownership/permissions on file, and fix it, 
:otherwise report as a bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that perl should have the dac_read_search capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sa-update /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        sa-update
:Source Path                   /usr/bin/perl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           perl-5.14.3-217.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.7-4.fc17.x86_64 #1 SMP Tue Nov
:                              20 19:40:01 UTC 2012 x86_64 x86_64
:Alert Count                   8
:First Seen                    2012-11-28 04:10:02 EST
:Last Seen                     2012-11-28 06:00:13 EST
:Local ID                      1b4806a6-15a3-4228-af1c-733a70c9767d
:
:Raw Audit Messages
:type=AVC msg=audit(1354100413.729:1255): avc:  denied  { dac_read_search } for  pid=17354 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1354100413.729:1255): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3654b1e6eb a1=80000 a2=1b6 a3=238 items=0 ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sa-update,spamd_update_t,spamd_update_t,capability,dac_read_search
:
:audit2allow
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:
:audit2allow -R
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:
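As an added example (not part of the report, of setroubleshoot or of the selinux-policy project), the two raw audit records above are parsed the way the tools read them: the AVC is reduced to the allow rule that the audit2allow section shows, and the paired SYSCALL record's uid and exit fields are used to separate the "root process, directory owned by the spamd user" case raised later in the thread from a genuine policy gap. The capability-number table and the triage heuristic are this example's own assumptions.

```python
import re

# Raw records copied from the report above (the two halves of event 1255).
AVC = ('type=AVC msg=audit(1354100413.729:1255): avc:  denied  { dac_read_search } '
       'for  pid=17354 comm="sa-update" capability=2  '
       'scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability')
SYSCALL = ('type=SYSCALL msg=audit(1354100413.729:1255): arch=x86_64 syscall=open '
           'success=no exit=EACCES a0=7f3654b1e6eb a1=80000 a2=1b6 a3=238 items=0 '
           'ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
           'sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update exe=/usr/bin/perl '
           'subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)')
# Kernel capability numbering (first entries of linux/capability.h).
CAP_NAMES = {0: 'chown', 1: 'dac_override', 2: 'dac_read_search', 3: 'fowner'}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split an audit record into a dict; also pull out serial and { perms }."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r'msg=audit\([\d.]+:(\d+)\)', line)
    rec['serial'] = m.group(1) if m else None
    m = re.search(r'\{\s*([^}]*?)\s*\}', line)
    rec['perms'] = m.group(1).split() if m else []
    return rec

def allow_rule(avc):
    """The rule audit2allow derives from the AVC (compare the report's output)."""
    a = parse_record(avc)
    src, tgt = a['scontext'].split(':')[2], a['tcontext'].split(':')[2]
    return 'allow %s %s:%s %s;' % (src, 'self' if src == tgt else tgt,
                                   a['tclass'], ' '.join(a['perms']))

def triage(avc, syscall):
    """Pair the AVC with its SYSCALL record and say what the denial implies."""
    a, s = parse_record(avc), parse_record(syscall)
    if a['serial'] != s['serial'] or a['tclass'] != 'capability':
        raise ValueError('records do not describe one capability denial')
    cap = CAP_NAMES.get(int(a['capability']), 'unknown')
    as_root = s['uid'] == '0' and s['euid'] == '0'
    # A root process only needs dac_read_search when the directory it opens
    # is owned by another uid, so an EACCES here points at path ownership
    # (the question asked in the thread) before it points at a missing rule.
    if cap == 'dac_read_search' and as_root and s['exit'] == 'EACCES':
        cause = 'path-ownership: check who owns the directory sa-update opens'
    else:
        cause = 'policy: domain may genuinely need the capability'
    return {'domain': a['scontext'].split(':')[2], 'capability': cap,
            'root': as_root, 'syscall': s['syscall'], 'errno': s['exit'],
            'likely_cause': cause}
```

The same two functions work on the output of the `ausearch -m avc -ts recent` step the plugin recommends, where a PATH record with a non-root owner confirms the ownership case.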

Comment 1 Matthew Saltzman 2012-11-28 13:12:56 UTC
Created attachment 653512 [details]
File: type

Comment 2 Matthew Saltzman 2012-11-28 13:12:58 UTC
Created attachment 653513 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-11-28 15:38:55 UTC
Is spamd_update_t running as root while the sa_update directory is owned by spamd user?

Comment 4 Matthew Saltzman 2012-11-28 15:45:41 UTC
Not sure how to tell.  This is a standard installation of spamassassin-3.3.2-14.fc17.x86_64 that I use with evolution-spamassassin-3.4.4-2.fc17.x86_64.  I haven't made any changes post-install except to turn on spam checking in evolution.

Comment 5 Vladislav Grigoryev 2012-12-08 15:39:52 UTC
Confirm.

# grep SELinux /var/log/messages
Dec  8 05:05:19 srv08 setroubleshoot: SELinux is preventing /usr/bin/perl from using the dac_read_search capability. For complete SELinux messages. run sealert -l b9c001bb-5858-4c78-9d3f-a7515f00e96a

# rpm -q selinux-policy spamassassin perl 
selinux-policy-3.10.0-161.fc17.noarch
spamassassin-3.3.2-14.fc17.x86_64
perl-5.14.3-217.fc17.x86_64

Comment 6 Miroslav Grepl 2012-12-10 09:40:52 UTC
commit 0230bde3e44dd9f0e6cfcea387e51742f8b9430d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 10 10:39:25 2012 +0100

    Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories

Comment 7 Fedora Update System 2012-12-17 18:42:55 UTC
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17

Comment 8 Fedora Update System 2012-12-18 02:38:44 UTC
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-01-05 06:43:29 UTC
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-01-07 04:02:19 UTC
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.