Bug 1276958 - SELinux is preventing /usr/bin/lua from using the dac_override capability.
Status: CLOSED DUPLICATE of bug 1276956
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik

Reported: 2015-11-01 13:14 EST by Brian J. Murrell
Modified: 2016-03-29 04:06 EDT

Doc Type: Bug Fix
Last Closed: 2015-11-02 02:30:50 EST
Type: Bug


Description Brian J. Murrell 2015-11-01 13:14:51 EST
SELinux is preventing /usr/bin/lua from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing 
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that lua should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lua /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:system_r:prosody_t:s0
Target Objects                Unknown [ capability ]
Source                        lua
Source Path                   /usr/bin/lua
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           lua-5.1.4-14.el7.x86_64
Target RPM Packages   
Policy RPM                    selinux-policy-3.13.1-23.el7_1.17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6
                              01:06:18 UTC 2015 x86_64 x86_64
Alert Count                   16
First Seen                    2015-11-01 08:52:44 EST
Last Seen                     2015-11-01 10:56:53 EST
Local ID                      50a61fd6-8f40-49f1-8ee5-ecc2dc67f684

Raw Audit Messages
type=AVC msg=audit(1446393413.76:33625): avc:  denied  { dac_override } for  pid=17716 comm="lua" capability=1  scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability


type=AVC msg=audit(1446393413.76:33625): avc:  denied  { dac_read_search } for  pid=17716 comm="lua" capability=2  scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability


type=SYSCALL msg=audit(1446393413.76:33625): arch=x86_64 syscall=chdir success=no exit=EACCES a0=133b848 a1=10 a2=1342ca0 a3=1342c20 items=0 ppid=1 pid=17716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null)

Hash: lua,prosody_t,prosody_t,capability,dac_override
Comment 2 Miroslav Grepl 2015-11-02 02:30:50 EST

*** This bug has been marked as a duplicate of bug 1276956 ***
