Bug 1282836 - SELinux is preventing snapperd from using the 'dac_override' capabilities.
Summary: SELinux is preventing snapperd from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:98bc055844003ce05b0ee4f8524...
Depends On:
Blocks:
 
Reported: 2015-11-17 15:09 UTC by David Haller
Modified: 2018-09-09 21:00 UTC (History)
CC: 13 users

Fixed In Version: selinux-policy-3.13.1-158.1.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-08 00:49:08 UTC
Type: ---
Embargoed:



Description David Haller 2015-11-17 15:09:22 UTC
Description of problem:
Any snapper command fails if SELinux is enabled. However, snapper command executed by snapper-timeline.service run successfully. When I set SELinux to disabled, everything works again.
SELinux is preventing snapperd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to check whether the domain needs this access, or whether you have a file with the wrong permissions on your system
Then enable full auditing to obtain the path information for the offending file. Then reproduce the error again.
Do

Enable full auditing
# auditctl -w /etc/shadow -p w
Try to reproduce the AVC. Then run
# ausearch -m avc -ts recent
If a PATH record is shown, check the owner/permissions of the file and correct them;
otherwise, report this to Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you think that snapperd should have the dac_override permission by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do
allow the access now by running the following commands:
# grep snapperd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-17 16:00:16 CET
Last Seen                     2015-11-17 16:00:16 CET
Local ID                      cbb9a7b9-de6a-4173-a361-b09b97ba9d10

Raw Audit Messages
type=AVC msg=audit(1447772416.17:591): avc:  denied  { dac_override } for  pid=12131 comm="snapperd" capability=1  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: snapperd,snapperd_t,snapperd_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 1 Adam Nacy 2015-11-27 08:45:50 UTC
Description of problem:
This error occurred while trying to create a root config file for Snapper. My root partition is btrfs.

The error was occurring when trying to run the command: 'snapper -c root create-config /'

Error also occurred after installing the dnf snapper plugin, when dnf would try to create a snapshot before a transaction. 

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 2 Miroslav Grepl 2015-12-20 10:58:29 UTC
We will need to allow it.

Adam,
does it work with

# grep snapperd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 David Haller 2015-12-21 08:55:45 UTC
(In reply to Miroslav Grepl from comment #2)
> We will need to allow it.
> 
> Adam,
> does it work with
> 
> # grep snapperd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp

Yes, that works. But I have to repeat it for every snapper command, e.g. create-config and delete-config.

Comment 4 Lukas Vrabec 2016-01-08 00:49:08 UTC
commit 5b2a1bca851b93a0c10c0afe9b2bcb620ce48acd
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 21 11:14:09 2015 +0100

    Allow snapperd dac_override capability.
    
    It is needed for: 'snapper -c root create-config /' command.

Comment 5 Ryan Rowe 2016-04-24 19:24:02 UTC
Is this fixed? It doesn't work for me unless I setenforce 0.

selinux-policy-3.13.1-158.14.fc23.noarch
snapper-0.2.8-1.fc23.x86_64
4.4.6-301.fc23.x86_64

Comment 6 Lukas Vrabec 2016-04-25 08:03:59 UTC
Hi, 

Could you, after successfully reproducing this issue, attach the output of:
# ausearch -m AVC 

Thank you.

Comment 7 David Haller 2016-04-27 13:12:25 UTC
Snapper has dac_override now (this bug), but is still missing sys_admin, see other bug: https://bugzilla.redhat.com/show_bug.cgi?id=1283243

----
time->Wed Apr 27 15:05:48 2016
type=AVC msg=audit(1461762348.630:315): avc:  denied  { sys_admin } for  pid=7316 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0


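The two AVC records quoted in this bug (the dac_override denial in the description and the sys_admin denial in comment 7), parsed and turned into the same kind of local type-enforcement module that the `audit2allow -M mypol` workaround from comments 2 and 3 produces. This is an added example, not code from the bug report or from the selinux-policy project; the capability-number table is a partial copy of the values in the kernel's capability.h, and the `.te` layout mirrors audit2allow's output but is generated here by hand. The check that the numeric `capability=` field agrees with the permission name in braces is the kind of sanity check worth doing before trusting a grep of the audit log.

```python
"""Parse SELinux AVC audit records and build a minimal local policy module.

Added example, not part of the bug report: the sample lines below are the two
AVC records quoted in the report, and CAP_NAMES is a partial copy of the
capability numbers defined in the kernel's include/uapi/linux/capability.h.
"""
import re
from typing import Dict, List, Optional

# Numeric capability -> name, as the AVC "capability=" field reports it.
CAP_NAMES: Dict[int, str] = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    12: "net_admin", 16: "sys_module", 19: "sys_ptrace", 21: "sys_admin",
    23: "sys_nice", 24: "sys_resource",
}

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Copied verbatim from this bug (description and comment 7).
SAMPLE_AVCS: List[str] = [
    'type=AVC msg=audit(1447772416.17:591): avc:  denied  { dac_override } for  pid=12131 comm="snapperd" capability=1  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=AVC msg=audit(1461762348.630:315): avc:  denied  { sys_admin } for  pid=7316 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
]


def parse_avc(line: str) -> Optional[dict]:
    """Return a dict of the AVC record's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    for key in ("pid", "capability", "permissive"):
        if key in rec:
            rec[key] = int(rec[key])
    # The type (third colon-separated field) of a context is what policy rules name.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def capability_mismatch(rec: dict) -> Optional[str]:
    """Cross-check the numeric capability against the permission name in braces.
    Returns a description of the inconsistency, or None if the record is consistent."""
    if rec.get("tclass") != "capability":
        return None
    name = CAP_NAMES.get(rec.get("capability"))
    if name is None:
        return f"unknown capability number {rec.get('capability')}"
    if name not in rec["perms"]:
        return f"capability={rec['capability']} is {name} but perms are {rec['perms']}"
    return None


def build_module(records: List[dict], name: str = "mypol") -> str:
    """Emit a .te module allowing every denial in records, in audit2allow's shape.
    'self' is used when source and target types match, as for capability checks."""
    rules: Dict[tuple, set] = {}
    for r in records:
        if r["result"] != "denied":
            continue
        key = (r["source_type"], r["target_type"], r["tclass"])
        rules.setdefault(key, set()).update(r["perms"])
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes: Dict[str, set] = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_AVCS) if r]
    for r in recs:
        print(f"{r['comm']} pid={r['pid']} denied {r['perms']} "
              f"(enforcing={r['permissive'] == 0}) check={capability_mismatch(r)}")
    print(build_module(recs))
```

The generated module would be compiled and installed the same way as in comment 2 (`checkmodule`/`semodule_package`, or simply feed the original lines to `audit2allow -M`). Note that the second record asks for sys_admin, a far broader capability than dac_override, which is why the report tracks it as a separate policy bug rather than folding it into this fix; a local module granting it should be reviewed before `semodule -i` rather than installed blindly.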