Bug 1283243 - SELinux is preventing snapperd from using the 'sys_admin' capabilities.
SELinux is preventing snapperd from using the 'sys_admin' capabilities.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
x86_64 Unspecified
medium Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:92968ee5266767b5eeeeb027b8d...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-18 08:53 EST by Ezequiel Birman
Modified: 2016-07-13 20:24 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-184.fc24 selinux-policy-3.13.1-158.21.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-13 20:24:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ezequiel Birman 2015-11-18 08:53:00 EST
Description of problem:
trying to run 'sudo snapper -c home delete-config'
SELinux is preventing snapperd from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que snapperd debería tener la capacidad de sys_admin de forma predeterminada.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep snapperd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue
                              Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-11-18 10:45:02 ART
Last Seen                     2015-11-18 10:50:48 ART
Local ID                      8f75e8bd-9d17-4972-99f3-777d90f4f759

Raw Audit Messages
type=AVC msg=audit(1447854648.340:954): avc:  denied  { sys_admin } for  pid=14688 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: snapperd,snapperd_t,snapperd_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Comment 1 David Haller 2016-01-24 08:03:54 EST
Description of problem:
Deleting a snapshot with snapper delete fails because snapperd does not have the sys_admin capability. See previous bug https://bugzilla.redhat.com/show_bug.cgi?id=1282836, where the dac_override capability was missing which is fixed in Fedora 23 now, but the fix is incomplete as it doesn't cover all snapper commands.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-301.fc23.x86_64
type:           libreport
Comment 2 David Strauss 2016-04-26 16:37:17 EDT
Description of problem:
Attempted to delete a snapshot. Restoring selinux context to /.snapshots did not fix the issue.

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.7-300.fc23.x86_64
type:           libreport
Comment 3 Rabin 2016-06-16 06:51:08 EDT
Some more information i like to add to this ticket, 
when I try to run `snapper status 65..66` I get SELinux AVC message, with this information, 

``` 
SELinux is preventing snapperd from using the fowner capability.
```

```
# ausearch -c 'snapperd' --raw | audit2allow

#============= snapperd_t ==============
allow snapperd_t NetworkManager_initrc_exec_t:lnk_file getattr;

#!!!! The file '/.snapshots/65/snapshot/etc/firewalld/firewalld.conf' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /.snapshots/65/snapshot/etc/firewalld/firewalld.conf
allow snapperd_t firewalld_etc_rw_t:lnk_file getattr;

#!!!! This avc is allowed in the current policy
allow snapperd_t self:capability sys_admin;
allow snapperd_t self:capability fowner;

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_dir_t:dir { rmdir create };

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_dir_t:file { rename write unlink create };

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_t:dir rmdir;

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_t:file unlink;
allow snapperd_t virt_etc_rw_t:lnk_file getattr;

```

```
Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          ---
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.15.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ---
Platform                      Linux --- 4.5.6-200.fc23.x86_64 #1
                              SMP Wed Jun 1 21:28:20 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-06-16 12:12:21 IDT
Last Seen                     2016-06-16 13:44:51 IDT
Local ID                      db958b26-d230-4bbc-ae02-2773096d3b0f

```
Comment 4 Fedora Update System 2016-06-22 18:58:49 EDT
selinux-policy-3.13.1-158.20.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4c9c2badcb
Comment 5 Fedora Update System 2016-07-02 16:54:48 EDT
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7bed6e7c72
Comment 6 Fedora Update System 2016-07-13 20:23:35 EDT
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.