Bug 1451380 - SELinux is preventing systemd-logind from using the 'dac_read_search' capabilities.
Summary: SELinux is preventing systemd-logind from using the 'dac_read_search' capabil...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3ff06b86fc6bee08fe337bf928f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-16 14:24 UTC by Delete My Account
Modified: 2017-08-16 19:08 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-08-16 19:08:17 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Delete My Account 2017-05-16 14:24:49 UTC 
Description of problem:
SELinux is preventing systemd-logind from using the 'dac_read_search' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If si vuole aiutare ad identificare se al dominio serva questo accesso o se si possiede un file con i permessi sbagliati sul sistema
Then attivare l'auditing completo per ottenere le informazioni del percorso del file incriminato e generare nuovamente l'errore.
Do

Attivare il controllo completo auditing
# auditctl -w /etc/shadow -p w
Provare a ricreare AVC. Eseguire quindi
# ausearch -m avc -ts recent
Qualora si noti il record PATH, controllare la proprietà/i permessi sul file e correggerli,
altrimenti registrare un bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If si pensa che systemd-logind dovrebbe avere funzionalità dac_read_search in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:system_r:systemd_logind_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-253.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.12.0-0.rc0.git9.1.fc27.x86_64 #1
                              SMP Sat May 13 13:39:12 UTC 2017 x86_64 x86_64
Alert Count                   44
First Seen                    2017-05-16 07:43:19 CEST
Last Seen                     2017-05-16 16:20:41 CEST
Local ID                      6375f0fb-e120-434c-897a-2d0bb413e2ca

Raw Audit Messages
type=AVC msg=audit(1494944441.320:294): avc:  denied  { dac_read_search } for  pid=620 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0


Hash: systemd-logind,systemd_logind_t,systemd_logind_t,capability,dac_read_search

Version-Release number of selected component:
selinux-policy-3.13.1-253.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.0-0.rc0.git9.1.fc27.x86_64
type:           libreport
Comment 1 Micah Abbott 2017-07-25 18:26:04 UTC 
This is being observed on Fedora Rawhide Atomic Host.

# rpm-ostree status
State: idle
Deployments:
● rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20170724.n.0 (2017-07-24 11:01:23)
                    Commit: 508fedeefc8c6a00516070a7edacc1c05edd34a3471c1e6ebc3f8bb4f2640f88

# rpm -q kernel selinux-policy
kernel-4.13.0-0.rc1.git4.1.fc27.x86_64
selinux-policy-3.13.1-265.fc27.noarch


# journalctl -b | grep denied
Jul 25 17:40:21 micah-f26ah-vm0725a.localdomain audit[713]: AVC avc:  denied  { dac_read_search } for  pid=713 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u
:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jul 25 17:40:21 micah-f26ah-vm0725a.localdomain audit[713]: AVC avc:  denied  { dac_read_search } for  pid=713 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u
:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jul 25 17:40:21 micah-f26ah-vm0725a.localdomain audit[713]: AVC avc:  denied  { dac_read_search } for  pid=713 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u
:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jul 25 17:40:21 micah-f26ah-vm0725a.localdomain audit[713]: AVC avc:  denied  { dac_read_search } for  pid=713 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u
:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jul 25 17:40:21 micah-f26ah-vm0725a.localdomain audit[713]: AVC avc:  denied  { dac_read_search } for  pid=713 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u
:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Comment 2 Jan Kurik 2017-08-15 08:54:41 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 3 Micah Abbott 2017-08-16 19:08:17 UTC 
This appears to be fixed in Rawhide Atomic Host with 'selinux-policy-3.13.1-270.fc27.noarch'

# rpm-ostree status
State: idle
Deployments:
● rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20170815.n.1 (2017-08-15 20:34:47)
                    Commit: a5b8ef53e3e93ed057c65e0d2b0ddea7f392862e77b930595dca9c7811abbd78

# rpm -q selinux-policy
selinux-policy-3.13.1-270.fc27.noarch

# grep 'avc: denied' /var/log/audit/audit.log 
#
Note You need to log in before you can comment on or make changes to this bug.