Bug 1459910 - Latest update seems to block dac_read_search on many services at boot time
Latest update seems to block dac_read_search on many services at boot time
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
27
Unspecified Unspecified
unspecified Severity low
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 10:14 EDT by David Hill
Modified: 2018-05-22 06:53 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-283.34.fc27
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-22 06:53:44 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Hill 2017-06-08 10:14:36 EDT
Description of problem:
Latest update seems to block dac_read_search on many services at boot time

[root@otto audit]# grep denied audit.log  | grep dac_read
type=AVC msg=audit(1496931060.717:98): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931060.735:105): avc:  denied  { dac_read_search } for  pid=1218 comm="abrtd" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931060.754:111): avc:  denied  { dac_read_search } for  pid=1295 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.279:148): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.406:149): avc:  denied  { dac_read_search } for  pid=1994 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.312:207): avc:  denied  { dac_read_search } for  pid=2249 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.444:211): avc:  denied  { dac_read_search } for  pid=1259 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.497:215): avc:  denied  { dac_read_search } for  pid=2303 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.499:216): avc:  denied  { dac_read_search } for  pid=2304 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.560:234): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931067.679:243): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.277:253): avc:  denied  { dac_read_search } for  pid=2822 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.297:256): avc:  denied  { dac_read_search } for  pid=2840 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931069.935:257): avc:  denied  { dac_read_search } for  pid=2905 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931057.918:260): avc:  denied  { dac_read_search } for  pid=2937 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931058.957:266): avc:  denied  { dac_read_search } for  pid=2943 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931061.811:275): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.017:278): avc:  denied  { dac_read_search } for  pid=3466 comm="abrt-dbus" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1

Version-Release number of selected component (if applicable):


How reproducible:
Update

Steps to Reproduce:
1. Reboot
2.
3.

Actual results:
Lot's of selinux dac_read_search denied

Expected results:
Hidden or allowed

Additional info:
Comment 1 Jan Kurik 2017-08-15 03:44:12 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 2 Mustafa Mahudhawala 2017-08-25 00:40:53 EDT
I have the same problem after updating to F25. Looks like this blog from Dan Walsh explains this error well ..

http://danwalsh.livejournal.com/69478.html

And I did notice that we generally use 000 for /etc/shadow

# ls -l /etc/shadow*
----------. 1 root root 1352 Jul  4 18:40 /etc/shadow
----------. 1 root root 1478 Jul  4 18:40 /etc/shadow-

Which is where the services seems to be complaining about.

Is setting 600 for /etc/shadow a recommendation then based on above blog from Dan ?
Comment 3 Mustafa Mahudhawala 2017-08-25 00:42:21 EDT
Or at least 400 for /etc/shadow ?
Comment 4 Jan Pazdziora 2018-05-10 05:05:38 EDT
I no longer seem to see the issue with selinux-policy-3.13.1-283.34.fc27.noarch, for chronyd (bug 1449108) nor openssh (bug 1449110). Should this bugzilla be closed CURRENTRELEASE, with some fixed in version set?

Note You need to log in before you can comment on or make changes to this bug.