Bug 1459910 - Latest update seems to block dac_read_search on many services at boot time
Latest update seems to block dac_read_search on many services at boot time
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
27
Unspecified Unspecified
unspecified Severity low
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 10:14 EDT by David Hill
Modified: 2017-08-15 03:44 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Hill 2017-06-08 10:14:36 EDT
Description of problem:
Latest update seems to block dac_read_search on many services at boot time

[root@otto audit]# grep denied audit.log  | grep dac_read
type=AVC msg=audit(1496931060.717:98): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931060.735:105): avc:  denied  { dac_read_search } for  pid=1218 comm="abrtd" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931060.754:111): avc:  denied  { dac_read_search } for  pid=1295 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.279:148): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931062.406:149): avc:  denied  { dac_read_search } for  pid=1994 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.312:207): avc:  denied  { dac_read_search } for  pid=2249 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.444:211): avc:  denied  { dac_read_search } for  pid=1259 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.497:215): avc:  denied  { dac_read_search } for  pid=2303 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931063.499:216): avc:  denied  { dac_read_search } for  pid=2304 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.560:234): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931067.679:243): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.277:253): avc:  denied  { dac_read_search } for  pid=2822 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931068.297:256): avc:  denied  { dac_read_search } for  pid=2840 comm="chronyc" capability=2  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931069.935:257): avc:  denied  { dac_read_search } for  pid=2905 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931057.918:260): avc:  denied  { dac_read_search } for  pid=2937 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1496931058.957:266): avc:  denied  { dac_read_search } for  pid=2943 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931061.811:275): avc:  denied  { dac_read_search } for  pid=1216 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1496931064.017:278): avc:  denied  { dac_read_search } for  pid=3466 comm="abrt-dbus" capability=2  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability permissive=1

Version-Release number of selected component (if applicable):


How reproducible:
Update

Steps to Reproduce:
1. Reboot
2.
3.

Actual results:
Lot's of selinux dac_read_search denied

Expected results:
Hidden or allowed

Additional info:
Comment 1 Jan Kurik 2017-08-15 03:44:12 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Note You need to log in before you can comment on or make changes to this bug.