Description of problem:
SETroubleshoot notification at login appears, with this complaint.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-254.fc26.noarch
4.12.0-0.rc5.git0.1.fc27.x86_64

How reproducible:
Each boot.

Steps to Reproduce:
1. Boot
2.
3.

Actual results:
SELinux alert notification

Raw Audit Messages
type=AVC msg=audit(1497323290.409:242): avc: denied { dac_read_search } for pid=1656 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=0

Expected results:
No notification for just booting and logging in.

Additional info:
Could be related to upgrading the kernel from 4.11.3 to 4.12rc5; I don't recall these SELinux alerts happening prior to the upgrade.
Created attachment 1287141 [details] journal
Also happens with selinux-policy-3.13.1-257.fc26.noarch and manually relabelled.
*** Bug 1460884 has been marked as a duplicate of this bug. ***
*** Bug 1460880 has been marked as a duplicate of this bug. ***
*** Bug 1460881 has been marked as a duplicate of this bug. ***
dac_read_search usually indicates that a process running as root is trying to search through a directory that root does not have access to via ownership permissions, i.e. a directory with permissions like 550 where the owner and group are not root.
OK this definitely only happens with 4.12.0 kernels.
I believe there was a recent change in the kernel to do dac_read_search checks before dac_override. This means a lot of confined domains that allow access to dac_override are now going to get dac_read_search AVCs. Probably this will not block any access, but give an ugly AVC message. The kernel checks dac_read_search and then dac_override; if access is allowed by either, the access is allowed. There is probably a good bit of policy that should switch to only allowing dac_read_search and not allow dac_override, since dac_override is a lot more powerful.
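The following is an added illustration of the behaviour described in comments 7 and 9; it is not kernel code and not part of this bug report. It is a user-space model of the capability fallback the VFS applies when a directory's mode bits (e.g. 550, owned by a non-root user) refuse a capability-bearing caller, parameterised on which capability is asked about first. The type and function names (`struct domain`, `dir_capability_fallback`, `denials`) are our own, and the `rpcd_t` policy settings are assumed from the description in comment 9, not read from any real policy. It shows why a domain granted only dac_override gets a dac_read_search denial logged under the new ordering even though the access succeeds, and why granting only dac_read_search removes the AVC without weakening the domain.

```c
/*
 * Added illustration (not kernel code): model of the directory branch of the
 * VFS capability fallback, with a trace of which capability checks were made.
 * Each denied capable() check is what SELinux reports as an
 * "avc: denied { ... } tclass=capability" line under enforcing mode.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAY_EXEC  0x1   /* for a directory: search */
#define MAY_WRITE 0x2
#define MAY_READ  0x4

enum cap { CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2 };

/* Assumed policy for a confined domain: which capabilities it is allowed. */
struct domain {
    const char *name;
    bool allow_dac_override;
    bool allow_dac_read_search;
};

/* Record of the capability checks made during one permission decision. */
struct trace {
    enum cap checked[4];
    bool denied[4];
    int n;
};

/* Model of capable(): answer from the domain's policy and record the check. */
static bool capable(const struct domain *d, enum cap c, struct trace *t)
{
    bool ok = (c == CAP_DAC_OVERRIDE) ? d->allow_dac_override
                                      : d->allow_dac_read_search;
    if (t->n < 4) {
        t->checked[t->n] = c;
        t->denied[t->n] = !ok;
        t->n++;
    }
    return ok;
}

/*
 * Capability fallback for a directory whose mode bits already refused the
 * caller. Access is granted if either capability is held; the orderings differ
 * only in which capability is asked about first, and therefore in which
 * denial gets logged when a domain holds only one of them.
 *   new_order == false: ask for CAP_DAC_OVERRIDE first (pre-4.12 behaviour)
 *   new_order == true : ask for CAP_DAC_READ_SEARCH first on read/search
 *                       (4.12 behaviour as reported in this bug)
 */
static bool dir_capability_fallback(const struct domain *d, int mask,
                                    bool new_order, struct trace *t)
{
    bool read_or_search = !(mask & MAY_WRITE);

    memset(t, 0, sizeof *t);
    if (new_order) {
        if (read_or_search && capable(d, CAP_DAC_READ_SEARCH, t))
            return true;
        return capable(d, CAP_DAC_OVERRIDE, t);
    }
    if (capable(d, CAP_DAC_OVERRIDE, t))
        return true;
    return read_or_search && capable(d, CAP_DAC_READ_SEARCH, t);
}

/* Number of denied checks, i.e. AVC "denied" lines this lookup would produce. */
static int denials(const struct trace *t)
{
    int n = 0;
    for (int i = 0; i < t->n; i++)
        n += t->denied[i];
    return n;
}

static void show(const char *label, const struct domain *d, bool new_order)
{
    struct trace t;
    bool ok = dir_capability_fallback(d, MAY_READ | MAY_EXEC, new_order, &t);
    printf("%-22s %-8s search of 550 non-root dir: %s, %d AVC denial(s)\n",
           label, new_order ? "4.12" : "pre-4.12",
           ok ? "allowed" : "denied", denials(&t));
}

int main(void)
{
    /* rpcd_t as assumed from comment 9: dac_override allowed, dac_read_search not. */
    struct domain rpcd_before = { "rpcd_t", true, false };
    /* The policy change comment 9 argues for: only the weaker capability. */
    struct domain rpcd_after  = { "rpcd_t", false, true };

    show("dac_override only", &rpcd_before, false);
    show("dac_override only", &rpcd_before, true);
    show("dac_read_search only", &rpcd_after, true);
    return 0;
}
```

Under the 4.12 ordering the first scenario succeeds but records one denied check for CAP_DAC_READ_SEARCH, which is the cosmetic AVC the reporter sees; the third scenario (policy granting only dac_read_search) succeeds with no denial and still refuses a write, which is the direction the selinux-policy update takes.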
Fedora 25 and Fedora 26 will soon rebase on kernel 4.12. I get SELinux Troubleshooter notifications in GNOME throughout the day, it's super annoying. Yes I can disable all alerts, but I suspect once F25/F26 get 4.12 there are going to be a lot more complaints.
4.12 is in updates-testing and 4.11 has been discontinued upstream.
(In reply to Justin M. Forbes from comment #10)
> 4.12 is in updates-testing and 4.11 has been discontinued upstream.

I think the point was that 4.12 is broken. We needed to coordinate with selinux and try to get them to fix this BEFORE the 4.12 kernel was sent to stable. We really need this prioritized now by the SELinux team.
Hi Dusty, All we need is to push updates to bodhi. Will do asap today ;)
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.