Bug 1460882 - SELinux is preventing sm-notify from using the dac_read_search capability
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1460880 1460881 1460884
Depends On:
Blocks:
Reported: 2017-06-12 23:23 EDT by Chris Murphy
Modified: 2017-11-15 15:10 EST
CC List: 12 users

See Also:
Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-15 15:10:36 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
journal (329.77 KB, text/x-vhdl)
2017-06-12 23:24 EDT, Chris Murphy
no flags
Description Chris Murphy 2017-06-12 23:23:46 EDT
Description of problem:

SETroubleshoot notification at login appears, with this complaint.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-254.fc26.noarch
4.12.0-0.rc5.git0.1.fc27.x86_64


How reproducible:
Each boot.


Steps to Reproduce:
1. Boot

Actual results:

SELinux alert notification

Raw Audit Messages
type=AVC msg=audit(1497323290.409:242): avc:  denied  { dac_read_search } for  pid=1656 comm="sm-notify" capability=2  scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability permissive=0


Expected results:

No notification for just booting and logging in.


Additional info:

Could be related to upgrading the kernel from 4.11.3 to 4.12rc5; I don't recall these SELinux alerts happening prior to the upgrade.
Comment 1 Chris Murphy 2017-06-12 23:24 EDT
Created attachment 1287141 [details]
journal
Comment 2 Chris Murphy 2017-06-12 23:54:56 EDT
Also happens with selinux-policy-3.13.1-257.fc26.noarch and manually relabelled.
Comment 3 Lukas Vrabec 2017-06-13 08:53:12 EDT
*** Bug 1460884 has been marked as a duplicate of this bug. ***
Comment 4 Lukas Vrabec 2017-06-13 08:53:20 EDT
*** Bug 1460880 has been marked as a duplicate of this bug. ***
Comment 5 Lukas Vrabec 2017-06-13 08:53:24 EDT
*** Bug 1460881 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2017-06-14 10:54:53 EDT
dac_read_search usually indicates that a process running as root is trying to search through a directory that root does not have access to via ownership permissions, i.e. a directory with permissions like 550 where the owner and group are not root.
Comment 7 Chris Murphy 2017-07-04 21:23:38 EDT
OK this definitely only happens with 4.12.0 kernels.
Comment 8 Daniel Walsh 2017-07-06 07:41:51 EDT
I believe there was a recent change in the kernel to do dac_read_search checks before dac_override.  This means a lot of confined domains that allow access to dac_override are now going to get dac_read_search avcs.  Probably this will not block any access, but give an ugly avc message.

Kernel checks dac_read_search and then dac_override, if access is allowed in either the access is allowed.

There is probably a good bit of policy that should switch to only allowing dac_read_search and not allow dac_override, since dac_override is a lot more powerful.
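The check order described in comment 8, worked through as an added example (this is not code from the bug report, the kernel or the selinux-policy project). The block parses the raw AVC record from the description, models the directory-permission path of the kernel's generic_permission() in both orders so the "denied but access still granted" effect is visible, and prints the policy rule that grants only the weaker capability. The capability-check model is a deliberately simplified re-implementation and the capability set assumed for rpcd_t is hypothetical; neither is taken from the page.

```python
"""Parse a raw SELinux AVC record and model the kernel capability-check order
that comment 8 describes. Added example; not code from the bug report, the
kernel or the selinux-policy project. The check-order model is a simplified
re-implementation and is an assumption of this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Capability numbers from linux/capability.h; capability=2 in the AVC above
# is CAP_DAC_READ_SEARCH.
CAP_DAC_OVERRIDE = 1
CAP_DAC_READ_SEARCH = 2
CAP_NAMES = {CAP_DAC_OVERRIDE: "dac_override",
             CAP_DAC_READ_SEARCH: "dac_read_search"}

# The record from this bug's "Raw Audit Messages", embedded as sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1497323290.409:242): avc:  denied  { dac_read_search } '
    'for  pid=1656 comm="sm-notify" capability=2  '
    'scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 '
    'tclass=capability permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    result: str
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, ctx_field: str) -> str:
        # A context is user:role:type[:level]; policy rules name the type.
        return self.fields[ctx_field].split(":")[2]


def parse_avc(line: str) -> Avc:
    """Split one audit line into result, permission set and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), m.group("perms").split(), fields)


def dir_search_check(granted: Set[int], read_search_first: bool) -> Tuple[bool, List[str]]:
    """Model of generic_permission() for a read/search (non-write) access to a
    directory that ordinary DAC already refused (mode 0550, owner and group
    not root, as in comment 6). SELinux audits every capable() call it
    refuses, so a denied check is logged even when a later one grants access.
    Returns (access allowed, names of capabilities that produced AVC denials).
    Simplified model; an assumption of this example, not kernel code."""
    if read_search_first:          # 4.12 and later, per comment 8
        order = [CAP_DAC_READ_SEARCH, CAP_DAC_OVERRIDE]
    else:                          # earlier kernels
        order = [CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH]
    denials: List[str] = []
    for cap in order:
        if cap in granted:
            return True, denials
        denials.append(CAP_NAMES[cap])
    return False, denials


def classify(avc: Avc, domain_caps: Set[int]) -> str:
    """'cosmetic' when the denied dac_read_search would be followed by a
    successful dac_override check (the case comment 8 describes), otherwise
    'blocking'. domain_caps is what the loaded policy grants the domain."""
    if avc.fields.get("tclass") != "capability" or avc.result != "denied":
        return "not-a-capability-denial"
    if avc.perms == ["dac_read_search"] and CAP_DAC_OVERRIDE in domain_caps:
        return "cosmetic"
    return "blocking"


def suggested_rule(avc: Avc) -> str:
    """The policy rule that silences the denial by granting only the weaker
    capability, which comment 8 recommends over dac_override."""
    src, tgt = avc.type_of("scontext"), avc.type_of("tcontext")
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s %s;" % (src, target, avc.fields["tclass"], " ".join(avc.perms))


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    # Hypothetical: assume the domain is granted dac_override only.
    caps = {CAP_DAC_OVERRIDE}
    print(avc.fields["comm"], avc.type_of("scontext"), avc.perms)
    print("4.12 order :", dir_search_check(caps, read_search_first=True))
    print("older order:", dir_search_check(caps, read_search_first=False))
    print(classify(avc, caps), "->", suggested_rule(avc))
```

With the assumed capability set, the 4.12 order returns access granted plus a dac_read_search denial, while the older order returns access granted with no denial at all, which is exactly the "ugly avc message" that does not block anything. On a real system the capability set to feed into classify() comes from the loaded policy (sesearch -A -s rpcd_t -c capability), not from this example.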
Comment 9 Chris Murphy 2017-08-03 12:34:28 EDT
Fedora 25 and Fedora 26 will soon rebase on kernel 4.12. I get SELinux Troubleshooter notifications in GNOME throughout the day, it's super annoying. Yes I can disable all alerts, but I suspect once F25/F26 get 4.12 there are going to be a lot more complaints.
Comment 10 Justin M. Forbes 2017-08-11 09:47:56 EDT
4.12 is in updates-testing and 4.11 has been discontinued upstream.
Comment 11 Dusty Mabe 2017-08-14 08:46:20 EDT
(In reply to Justin M. Forbes from comment #10)
> 4.12 is in updates-testing and 4.11 has been discontinued upstream.

I think the point was that 4.12 is broken. We needed to coordinate with selinux and try to get them to fix this BEFORE the 4.12 kernel was sent to stable. We really need this prioritized now by the SELinux team.
Comment 12 Lukas Vrabec 2017-08-14 09:44:24 EDT
Hi Dusty, 

All we need is to push updates to bodhi. Will do asap today ;)
Comment 13 Fedora Update System 2017-10-26 08:31:20 EDT
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
Comment 14 Fedora Update System 2017-11-15 15:10:36 EST
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
