Bug 1477096 - SELinux is preventing accounts-daemon from using the dac_read_search capability.
SELinux is preventing accounts-daemon from using the dac_read_search capability.
Status: MODIFIED
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-01 04:32 EDT by Germano Massullo
Modified: 2017-08-23 11:17 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-260.4.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Germano Massullo 2017-08-01 04:32:56 EDT
Description of problem:
The following SELinux alert can cause PulseAudio crashes and system unable to detect audio devices

SELinux is preventing accounts-daemon from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If si vuole aiutare ad identificare se al dominio serva questo accesso o se si possiede un file con i permessi sbagliati sul sistema
Then attivare l'auditing completo per ottenere le informazioni del percorso del file incriminato e generare nuovamente l'errore.
Do

Attivare il controllo completo auditing
# auditctl -w /etc/shadow -p w
Provare a ricreare AVC. Eseguire quindi
# ausearch -m avc -ts recent
Qualora si noti il record PATH, controllare la proprietà/i permessi sul file e correggerli,
altrimenti registrare un bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If si pensa che accounts-daemon dovrebbe avere funzionalità dac_read_search in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Sconosciuto>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Sconosciuto>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux 4.12.3-301.fc26.x86_64 #1 SMP Tue
                              Jul 25 10:05:02 UTC 2017 x86_64 x86_64
Alert Count                   445
First Seen                    2017-07-28 09:03:28 CEST
Last Seen                     2017-08-01 10:26:26 CEST


Raw Audit Messages
type=AVC msg=audit(1501575986.814:8935): avc:  denied  { dac_read_search } for  pid=697 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0


Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search
Comment 1 Germano Massullo 2017-08-01 10:42:21 EDT
This is very similar

SELinux is preventing systemd-logind from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If si vuole aiutare ad identificare se al dominio serva questo accesso o se si possiede un file con i permessi sbagliati sul sistema
Then attivare l'auditing completo per ottenere le informazioni del percorso del file incriminato e generare nuovamente l'errore.
Do

Attivare il controllo completo auditing
# auditctl -w /etc/shadow -p w
Provare a ricreare AVC. Eseguire quindi
# ausearch -m avc -ts recent
Qualora si noti il record PATH, controllare la proprietà/i permessi sul file e correggerli,
altrimenti registrare un bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If si pensa che systemd-logind dovrebbe avere funzionalità dac_read_search in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:system_r:systemd_logind_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Sconosciuto>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Sconosciuto>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux 4.12.3-301.fc26.x86_64 #1 SMP Tue
                              Jul 25 10:05:02 UTC 2017 x86_64 x86_64
Alert Count                   402
First Seen                    2017-07-28 09:05:07 CEST
Last Seen                     2017-08-01 15:09:30 CEST
Local ID                      95971ec2-ba72-4640-abbc-b220f611c9d4

Raw Audit Messages
type=AVC msg=audit(1501592970.116:9043): avc:  denied  { dac_read_search } for  pid=687 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0


Hash: systemd-logind,systemd_logind_t,systemd_logind_t,capability,dac_read_search
Comment 2 Germano Massullo 2017-08-01 10:43:30 EDT
SELinux is preventing unix_chkpwd from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If si vuole aiutare ad identificare se al dominio serva questo accesso o se si possiede un file con i permessi sbagliati sul sistema
Then attivare l'auditing completo per ottenere le informazioni del percorso del file incriminato e generare nuovamente l'errore.
Do

Attivare il controllo completo auditing
# auditctl -w /etc/shadow -p w
Provare a ricreare AVC. Eseguire quindi
# ausearch -m avc -ts recent
Qualora si noti il record PATH, controllare la proprietà/i permessi sul file e correggerli,
altrimenti registrare un bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If si pensa che unix_chkpwd dovrebbe avere funzionalità dac_read_search in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
allow this access for now by executing:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd
# semodule -X 300 -i my-unixchkpwd.pp

Additional Information:
Source Context                system_u:system_r:chkpwd_t:s0
Target Context                system_u:system_r:chkpwd_t:s0
Target Objects                Unknown [ capability ]
Source                        unix_chkpwd
Source Path                   unix_chkpwd
Port                          <Sconosciuto>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Sconosciuto>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux  4.12.3-301.fc26.x86_64 #1 SMP Tue
                              Jul 25 10:05:02 UTC 2017 x86_64 x86_64
Alert Count                   51
First Seen                    2017-07-28 09:04:11 CEST
Last Seen                     2017-08-01 11:56:18 CEST

Raw Audit Messages
type=AVC msg=audit(1501581378.264:8985): avc:  denied  { dac_read_search } for  pid=14729 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0


Hash: unix_chkpwd,chkpwd_t,chkpwd_t,capability,dac_read_search
Comment 3 1786578565 2017-08-14 22:41:40 EDT
SELinux is preventing sm-notify and systemd_tmpfile from using the dac_read_search capability.

Note You need to log in before you can comment on or make changes to this bug.