Bug 1478643 - Some context are not allowed to use dac_read_search
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Assigned To: Lukas Vrabec
Ben Levenson
Reported: 2017-08-05 09:35 EDT by David Hill
Modified: 2017-08-26 17:03 EDT
CC List: 2 users

Type: Bug

Attachments: None
Description David Hill 2017-08-05 09:35:08 EDT
Description of problem:
Some processes are not allowed to use dac_read_search and generate the following logs:

type=AVC msg=audit(1501939812.110:1379501): avc:  denied  { dac_read_search } for  pid=1139 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1501939855.865:1379507): avc:  denied  { dac_read_search } for  pid=14932 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1501939168.731:1379226): avc:  denied  { dac_read_search } for  pid=13927 comm="smtpd" capability=2  scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=capability permissive=1

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Update to rawhide

Actual results:
Denied logs

Expected results:
Should be allowed or hidden under the carpet

Additional info:
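A small triage helper, added here as an example and not part of the bug report or the selinux-policy project: it parses AVC records like the three quoted above, maps capability=2 to CAP_DAC_READ_SEARCH, and counts denials per source domain and process name, keeping track of whether each denial was only logged (permissive=1) or actually blocked. The capability-number table covers only the few values relevant to this report.

```python
import re
from collections import Counter

# Capability numbers as defined in linux/capability.h (only the ones
# relevant to this kind of file-access triage are listed).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE",
             2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The three records quoted in the report, used here as sample input.
SAMPLE_LINES = [
    'type=AVC msg=audit(1501939812.110:1379501): avc:  denied  { dac_read_search } for  pid=1139 comm="systemd-logind" capability=2  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1501939855.865:1379507): avc:  denied  { dac_read_search } for  pid=14932 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1',
    'type=AVC msg=audit(1501939168.731:1379226): avc:  denied  { dac_read_search } for  pid=13927 comm="smtpd" capability=2  scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=capability permissive=1',
]

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if "capability" in rec:
        num = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES.get(num, "CAP_%d" % num)
    # permissive=1 means the access was logged but not actually blocked
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def summarize_capability_denials(lines, capability="dac_read_search"):
    """Count denials of one capability permission per (domain, comm, permissive)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "capability" and capability in rec["perms"]:
            domain = rec["scontext"].split(":")[2]  # user:role:type[:range]
            counts[(domain, rec["comm"], rec["permissive"])] += 1
    return counts

if __name__ == "__main__":
    for (domain, comm, permissive), n in summarize_capability_denials(SAMPLE_LINES).items():
        print(f"{domain:22} comm={comm:15} {n} denial(s), permissive={permissive}")
```

Feed it the output of `ausearch -m avc -ts recent` to see which domains would need a policy rule (or a dontaudit) before switching a host from permissive to enforcing.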
Comment 1 Jan Kurik 2017-08-15 04:59:31 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 2 switcher 2017-08-26 17:03:49 EDT
I am encountering the error below on Fed 25
Kernel 4.12.8-200.fc25.x86_64 (server edition) causes this error to occur about 10-20 entries per minute.  I am getting 1000s of them.

Kernel 4.11.12-200.fc25.x86_64  (server edition) generates this error, but at an extremely slow rate.

SELinux is preventing unix_chkpwd from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

I turned on full auditing as suggested above.  There have not been any PATH records produced by audit.

My hardware is Intel NUC7i5.  I am using raid1, LVM and no encryption.
