Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1509277 - SELinux prevents several domains from doing dac_read_search
SELinux prevents several domains from doing dac_read_search
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.5-Alt
All Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks: 1477564
  Show dependency treegraph
 
Reported: 2017-11-03 09:21 EDT by Steve Best
Modified: 2018-04-10 08:46 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-176.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:46:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
console (97.66 KB, text/plain)
2017-11-03 09:21 EDT, Steve Best 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:46 EDT

  None (edit)
Description Steve Best 2017-11-03 09:21:44 EDT 
Created attachment 1347348 [details]
console

Description of problem:
There are numerous audit msgs on RHEL 7.5-ALT nightly 
[   45.896682] audit: type=1400 audit(1509723988.131:6): avc:  denied  { execute
_no_trans } for  pid=2945 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0
" ino=34078725 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_
r:chronyc_exec_t:s0 tclass=file permissive=0
[   47.600873] audit: type=1400 audit(1509723989.841:7): avc:  denied  { dac_rea
d_search } for  pid=3099 comm="find" capability=2  scontext=system_u:system_r:po
stfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capabili
ty permissive=0
[   47.600966] audit: type=1400 audit(1509723989.841:8): avc:  denied  { dac_rea
d_search } for  pid=3099 comm="find" capability=2  scontext=system_u:system_r:po
stfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capabili
ty permissive=0

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.Using RHEL-ALT-7.5-20171103.n.0
2.look at console log 
3.

Actual results:
numerous audit avc

Expected results:
no avcs

Additional info:
Comment 2 Steve Grubb 2017-11-03 22:25:16 EDT 
This is a bit like opening a bug against rsyslog and saying there's messages in my logs. :-)

If I understand it right, you are seeing AVC's which might indicate there is a problem with selinux policy because there should be no AVC's. If this is correct, this bz should be transferred to selinux-policy so they can fix the policy to match system activity.
Comment 3 Milos Malik 2017-11-06 04:08:52 EST 
When the attachment file is piped into audit2allow, audit2allow says that following rules are missing:

allow getty_t self:capability dac_read_search;
allow passwd_t self:capability dac_read_search;
allow postfix_master_t self:capability dac_read_search;
Comment 6 Ilari Stenroth 2018-02-17 03:27:39 EST 
I'm suggesting this as a duplicate of #1532022.
Comment 9 errata-xmlrpc 2018-04-10 08:46:03 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.