Description of problem:
SELinux is preventing plymouthd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate the AVC. Then execute
# ausearch -m avc -ts recent
If you see a PATH record, check the ownership/permissions on the file and fix them; otherwise file a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that plymouthd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plymouthd' --raw | audit2allow -M my-plymouthd
# semodule -X 300 -i my-plymouthd.pp

Additional Information:
Source Context                system_u:system_r:plymouthd_t:s0
Target Context                system_u:system_r:plymouthd_t:s0
Target Objects                Unknown [ capability ]
Source                        plymouthd
Source Path                   plymouthd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.16.6-300.fc28.x86_64 #1 SMP Mon Apr 30 14:27:38 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-03 08:22:37 CEST
Last Seen                     2018-05-03 08:22:37 CEST
Local ID                      af3507f3-6183-4c1b-8b5a-02df7794f96b

Raw Audit Messages
type=AVC msg=audit(1525328557.29:414): avc: denied { dac_override } for pid=6467 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1

Hash: plymouthd,plymouthd_t,plymouthd_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.6-300.fc28.x86_64
type:           libreport
Hi,

Do you observe some issues on your system, or did you just report this SELinux denial but the system looks generally ok?
(In reply to Lukas Vrabec from comment #1)
> Hi,
>
> Do you observe some issues on your system, or did you just report this SELinux
> denial but the system looks generally ok?

I'm running in permissive mode so I can't give feedback on this. I didn't see this happening anymore after this single event.
Hi,

Could you turn on full auditing and then reproduce the scenario and add the logs from the audit log?

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate the AVC. Then execute
# ausearch -m avc -ts recent
If you see a PATH record, check the ownership/permissions on the file and fix them; otherwise file a bugzilla.

Thanks,
Lukas.
Hi, I'm not able to reproduce on my system.
Thank you for testing. If you are able to reproduce it, feel free to re-open this BZ.

Lukas.