Description of problem:
After upgrading to F28, accessing files on an NFS share (with cachefilesd.service enabled on the client) triggers this warning. The "SELinux Alert Browser" shows only one alert, but in fact 190 alerts were triggered within 3 seconds:

# ausearch -m avc -ts recent | grep -B1 cachefiles_kernel_ | grep -c 17:02:0[6-9]
190
# ausearch -m avc -ts recent | tail -1
type=AVC msg=audit(1525996930.024:922): avc: denied { dac_override } for pid=228 comm="kworker/u8:2" capability=1 scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0

SELinux is preventing kworker/u8:4 from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that u8:4 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kworker/u8:4' --raw | audit2allow -M my-kworkeru84
# semodule -X 300 -i my-kworkeru84.pp

Additional Information:
Source Context        system_u:system_r:cachefiles_kernel_t:s0
Target Context        system_u:system_r:cachefiles_kernel_t:s0
Target Objects        Unknown [ capability ]
Source                kworker/u8:4
Source Path           kworker/u8:4
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 4.16.7-300.fc28.x86_64 #1 SMP Wed May 2 20:09:13 UTC 2018 x86_64 x86_64
Alert Count           812
First Seen            2018-05-10 15:57:48 PDT
Last Seen             2018-05-10 17:02:10 PDT
Local ID              6fc24d18-109f-4117-86f0-3950396d6211

Raw Audit Messages
type=AVC msg=audit(1525996930.75:926): avc: denied { dac_override } for pid=70 comm="kworker/u8:1" capability=1 scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0

Hash: kworker/u8:4,cachefiles_kernel_t,cachefiles_kernel_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.7-300.fc28.x86_64
type:           libreport
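Added example (my own, not code from the bug report, setroubleshoot or selinux-policy): a POSIX sh + awk summariser for raw AVC records in the format that `ausearch -m avc --raw` prints, as quoted above. It collapses a burst of identical denials into one counted line per source domain, object class and permission, and a second function counts just the cachefiles_kernel_t dac_override denials, which is the check one wants after installing a policy update to confirm the denial is gone, rather than loading a local allow module for a kernel-thread domain as the catchall plugin suggests. The sample records below are constructed, modelled on the ones in the report; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report: summarise raw AVC denial
# records (the format printed by `ausearch -m avc --raw`) by source domain,
# object class and denied permission, so that a burst of identical denials
# is reported as one counted line instead of one alert per access.

# Constructed sample input, modelled on the records quoted in the report.
# (The real audit log has two spaces around "denied"; the awk below does
# not depend on that.)
SAMPLE_AVC='type=AVC msg=audit(1525996930.024:922): avc:  denied  { dac_override } for  pid=228 comm="kworker/u8:2" capability=1  scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1525996930.024:922): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1525996930.75:926): avc:  denied  { dac_override } for  pid=70 comm="kworker/u8:1" capability=1  scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1525996931.001:930): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarise_avc: audit records on stdin -> "count domain tclass permissions"
# lines on stdout, most frequent first. Only type=AVC "denied" records are
# counted; SYSCALL, PATH and granted records are skipped.
summarise_avc() {
    awk '
        $1 == "type=AVC" && /denied/ {
            # the denied permission list sits between "{" and "}"
            if (!match($0, /[{][^}]*[}]/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            sctx = ""; tcls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sctx = substr($i, 10)
                else if ($i ~ /^tclass=/) tcls = substr($i, 8)
            }
            # keep only the type (domain) part of user:role:type:level
            n = split(sctx, part, ":")
            dom = (n >= 3) ? part[3] : sctx
            count[dom " " tcls " " perms]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# cachefiles_dac_override_count: number of dac_override capability denials
# from cachefiles_kernel_t in the input. A non-zero result after installing
# a policy update means the denial reported in this bug is still present.
cachefiles_dac_override_count() {
    summarise_avc | awk '
        $2 == "cachefiles_kernel_t" && $3 == "capability" && $4 == "dac_override" { n += $1 }
        END { print n + 0 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
printf 'cachefiles dac_override denials: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AVC" | cachefiles_dac_override_count)"
```

On a live system the same functions read the audit log directly, for example `sudo ausearch -m avc --raw -ts recent | summarise_avc`; the summary line for cachefiles_kernel_t should disappear once a policy that grants the access is installed.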
FWIW, the NFS access is still permitted, so files on that share can still be read/written to, but each access triggers a new SELinux alert. Also, after the upgrade to F28 I relabeled the root disk by creating /.autorelabel and rebooting, but the SELinux alerts are still being generated.
The same alerts are being generated for CIFS shares on the same machine, so it's not specific to NFS shares:

$ grep /data /proc/mounts
cake:/mnt/data /mnt/nfs/data nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.115,fsc,local_lock=none,addr=192.168.0.100 0 0
//cake/data /mnt/smb/data cifs rw,nosuid,nodev,noexec,relatime,vers=3.0,sec=none,cache=strict,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.100,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,fsc,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1 0 0

For the time being, disabling cachefilesd or mounting network shares without "fsc" makes these alerts go away.
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
This is still happening. Rebooted, even relabeled the rootfs, no dice:

$ rpm -q selinux-policy cachefilesd
selinux-policy-3.14.1-29.fc28.noarch
cachefilesd-0.10.10-4.fc28.x86_64
$ cat /mnt/smb/media/foo.mp3 > /dev/null; echo $?
0
$ sudo ausearch -m avc -ts recent
----
time->Wed May 30 00:24:45 2018
type=AVC msg=audit(1527665085.631:11902): avc: denied { dac_override } for pid=26755 comm="kworker/u8:2" capability=1 scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:system_r:cachefiles_kernel_t:s0 tclass=capability permissive=0
$ mount | grep fsc
//cake/media on /mnt/smb/media type cifs (ro,nosuid,nodev,noexec,relatime,vers=3.0,sec=none,cache=strict,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.100,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,fsc,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
You are right. Sorry for that. Will be fixed in next selinux-policy update.
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.