Description of problem:
/root directory misses write permission. This causes AVC dac_override for services that use /root directory and run under user root.

Version-Release number of selected component (if applicable):
3.8-2.fc28

How reproducible:
rpmls filesystem | grep root

Steps to Reproduce:
1.
2.
3.

Actual results:
dr-xr-x--- /root

Expected results:
drwxr-xr-x /root

Additional info:

(In reply to Tomáš Korbař from comment #0)
> Expected results:
> drwxr-xr-x /root

Do you seriously think that /root should be world-readable?

(In reply to Kamil Dudka from comment #1)
> (In reply to Tomáš Korbař from comment #0)
> > Expected results:
> > drwxr-xr-x /root
>
> Do you seriously think that /root should be world-readable?

No, but it should be owner writeable :)
drwxr-x--- /root

(In reply to Jaroslav Škarvada from comment #2)
> (In reply to Kamil Dudka from comment #1)
> > (In reply to Tomáš Korbař from comment #0)
> > > Expected results:
> > > drwxr-xr-x /root
> >
> > Do you seriously think that /root should be world-readable?
>
> No, but it should be owner writeable :)
> drwxr-x--- /root

Is there any reason for read only mode?

(In reply to Jaroslav Škarvada from comment #3)
> (In reply to Jaroslav Škarvada from comment #2)
> > (In reply to Kamil Dudka from comment #1)
> > > (In reply to Tomáš Korbař from comment #0)
> > > > Expected results:
> > > > drwxr-xr-x /root
> > >
> > > Do you seriously think that /root should be world-readable?
> >
> > No, but it should be owner writeable :)
> > drwxr-x--- /root
>
> Is there any reason for read only mode?

I am able to reproduce it on my f27 machine too. Maybe it's there for a longer time and it has been just spotted due to change in SELinux policy enforcing dac_override check in f28+ :)

(In reply to Jaroslav Škarvada from comment #4)
> (In reply to Jaroslav Škarvada from comment #3)
> > (In reply to Jaroslav Škarvada from comment #2)
> > > (In reply to Kamil Dudka from comment #1)
> > > > (In reply to Tomáš Korbař from comment #0)
> > > > > Expected results:
> > > > > drwxr-xr-x /root
> > > >
> > > > Do you seriously think that /root should be world-readable?
> > >
> > > No, but it should be owner writeable :)
> > > drwxr-x--- /root
> >
> > Is there any reason for read only mode?
>
> I am able to reproduce it on my f27 machine too. Maybe it's there for a
> longer time and it has been just spotted due to change in SELinux policy
> enforcing dac_override check in f28+ :)

It seems it's there since 2009, commit cd01d2d6d54f59ef8e177d0391bc734fba470ef4, change due to bug 517575.

(In reply to Jaroslav Škarvada from comment #5)
> (In reply to Jaroslav Škarvada from comment #4)
> > (In reply to Jaroslav Škarvada from comment #3)
> > > (In reply to Jaroslav Škarvada from comment #2)
> > > > (In reply to Kamil Dudka from comment #1)
> > > > > (In reply to Tomáš Korbař from comment #0)
> > > > > > Expected results:
> > > > > > drwxr-xr-x /root
> > > > >
> > > > > Do you seriously think that /root should be world-readable?
> > > >
> > > > No, but it should be owner writeable :)
> > > > drwxr-x--- /root
> > >
> > > Is there any reason for read only mode?
> >
> > I am able to reproduce it on my f27 machine too. Maybe it's there for a
> > longer time and it has been just spotted due to change in SELinux policy
> > enforcing dac_override check in f28+ :)
>
> It seems it's there since 2009, commit
> cd01d2d6d54f59ef8e177d0391bc734fba470ef4, change due to bug 517575.

So it is intentional :) Well, personally, I can say that I don't like this "hack".

I am closing it as a dupe of bug 517575, because I do not have any real issue (so far) with this change, I just don't like this approach :)

*** This bug has been marked as a duplicate of bug 517575 ***
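
Added example, not part of the bug comments or of any Fedora package: a Python model of the owner/group/other mode-bit check for creating an entry in a directory, showing why a root-run service writing to a `dr-xr-x---` /root is not granted by the mode bits and depends on CAP_DAC_OVERRIDE, which SELinux mediates as `dac_override`. The function names are hypothetical, and POSIX ACLs and special bits are ignored as a simplifying assumption.

```python
def parse_ls_mode(text):
    """Convert an ls-style string such as 'dr-xr-x---' to permission bits.

    Setuid/setgid/sticky letters are read only for their execute bit.
    """
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    mode = 0
    for i, ch in enumerate(text[1:]):
        if ch not in "-ST":          # 'S'/'T' mean special bit without x
            mode |= 1 << (8 - i)
    return mode


def create_needs_dac_override(ls_mode, dir_uid, dir_gid, fsuid, groups):
    """True if creating an entry in the directory is not granted by its mode.

    Simplified model (assumption: no POSIX ACLs). Exactly one class is
    consulted (owner, else group, else other), so an owner without 'w'
    is not rescued by more permissive group or other bits; only
    CAP_DAC_OVERRIDE (SELinux: dac_override) lets the request through.
    """
    mode = parse_ls_mode(ls_mode)
    if fsuid == dir_uid:
        granted = (mode >> 6) & 0o7
    elif dir_gid in groups:
        granted = (mode >> 3) & 0o7
    else:
        granted = mode & 0o7
    needed = 0o3                     # write + search to add a directory entry
    return granted & needed != needed


if __name__ == "__main__":
    # Modes quoted in the thread, checked for a service running as root.
    for ls_mode in ("dr-xr-x---", "drwxr-x---", "drwxr-xr-x"):
        result = create_needs_dac_override(ls_mode, 0, 0, 0, {0})
        print(ls_mode, "needs CAP_DAC_OVERRIDE" if result else "granted by mode bits")
```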