Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1815789 - SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.
Summary: SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_over...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: 8.0
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-21 18:18 UTC by Simon Sekidde
Modified: 2020-04-30 14:02 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-30 14:02:37 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description Simon Sekidde 2020-03-21 18:18:27 UTC
Description of problem:

SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch

Actual results:

SELinux is preventing /usr/libexec/platform-python3.6 from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that platform-python3.6 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmd' --raw | audit2allow -M my-rhsmd
# semodule -X 300 -i my-rhsmd.pp


Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        rhsmd
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   12
First Seen                    2020-03-21 13:28:09 EDT
Last Seen                     2020-03-21 13:32:23 EDT
Local ID                      4e23965c-09fd-43d9-b912-c873629743e5

Raw Audit Messages
type=AVC msg=audit(1584811943.222:165): avc:  denied  { dac_override } for  pid=8392 comm="rhsmd" capability=1  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1584811943.222:165): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f035e831958 a2=800c1 a3=1a4 items=0 ppid=8391 pid=8392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmd exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: rhsmd,rhsmcertd_t,rhsmcertd_t,capability,dac_override

Comment 1 Zdenek Pytela 2020-03-23 07:35:28 UTC
Hi Simon,

Thank you for reporting the issue. The dac_override permission is requested on an access attempt where DAC permission do not allow this access, the file path is not audited though. Please follow the recommendations of the restorecon plugin to turn on full auditing and when reproduced again, check permissions for the file or directory.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

Comment 2 Zdenek Pytela 2020-04-29 15:55:33 UTC
Simon,

Did you manage to check if permissions are correct? If you want us to continue working on this bz, could you provide the requested information or reproducer steps?

Comment 3 Simon Sekidde 2020-04-30 14:02:37 UTC
Zdenek, 

I am unable to reproduce this issue on a clean OS install. Thanks.


Note You need to log in before you can comment on or make changes to this bug.