Description of problem:
SELinux is preventing mandb from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mandb should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mandb' --raw | audit2allow -M my-mandb
# semodule -X 300 -i my-mandb.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0
Target Context                system_u:system_r:mandb_t:s0
Target Objects                Unknown [ capability ]
Source                        mandb
Source Path                   mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.5-42.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-42.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.18-300.fc32.x86_64 #1 SMP Wed Jun 10 21:38:25 UTC 2020 x86_64 x86_64
Alert Count                   72
First Seen                    2020-07-22 13:56:25 CDT
Last Seen                     2020-07-27 12:06:50 CDT
Local ID                      2ee9cf25-f3b0-4c6f-8672-5424d1099c27

Raw Audit Messages
type=AVC msg=audit(1595869610.186:96582): avc: denied { sys_admin } for pid=2363759 comm="mandb" capability=21 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0

Hash: mandb,mandb_t,mandb_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-3.14.5-42.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.13.1
hashmarkername: setroubleshoot
kernel:         5.6.18-300.fc32.x86_64
type:           libreport
Hi,

The sys_admin capability is very powerful so it should not be required.

Do you know at which condition the request has been made? Has something changed in the services recently or is it a result of a configuration change?

To investigate further, you can enable full auditing in the audit daemon:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario or wait for the nightly job to run.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Refer to capabilities(7):

CAP_SYS_ADMIN
    Note: this capability is overloaded; see Notes to kernel developers, below.

    * Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), pivot_root(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
    * perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations);
    * perform VM86_REQUEST_IRQ vm86(2) command;
    * perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;
    * override RLIMIT_NPROC resource limit;
    * perform operations on trusted and security Extended Attributes (see xattr(7));
    * use lookup_dcookie(2);
    * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
    * forge PID when passing socket credentials via UNIX domain sockets;
    * exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));
    * employ CLONE_* flags that create new namespaces with clone(2) and unshare(2) (but, since Linux 3.8, creating user namespaces does not require any capability);
    * call perf_event_open(2);
    * access privileged perf event information;
    * call setns(2) (requires CAP_SYS_ADMIN in the target namespace);
    * call fanotify_init(2);
    * call bpf(2);
    * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations;
    * perform madvise(2) MADV_HWPOISON operation;
    * employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;
    * employ the obsolete nfsservctl(2) system call;
    * employ the obsolete bdflush(2) system call;
    * perform various privileged block-device ioctl(2) operations;
    * perform various privileged filesystem ioctl(2) operations;
    * perform privileged ioctl(2) operations on the /dev/random device (see random(4));
    * install a seccomp(2) filter without first having to set the no_new_privs thread attribute;
    * modify allow/deny rules for device control groups;
    * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to dump tracee's seccomp filters;
    * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend the tracee's seccomp protections (i.e., the PTRACE_O_SUSPEND_SECCOMP flag);
    * perform administrative operations on many device drivers.
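The comment above warns against simply loading the audit2allow module that setroubleshoot proposes, because the rule it would emit grants a confined domain CAP_SYS_ADMIN. The script below is an added example for this thread, not code from the report, from setroubleshoot or from the selinux-policy package: it parses the raw AVC records that step 6 collects, collapses them into the (source type, target type, class, permission) tuples audit2allow would turn into allow rules, and flags the rows that would hand out a high-risk capability so those get investigated and reported instead of allowed. The first sample record is the one quoted in the report; the other sample lines, the man_cache_t file denial and the SYSCALL record, are constructed, and the HIGH_RISK_CAPABILITIES set is an assumed judgement call rather than anything the policy defines.

```python
import re
from collections import defaultdict

# Capability bit numbers from <linux/capability.h>; capability=21 in the
# report is CAP_SYS_ADMIN.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}

# Capabilities a local allow rule should not hand to a confined domain without
# investigation (assumed judgement call; sys_admin alone is close to full root).
HIGH_RISK_CAPABILITIES = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "dac_override",
    "dac_read_search", "setuid", "setgid", "mac_admin", "mac_override", "bpf",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """system_u:system_r:mandb_t:s0 -> mandb_t (the type field of a context)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "enforced": fields.get("permissive") == "0",  # permissive=0: denial was enforced
    }
    if "capability" in fields:
        num = int(fields["capability"])
        rec["capability"] = CAPABILITY_NAMES.get(num, f"unknown({num})")
    return rec


def triage(lines):
    """Collapse denials into the (source, target, class, permission) tuples that
    audit2allow would turn into allow rules, and flag the high-risk ones."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "enforced": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        same = rec["scontext"] == rec["tcontext"]
        target = "self" if same else context_type(rec["tcontext"])
        for perm in rec["perms"]:
            g = groups[(context_type(rec["scontext"]), target, rec["tclass"], perm)]
            g["count"] += 1
            if rec["pid"] is not None:
                g["pids"].add(rec["pid"])
            g["enforced"] = g["enforced"] or rec["enforced"]
    results = []
    for (src, target, tclass, perm), g in sorted(groups.items()):
        high_risk = tclass == "capability" and perm in HIGH_RISK_CAPABILITIES
        results.append({
            "source": src, "target": target, "tclass": tclass, "perm": perm,
            "count": g["count"], "pids": sorted(g["pids"]), "enforced": g["enforced"],
            "high_risk": high_risk,
            # The rule audit2allow would emit; for high-risk rows the point is not to load it.
            "proposed_rule": f"allow {src} {target}:{tclass} {perm};",
            "advice": ("do not allow: enable full auditing and report to selinux-policy"
                       if high_risk else "candidate for a local policy module"),
        })
    return results


SAMPLE_AVC_LINES = [
    # Verbatim from the report above.
    'type=AVC msg=audit(1595869610.186:96582): avc: denied { sys_admin } for pid=2363759 comm="mandb" capability=21 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0',
    # Constructed: a second hit from a later mandb run.
    'type=AVC msg=audit(1595956010.412:97120): avc:  denied  { sys_admin } for  pid=2401188 comm="mandb" capability=21  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0',
    # Constructed: a file denial logged while the domain was permissive.
    'type=AVC msg=audit(1595956011.001:97121): avc:  denied  { write } for  pid=2401188 comm="mandb" name="index.db" dev="dm-0" ino=131077 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:man_cache_t:s0 tclass=file permissive=1',
    # Constructed: the SYSCALL record that full auditing attaches; not an AVC line.
    'type=SYSCALL msg=audit(1595956010.412:97120): arch=c000003e syscall=165 success=no exit=-1 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t:s0 key=(null)',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_AVC_LINES):
        flag = "HIGH RISK" if r["high_risk"] else "ok"
        mode = "enforcing" if r["enforced"] else "permissive"
        print(f"[{flag:9}] {r['proposed_rule']:50} x{r['count']} ({mode}): {r['advice']}")
```

Feed it the output of `ausearch -m avc,user_avc --raw -ts today` (one record per line) and it prints the same rule text audit2allow would generate, so the sys_admin row from this report shows up as HIGH RISK with the advice to audit rather than allow, while ordinary file or directory denials remain candidates for a local module. With full auditing enabled as described above, the SYSCALL record that follows each AVC line (syscall 165 is mount on x86_64, a typical CAP_SYS_ADMIN consumer) is what tells you which call mandb actually made; the parser skips those records, but they are the next thing to read for the flagged rows.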
Whatever caused this, I have not been able to reproduce it since, so I'm just closing this as NOTABUG.