Bug 1931470 - avc: denied { fowner } comm="groupadd" comm="mandb" capability=3
Summary: avc: denied { fowner } comm="groupadd" comm="mandb" capability=3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1938573
Depends On:
Blocks:
Reported: 2021-02-22 13:41 UTC by Bruno Goncalves
Modified: 2021-05-09 01:15 UTC

Fixed In Version: selinux-policy-3.14.6-37.fc33
Clone Of:
Environment:
Last Closed: 2021-05-09 01:15:07 UTC
Type: Bug
Embargoed:



Description Bruno Goncalves 2021-02-22 13:41:43 UTC
Description of problem:
During CKI test on upstream kernel (kernel 5.11.0) we hit some avc denied:

selinux-policy-3.14.6-34.fc33.noarch
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.297:190): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:43 2021
type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-34.fc33.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Fedora 33 on beaker server, update kernel to kernel 5.11.0

kernel used can be found at https://xci32.lab.eng.rdu2.redhat.com/cki-project/cki-pipeline/-/jobs/1109559/artifacts/raw/artifacts/kernel-block-x86_64-2709d6ab511e0401303c6706c2af8a45ef5b49f4.tar.gz

2. clone kernel-tests repo from https://gitlab.com/cki-project/kernel-tests

3. run tests like acpi/acpitable and filesystems/cifs/connectathon

Actual results:


SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.6-34.fc33.noarch
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:32 2021
type=AVC msg=audit(1614000452.297:190): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
----
time->Mon Feb 22 14:27:43 2021
type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1

Comment 3 Zdenek Pytela 2021-02-22 13:54:36 UTC
Note for groupadd we have it allowed in rawhide:

commit 7bc150ab60d036691955ec1a5a8f2f8b8a3ba567
Author: Zdenek Pytela <zpytela>
Date:   Tue Nov 24 18:08:26 2020 +0100

    Add groupadd_t fowner capability

    The sssd daemon is configured to run as a non-root user. Its database
    files need to have ownership changed accordingly, as a result some
    capabilities may be required to change metadata of the files.

    When sss_cache is called as a child of groupadd executed from a confined
    domain, e. g. rpm_script_t, it needs the fowner capability for groupadd_t
    to complete the groupadd command and run utime() syscall.

    Resolves: rhbz#1884179

Comment 4 Bruno Goncalves 2021-03-03 12:27:24 UTC
another similar occurrence:

time->Tue Mar  2 23:30:06 2021
type=AVC msg=audit(1614745806.165:116): avc:  denied  { fowner } for  pid=732 comm="sadc" capability=3  scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability permissive=1

Comment 6 Zdenek Pytela 2021-03-03 13:48:21 UTC
The AVC denial does not show the syscall which triggered it. Can you share the reproducing steps, or enable full auditing to gather additional information?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run the scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
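The AVC records quoted in this bug, and the ausearch output the steps above collect, can be reduced to a per-domain summary with a small parser. This is an added example, not code from the report or from selinux-policy; it decodes the numeric capability (capability=3 is CAP_FOWNER), groups denials by source type, target type, class and permission, and flags which ones were actually enforced rather than only logged in permissive mode. The sample log is constructed from the records in this bug plus one invented enforcing-mode file denial (comm="logscan", type logscan_t) for contrast.

```python
# Added example (not from the bug report or selinux-policy): parse AVC
# records like the ones quoted above and summarise them per source domain.
import re
from collections import defaultdict
# Linux capability numbers as they appear in the "capability=N" field.
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search",
                    3: "fowner", 4: "fsetid", 6: "setgid", 7: "setuid",
                    12: "net_admin", 19: "sys_ptrace", 21: "sys_admin"}
# Constructed sample: three records from this bug plus one invented
# enforcing-mode (permissive=0) file denial for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1614000452.281:189): avc:  denied  { fowner } for  pid=11315 comm="groupadd" capability=3  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1614000463.134:220): avc:  denied  { fowner } for  pid=11463 comm="mandb" capability=3  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1614745806.165:116): avc:  denied  { fowner } for  pid=732 comm="sadc" capability=3  scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1614745900.000:117): avc:  denied  { read } for  pid=800 comm="logscan" path="/var/log/example.log" scontext=system_u:system_r:logscan_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: capability=(?P<cap>\d+))?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])')

def parse_avc(line):
    """Fields of one AVC record as a dict, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = rec["permissive"] == "1"  # 1 = logged only, not enforced
    if rec["cap"] is not None:  # decode capability=3 -> fowner
        rec["cap"] = CAPABILITY_NAMES.get(int(rec["cap"]), "cap#" + rec["cap"])
    # A context is user:role:type:level; policy rules refer to the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarise(log_text):
    """Count denials per (source type, target type, class, permission)."""
    out = defaultdict(lambda: {"count": 0, "comms": set(), "enforced": False})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            e = out[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            e["count"] += 1
            e["comms"].add(rec["comm"])
            e["enforced"] |= not rec["permissive"]  # a call was really blocked
    return dict(out)

def rule_body(key):
    """Rule body for one key; 'allow' vs 'dontaudit' prefix is the maintainer's call."""
    stype, ttype, tclass, perm = key
    return f"{stype} {'self' if stype == ttype else ttype}:{tclass} {perm};"
```

For the groupadd_t records the body comes out as `groupadd_t self:capability fowner;`, which is the same rule the rawhide commit in comment 3 added as an allow and the Fedora 33 fix in comment 9 carries as a dontaudit.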

Comment 7 Zdenek Pytela 2021-03-16 19:24:43 UTC
*** Bug 1938573 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2021-04-27 10:12:09 UTC
Cherry-picking the dontaudit rawhide commit:
https://github.com/fedora-selinux/selinux-policy/pull/703

Comment 10 Fedora Update System 2021-04-28 11:34:02 UTC
FEDORA-2021-050d4e8def has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def

Comment 11 Fedora Update System 2021-04-29 01:45:43 UTC
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-050d4e8def`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-05-09 01:15:07 UTC
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

