Bug 517728 - Changes for lowering capabilities project
Summary: Changes for lowering capabilities project
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: smartmontools
Version: rawhide
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 519823
Reported: 2009-08-16 12:16 UTC by Steve Grubb
Modified: 2010-02-01 09:54 UTC (History)
Doc Type: Bug Fix
Last Closed: 2009-09-03 14:39:43 UTC

Attachments
Patch to drop capabilities (1.88 KB, patch)
2009-08-16 12:16 UTC, Steve Grubb
Patch to drop capabilities (2.86 KB, patch)
2009-08-21 16:12 UTC, Steve Grubb
Patch to drop capabilities (2.89 KB, patch)
2009-09-03 07:19 UTC, Michal Hlavinka

Description Steve Grubb 2009-08-16 12:16:41 UTC
Created attachment 357567
Patch to drop capabilities

Description of problem:
As part of the lowering capabilities project, we should drop all unnecessary
capabilities in all daemons.

Comment 1 Michal Hlavinka 2009-08-17 09:54:03 UTC
Thanks for the patch. Is this patch tested? Sent upstream?

Comment 2 Steve Grubb 2009-08-20 13:56:52 UTC
I am running with it on my F-11 system. I have not sent it upstream. The capability confinement is based on SELinux policy settings, which I assume no one is complaining about.

Comment 3 Michal Hlavinka 2009-08-21 11:03:09 UTC
OK, I've built a new package with the patch. One question remains: should this patch be sent upstream, or is it Fedora-specific only?

Comment 4 Steve Grubb 2009-08-21 13:44:53 UTC
A slight variation on this patch should be sent upstream. I need to add the m4 macro to it for distros that may not have libcap-ng well integrated. 

By the way, I think I forgot to tell you that you also need to add
BuildRequires: libcap-ng-devel and that you will need to add:

touch ChangeLog
autoreconf -i

to the spec file in the %build section (re-opening the bz for this, sorry). If you want, I can attach the patch that would be upstreamed to the bz.

Comment 5 Michal Hlavinka 2009-08-21 13:55:49 UTC
ok

btw, I understand the autoreconf -i part, but why is there a need to touch ChangeLog?

ok, attach that new patch when ready

thanks

Comment 6 Steve Grubb 2009-08-21 16:11:11 UTC
If you don't do the touch ChangeLog, the build fails with:

Makefile.am: required file `./ChangeLog' not found
autoreconf: automake failed with exit status: 1
error: Bad exit status from /home/sgrubb/working/tmp/rpm-tmp.r5zEfY (%build)

Comment 7 Steve Grubb 2009-08-21 16:12:22 UTC
Created attachment 358261
Patch to drop capabilities

This patch fixes configure.in for more distros to use.

Comment 8 Steve Grubb 2009-08-24 12:35:08 UTC
I forgot to mention that you need to add BuildRequires: libcap-ng-devel so that configure finds the library to link against it. Do you mind re-spinning with the BR added? Thanks.

Comment 9 Michal Hlavinka 2009-08-26 15:16:24 UTC
ok, I'll do it.

I'll also send this patch upstream, as I presume you did not send it, right?

Comment 10 Michal Hlavinka 2009-08-27 06:37:24 UTC
Some changes are required in SELinux:

SELinux is preventing smartd (fsdaemon_t) "getcap" fsdaemon_t. 
SELinux is preventing smartd (fsdaemon_t) "setcap" fsdaemon_t. 
SELinux is preventing smartd (fsdaemon_t) "setpcap" fsdaemon_t. 

changes are required for Fedora 11 and rawhide

-----------------------------------

Additional Information:

Source Context                unconfined_u:system_r:fsdaemon_t:s0
Target Context                unconfined_u:system_r:fsdaemon_t:s0
Target Objects                None [ process ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          krles.englab.brq.redhat.com
Source RPM Packages           smartmontools-5.38-15.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     krles.englab.brq.redhat.com
Platform                      Linux krles.englab.brq.redhat.com
                              2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
                              EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen                     Wed 26 Aug 2009 06:01:02 PM CEST
Local ID                      e04d5805-f48a-41fa-bf3a-089b7f4ec6bc
Line Numbers                  

Raw Audit Messages            

node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34287): avc:  denied  { getcap } for  pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process

node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34287): arch=c000003e syscall=125 success=yes exit=0 a0=7f1dfaa70714 a1=7f1dfaa7071c a2=2 a3=7fff1fd02d70 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)

--------------------------

Additional Information:

Source Context                unconfined_u:system_r:fsdaemon_t:s0
Target Context                unconfined_u:system_r:fsdaemon_t:s0
Target Objects                None [ capability ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          krles.englab.brq.redhat.com
Source RPM Packages           smartmontools-5.38-15.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     krles.englab.brq.redhat.com
Platform                      Linux krles.englab.brq.redhat.com
                              2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
                              EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen                     Wed 26 Aug 2009 06:01:02 PM CEST
Local ID                      bae0fad4-75db-4736-b642-88542321dbb4
Line Numbers                  

Raw Audit Messages            

node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34288): avc:  denied  { setpcap } for  pid=20186 comm="smartd" capability=8 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability

node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34288): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=1 a3=0 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)

--------------------------

Additional Information:

Source Context                unconfined_u:system_r:fsdaemon_t:s0
Target Context                unconfined_u:system_r:fsdaemon_t:s0
Target Objects                None [ process ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          krles.englab.brq.redhat.com
Source RPM Packages           smartmontools-5.38-15.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     krles.englab.brq.redhat.com
Platform                      Linux krles.englab.brq.redhat.com
                              2.6.30.5-32.fc11.x86_64 #1 SMP Mon Aug 17 16:38:32
                              EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 26 Aug 2009 05:33:53 PM CEST
Last Seen                     Wed 26 Aug 2009 06:01:02 PM CEST
Local ID                      52d961fc-f7b6-4475-a327-74e4c48e6384
Line Numbers                  

Raw Audit Messages            

node=krles.englab.brq.redhat.com type=AVC msg=audit(1251302462.690:34289): avc:  denied  { setcap } for  pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process

node=krles.englab.brq.redhat.com type=SYSCALL msg=audit(1251302462.690:34289): arch=c000003e syscall=126 success=yes exit=0 a0=7f1dfaa70714 a1=7f1dfaa7071c a2=2 a3=7fff1fd02d70 items=0 ppid=20185 pid=20186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)

Comment 11 Michal Hlavinka 2009-08-27 06:39:49 UTC
adding dwalsh to cc-list for selinux part of this bug

Comment 12 Daniel Walsh 2009-08-27 12:44:46 UTC
Miroslav, can you add

allow fsdaemon_t self:capability setpcap;
allow fsdaemon_t self:process { getcap setcap };

to smartmon.te
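
How the three denials in comment 10 map onto the two rules requested in comment 12, as an added example (not code from this bug or from any SELinux tool): it pairs each AVC record with its SYSCALL record by audit ID and groups denied permissions into allow rules. The function names and the syscall lookup table are assumptions of this sketch.

```python
import re

# Audit records from comment 10 of this bug, trimmed to the fields used below.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1251302462.690:34287): avc:  denied  { getcap } for  pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process
type=SYSCALL msg=audit(1251302462.690:34287): arch=c000003e syscall=125 success=yes comm="smartd"
type=AVC msg=audit(1251302462.690:34288): avc:  denied  { setpcap } for  pid=20186 comm="smartd" capability=8 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1251302462.690:34288): arch=c000003e syscall=157 success=yes comm="smartd"
type=AVC msg=audit(1251302462.690:34289): avc:  denied  { setcap } for  pid=20186 comm="smartd" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=process
type=SYSCALL msg=audit(1251302462.690:34289): arch=c000003e syscall=126 success=yes comm="smartd"
"""

# x86_64 (arch=c000003e) numbers for the three syscalls seen in these records.
X86_64_SYSCALLS = {125: "capget", 126: "capset", 157: "prctl"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")
SYS_RE = re.compile(r"type=SYSCALL msg=audit\((?P<id>[^)]+)\):.*?syscall=(?P<nr>\d+)")

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(log):
    """Yield (source, target, class, permission, syscall) for each denied permission."""
    syscalls = {m["id"]: X86_64_SYSCALLS.get(int(m["nr"]), m["nr"])
                for m in SYS_RE.finditer(log)}
    denials = []
    for m in AVC_RE.finditer(log):
        src, tgt = se_type(m["src"]), se_type(m["tgt"])
        target = "self" if src == tgt else tgt  # same domain is written as "self"
        for perm in m["perms"].split():
            denials.append((src, target, m["cls"], perm, syscalls.get(m["id"])))
    return denials

def allow_rules(denials):
    """Group denied permissions by (source, target, class) into allow rules."""
    grouped = {}
    for src, tgt, cls, perm, _ in denials:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AUDIT))))
```

The alerts were recorded with Enforcing Mode set to Permissive, which is why each SYSCALL record shows success=yes even though the access was logged as denied.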

Comment 13 Miroslav Grepl 2009-09-02 14:13:50 UTC
Added to selinux-policy-3.6.12-82.fc11

Comment 14 Michal Hlavinka 2009-09-03 07:19:00 UTC
Created attachment 359632
Patch to drop capabilities

Just for the record, this patch was used.
