Summary: SELinux is preventing /usr/bin/newrole "setpcap" access.

Detailed Description: SELinux denied access requested by newrole. It is not expected that this access is required by newrole and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:
Source Context: staff_u:staff_r:newrole_t:s0
Target Context: staff_u:staff_r:newrole_t:s0
Target Objects: None [ capability ]
Source: newrole
Source Path: /usr/bin/newrole
Port: <Unknown>
Host: (removed)
Source RPM Packages: policycoreutils-newrole-2.0.83-33.4.fc14
Target RPM Packages:
Policy RPM: selinux-policy-3.9.7-16.fc14
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: (removed)
Platform: Linux (removed) 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count: 1
First Seen: Di 14 Dez 2010 09:49:37 CET
Last Seen: Di 14 Dez 2010 09:49:37 CET
Local ID: 0502d23a-30c8-455a-b218-928bdf22608b
Line Numbers:

Raw Audit Messages:
node=(removed) type=AVC msg=audit(1292316577.915:84): avc: denied { setpcap } for pid=14739 comm="newrole" capability=8 scontext=staff_u:staff_r:newrole_t:s0 tcontext=staff_u:staff_r:newrole_t:s0 tclass=capability
node=(removed) type=SYSCALL msg=audit(1292316577.915:84): arch=c000003e syscall=157 success=no exit=-1 a0=18 a1=0 a2=0 a3=0 items=0 ppid=14662 pid=14739 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="newrole" exe="/usr/bin/newrole" subj=staff_u:staff_r:newrole_t:s0 key=(null)

Hash String generated from: catchall,newrole,newrole_t,newrole_t,capability,setpcap

audit2allow suggests:
#============= newrole_t ==============
allow newrole_t self:capability setpcap;
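The two raw audit records in the report are dense; the following added Python example (not part of the bug report, setroubleshoot or policycoreutils) parses them, names the capability and the system call they refer to, and rebuilds the rule audit2allow proposes. The capability, syscall and prctl number tables are abbreviated from the Linux uapi headers and the x86_64 syscall table; the record layout is taken from the report.

```python
import re

# Raw audit records quoted from the setroubleshoot report above (wrapped for width).
AVC = ('type=AVC msg=audit(1292316577.915:84): avc: denied { setpcap } for pid=14739 '
       'comm="newrole" capability=8 scontext=staff_u:staff_r:newrole_t:s0 '
       'tcontext=staff_u:staff_r:newrole_t:s0 tclass=capability')
SYSCALL = ('type=SYSCALL msg=audit(1292316577.915:84): arch=c000003e syscall=157 '
           'success=no exit=-1 a0=18 a1=0 a2=0 a3=0 items=0 ppid=14662 pid=14739 '
           'auid=500 uid=500 comm="newrole" exe="/usr/bin/newrole"')

# Lookup tables abbreviated from the Linux uapi headers (linux/capability.h,
# linux/prctl.h) and the x86_64 syscall table; only the entries needed here.
CAP_NAMES = {0: 'CAP_CHOWN', 7: 'CAP_SETUID', 8: 'CAP_SETPCAP'}
SYSCALLS = {'c000003e': {125: 'capget', 126: 'capset', 157: 'prctl'}}
PRCTL_OPTIONS = {23: 'PR_CAPBSET_READ', 24: 'PR_CAPBSET_DROP', 28: 'PR_SET_SECUREBITS'}

def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    denied = re.search(r'denied\s*\{\s*([^}]+?)\s*\}', line)
    if denied:
        fields['perms'] = denied.group(1).split()
    return fields

def capability_name(avc):
    """Name of the capability an AVC record refers to (capability=8 -> CAP_SETPCAP)."""
    return CAP_NAMES.get(int(avc['capability']), 'CAP_%s' % avc['capability'])

def allow_rule(avc):
    """Rebuild the TE rule audit2allow would propose for this denial."""
    src = avc['scontext'].split(':')[2]          # type field of the source context
    tgt = avc['tcontext'].split(':')[2]
    target = 'self' if src == tgt else tgt       # same type on both sides -> self
    return 'allow %s %s:%s %s;' % (src, target, avc['tclass'], ' '.join(avc['perms']))

def decode_syscall(sc):
    """Decode the SYSCALL record: which call failed and with which arguments."""
    arch_calls = SYSCALLS.get(sc['arch'], {})
    name = arch_calls.get(int(sc['syscall']), 'syscall_%s' % sc['syscall'])
    a0, a1 = int(sc['a0'], 16), int(sc['a1'], 16)   # audit prints args in hex
    info = {'arch': 'x86_64' if sc['arch'] == 'c000003e' else sc['arch'],
            'syscall': name, 'success': sc['success'] == 'yes', 'exit': int(sc['exit'])}
    if name == 'prctl':
        info['option'] = PRCTL_OPTIONS.get(a0, 'PR_%d' % a0)
        if info['option'] == 'PR_CAPBSET_DROP':      # arg1 is the capability dropped
            info['arg1'] = CAP_NAMES.get(a1, 'CAP_%d' % a1)
    return info
```

Decoding the SYSCALL record shows the denied call is prctl(PR_CAPBSET_DROP, CAP_CHOWN), i.e. newrole dropping its bounding set, which is the same capability-dropping code path the thread later narrows the failure down to.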
After some more investigation I found out that a newrole does not work anymore since an upgrade of policycoreutils. Either one would need to add some SELinux rules or change the behaviour of policycoreutils back. It worked fine with policycoreutils version 2.0.83-33.2 but not with 2.0.83-33.4 anymore. Btw. the command I was issuing was: newrole -r unconfined_r
Miroslav, newrole needs this access in order to drop capabilities.
Stefan, you can allow it for now using
# grep newrole /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Miroslav, this does not work. The only AVC message I get is the one from above. If I create a module and load it, I still cannot change my role:
% newrole -r unconfined_r
Password:
newrole: incorrect password for stefan
Error sending audit message.
The log files of auditd are empty (yes, auditd is running ;-)); also dmesg does not show anything.
What does id -Z show?
id -Z
ls -l /usr/bin/newrole
getfcap /usr/bin/newrole
Interesting, even if SELinux is in permissive mode, I cannot change my role:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
$ id -Z
staff_u:staff_r:staff_t:s0
$ ls -l /usr/bin/newrole
-rwsr-xr-x. 1 root root 27376 7. Dez 15:32 /usr/bin/newrole
$ getcap -v /usr/bin/newrole
/usr/bin/newrole
Today I tried the new versions (2.0.83-33.6 and 2.0.83-33.10) but both aren't working. I still get an error when I try to change my role (even in permissive mode). Therefore, I have to downgrade to version 2.0.83-33.2. Is there something I can do to help debugging?
Miroslav, can you backport the fixes from Rawhide for selinuxutil.te?
Fixed in selinux-policy-3.9.7-23.fc14
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
I guess we are speaking beside each other. Again, I also have this problem in permissive mode. So this can't be a problem just because some policy entries are missing (but to make sure I also tested the new one and it still fails). The problem is with the package _policycoreutils_. Version 2.0.83-33.2 runs fine but version 2.0.83-33.4 does not anymore. Or does the package selinux-policy provide anything else than just the basic policy? Did I miss something?
Nope, us just being dopes. I am looking into it.
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
It's working in F15.
Fixed in policycoreutils-2.0.83-33.13.fc14
policycoreutils-2.0.85-19.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/policycoreutils-2.0.85-19.fc14
While using version 2.0.85-19 a newrole has no effect on my system:
$ newrole -r unconfined_r
Password:
$ id
uid=500(stefan) gid=500(stefan) groups=500(stefan),18(dialout),489(mock) context=staff_u:staff_r:staff_t:s0
The role was not changed. Maybe the following might help debugging:
$ newrole -r unconfined_r
Password:
$ echo $?
255
No error message, just a non-zero return value ... Again, I still have to downgrade to version 2.0.83-33.2 to have a working F14 :/
Strange, I had this happen once, then I built a debug version and installed it, and newrole then worked. Now if I remove it and reinstall the 2.0.85-19 version it works, every time. Could you try to upgrade again and see if it works?
I removed and installed policycoreutils (version 2.0.85-19) several times without luck. As soon as I install version 2.0.83-33.2 it works fine. I also gave it a shot and installed the debuginfo packages, but without any luck. Any other ideas?
Nope, can you download the source and install it directly to see if it works that way? I think it is definitely failing when it drops caps, since everywhere else it should print something.
I did a test with a more or less fresh installation of F14, added a new user (useradd test, passwd test and semanage login -a -s staff_u test). Afterwards I tried to newrole but again I get a return value 255. Also installing directly from source did not help. Btw. all tests so far have been done in permissive mode.
Can you comment out the drop_capabilities call to see if this is what is crashing?
If drop_capabilities is commented out, then newrole works.
Narrowing it down a bit. The problem seems to be with capng_lock; if only this call is commented out it works, too:
// if (capng_lock() < 0)
//     return -1;
But I can't see a problem here. The usage should be fine in this context. Latest libcap-ng is installed: 0.6.5-1.fc14
Steve, any ideas?
policycoreutils-2.0.85-19.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Problem still persists, even with policycoreutils-2.0.85-28.fc14
Since this version of Fedora is no longer supported I am closing this bug. If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.