SELinux is preventing /usr/sbin/afsd from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that afsd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep afsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:afs_t:s0
Target Context                system_u:system_r:afs_t:s0
Target Objects                Unknown [ capability ]
Source                        afsd
Source Path                   /usr/sbin/afsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openafs-client-1.6.0-0.pre4.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 03 Jun 2011 12:30:47 PM EDT
Last Seen                     Fri 03 Jun 2011 12:30:47 PM EDT
Local ID                      f78f287f-d4dc-42d7-adc2-f1d4a3c983f9

Raw Audit Messages
type=AVC msg=audit(1307118647.779:22): avc: denied { dac_override } for pid=1227 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability

type=SYSCALL msg=audit(1307118647.779:22): arch=x86_64 syscall=open success=no exit=EACCES a0=423ba3 a1=442 a2=1b6 a3=7fffdea66180 items=0 ppid=1226 pid=1227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=afsd exe=/usr/sbin/afsd subj=system_u:system_r:afs_t:s0 key=(null)

Hash: afsd,afs_t,afs_t,capability,dac_override

audit2allow

#============= afs_t ==============
allow afs_t self:capability dac_override;

audit2allow -R

#============= afs_t ==============
allow afs_t self:capability dac_override;
Nalin, does this look good to you? Would afsd have to be able to use/modify files/directories that root does not have access to?
I think that afsd will have access to files that root cannot access. We're using FreeIPA to provide the authentication for AFS - the root user doesn't have a Kerberos ticket and can't access files in the /afs tree.
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
I haven't been able to recreate this, so it does not appear to be a problem any longer.
Here's what I'm seeing at reboot, with selinux-policy-targeted-3.9.16-26.fc15.noarch:

type=PATH msg=audit(1307626798.656:28): item=0 name="/etc/mtab" inode=16297 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=SYSCALL msg=audit(1307626798.656:28): arch=c000003e syscall=2 success=no exit=-13 a0=423b94 a1=442 a2=1b6 a3=7fff1b0e3a90 items=1 ppid=1623 pid=1630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/vice/etc/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1307626798.656:28): avc: denied { dac_override } for pid=1630 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability

That agrees with the diagnostics in this thread: https://lists.openafs.org/pipermail/openafs-info/2011-June/036260.html
So afsd is trying to write to /etc/mtab, which is a link to /proc/mounts, and the kernel is raising a dac_override. So since we do not ship afs I can leave this closed.

Daniel, to get this to stop complaining you can do

# grep dac_override /var/log/audit/audit.log | audit2allow -DM myafsd
# semodule -i myafsd.pp
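As an added example (not code from this bug, from OpenAFS or from the SELinux tools), the following Python script does what the plugin advice and the reboot capture above do by hand: it correlates the AVC, SYSCALL and PATH records that share one audit event id, decodes the open(2) flags word in a1 (0x442 here), and checks the file's own mode bits against the access the open asked for. That check is the deciding fact for a dac_override denial, because the kernel only consults CAP_DAC_OVERRIDE after the ordinary mode-bit check has failed; if the mode bits explain the denial, the fix is the file's permissions or the program's write, not an allow rule. The log lines embedded in it are the records pasted in this bug (event :22 from the first alert, which had items=0, and event :28 from the reboot). The x86_64 syscall numbers and flag bits, and deciding the group class from fsgid alone, are assumptions of the example.

```python
"""Explain a dac_override AVC denial from raw audit records.

Added example, not code from this bug, OpenAFS or the SELinux tools.
Assumptions: x86_64 syscall numbers and open(2) flag bits; the group
class is taken from fsgid alone (supplementary groups are not recorded).
"""
import re
from collections import defaultdict

O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR, O_TRUNC = 0x3, 0x0, 0x1, 0x2, 0x200
OPEN_FLAG_NAMES = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x100: "O_NOCTTY",
                   0x200: "O_TRUNC", 0x400: "O_APPEND"}
OPEN_SYSCALLS = {2: ("open", "a1"), 257: ("openat", "a2")}  # number -> (name, flags register)

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"denied\s*\{([^}]*)\}")

# The records pasted in this bug: event :22 is the first setroubleshoot
# alert (items=0, so no PATH record); event :28 is the reboot capture.
SAMPLE_LOG = """\
type=AVC msg=audit(1307118647.779:22): avc: denied { dac_override } for pid=1227 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
type=SYSCALL msg=audit(1307118647.779:22): arch=x86_64 syscall=open success=no exit=EACCES a0=423ba3 a1=442 a2=1b6 a3=7fffdea66180 items=0 ppid=1226 pid=1227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=afsd exe=/usr/sbin/afsd subj=system_u:system_r:afs_t:s0 key=(null)
type=PATH msg=audit(1307626798.656:28): item=0 name="/etc/mtab" inode=16297 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=SYSCALL msg=audit(1307626798.656:28): arch=c000003e syscall=2 success=no exit=-13 a0=423b94 a1=442 a2=1b6 a3=7fff1b0e3a90 items=1 ppid=1623 pid=1630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/vice/etc/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1307626798.656:28): avc: denied { dac_override } for pid=1630 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
"""


def parse_audit_log(text):
    """Group records as event id -> record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC":  # the "{ perms }" list is not key=value
            d = DENIED.search(body)
            fields["permissions"] = d.group(1).split() if d else []
        events[event_id][rtype].append(fields)
    return events


def decode_open_flags(flags):
    """Name the access mode and the option bits of an open(2) flags word."""
    acc = ["O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE?"][flags & O_ACCMODE]
    return [acc] + [n for b, n in sorted(OPEN_FLAG_NAMES.items()) if flags & b]


def requested_access(flags):
    """r/w the open needs; O_TRUNC needs write permission even with O_RDONLY."""
    acc = flags & O_ACCMODE
    want = {"r"} if acc in (O_RDONLY, O_RDWR) else set()
    if acc in (O_WRONLY, O_RDWR) or flags & O_TRUNC:
        want.add("w")
    return want


def dac_grants(mode, ouid, ogid, fsuid, fsgid, want):
    """Mode-bit check for the caller's class (owner/group/other). The kernel
    tries CAP_DAC_OVERRIDE only after this fails, so False is what raised the AVC."""
    shift = 6 if fsuid == ouid else 3 if fsgid == ogid else 0
    bits = (mode >> shift) & 7
    have = {n for n, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}
    return want <= have


def explain_dac_override(text):
    """One finding per event whose AVC record denied dac_override."""
    findings = []
    for event_id, recs in parse_audit_log(text).items():
        avcs = [a for a in recs["AVC"] if "dac_override" in a["permissions"]]
        if not avcs:
            continue
        sc = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        raw = sc.get("syscall", "")  # ausearch prints 2, setroubleshoot "open"
        name, reg = (OPEN_SYSCALLS.get(int(raw), (raw, None)) if raw.isdigit()
                     else (raw, {"open": "a1", "openat": "a2"}.get(raw)))
        f = {"event": event_id, "comm": avcs[0].get("comm"), "syscall": name,
             "exit": sc.get("exit"), "flags": [], "path": None, "dac_denies": None}
        want = set()
        if reg in sc:
            flags = int(sc[reg], 16)  # a0..a3 are printed in hex
            f["flags"], want = decode_open_flags(flags), requested_access(flags)
        if not recs["PATH"]:
            f["verdict"] = ("no PATH record (items=0): add a watch such as auditctl "
                            "-w /etc/shadow -p w, reproduce, then ausearch -m avc -ts recent")
        elif not want:
            f["verdict"] = "not an open(2); check the access %s needs by hand" % name
        else:  # the highest item index is the file itself, lower ones its parents
            p = max(recs["PATH"], key=lambda r: int(r.get("item", 0)))
            mode, f["path"] = int(p["mode"], 8), p.get("name")
            f["dac_denies"] = not dac_grants(mode, int(p["ouid"]), int(p["ogid"]),
                                             int(sc.get("fsuid", -1)), int(sc.get("fsgid", -1)), want)
            f["verdict"] = ("mode %04o on %s denies %s to uid %s: fix the permissions or the "
                            "write instead of allowing dac_override" % (mode & 0o7777, f["path"],
                            "".join(sorted(want)), sc.get("fsuid")) if f["dac_denies"]
                            else "mode bits permit the access; this PATH record does not explain the AVC")
        findings.append(f)
    return findings
```

Feed it the text of an `ausearch -m avc -ts recent` dump via explain_dac_override() and print the verdict of each finding. For event :28 it reports that mode 0444 on /etc/mtab denies rw to uid 0, which is exactly why root's open(O_RDWR|O_CREAT|O_APPEND) made the kernel ask for CAP_DAC_OVERRIDE; for event :22 it can only say that there is no PATH record and a watch is needed, which is the same advice the dac_override plugin gives.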