SELinux is preventing /usr/sbin/vnstatd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that vnstatd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vnstatd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vnstatd_t:s0
Target Context                system_u:system_r:vnstatd_t:s0
Target Objects                Unknown [ capability ]
Source                        vnstatd
Source Path                   /usr/sbin/vnstatd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vnstat-1.11-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 09 Jun 2011 09:37:55 BST
Last Seen                     Thu 09 Jun 2011 09:37:55 BST
Local ID                      4423e5da-a746-469d-9bad-37760b5cdabb

Raw Audit Messages
type=AVC msg=audit(1307608675.747:264): avc:  denied  { dac_override } for  pid=21656 comm="vnstatd" capability=1  scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability

type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

Hash: vnstatd,vnstatd_t,vnstatd_t,capability,dac_override

audit2allow

#============= vnstatd_t ==============
allow vnstatd_t self:capability dac_override;

audit2allow -R

#============= vnstatd_t ==============
allow vnstatd_t self:capability dac_override;
Could you turn on full auditing

# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute

# ausearch -m avc -ts recent
Created attachment 503870 [details] Output of ausearch I thought you might want that ... Note that I get exactly the same problem on two different machines with two different sets of network devices.
What are the permissions and ownership on /var/lib/vnstat/vboxnet0? The problem is root is not allowed to access the file via permissions/ownership.
It doesn't exist:

$ ls -la /var/lib/vnstat
total 0
drwxr-xr-x. 1 vnstat vnstat   0 Jun  2 13:25 .
drwxr-xr-x. 1 root   root   760 Jun  9 09:37 ..

$ ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0 ..

/usr/sbin/vnstatd appears to be correct:

$ ls -lZ /usr/sbin/vnstatd
-rwxr-xr-x. root root system_u:object_r:vnstatd_exec_t:s0 /usr/sbin/vnstatd

Starting vnstatd simply by executing "/usr/sbin/vnstatd -d" works and having done that, "systemctl start vnstat.service" works because the problematic files have been created in /var/lib/vnstat:

$ ls -la /var/lib/vnstat
total 20
drwxr-xr-x. 1 vnstat vnstat   88 Jun 10 08:29 .
drwxr-xr-x. 1 root   root    760 Jun  9 09:37 ..
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .em1
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vboxnet0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vpn0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .wlan0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 em1
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vboxnet0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vpn0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 wlan0

$ ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0 ..
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .em1
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vboxnet0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vpn0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .wlan0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 em1
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vboxnet0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vpn0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 wlan0

(Today I have a vpn0 in addition to the others I had yesterday.)

Can you suggest a get-me-started guide for SELinux?
I know that the problem is that the files can't be created, but I don't know what to do to fix it.
I would figure the file is being opened by the root process

type=AVC msg=audit(1307608675.747:264): avc:  denied  { dac_override } for  pid=21656 comm="vnstatd" capability=1  scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability

type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

uid=0

Since the directory is owned by vnstat and group is vnstat, root is not allowed to write. If you change the permissions on the directory to

chgrp root /var/lib/vnstat
chmod g+w /var/lib/vnstat

The SELinux issue will go away. Or if you changed the process to run as vnstat it would go away. Seems like you either misconfigured this app or vnstatd has a bug.
Thanks. I think vnstatd has a bug: I didn't do any configuration so I guess vnstatd has a bug.
When running vnstat from cron it runs as user vnstat, when running via /etc/init.d/vnstat it runs as root. This seems to be indeed a bug.
vnstat-1.11-2.fc16 should fix this. The daemon is now started as the vnstat user.
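The two fixes discussed above (regroup the directory and add g+w, or start the daemon as the vnstat user) both work for the same reason: dac_override is only requested when root's open() fails the ordinary owner/group/other permission check. The following script is an added example, not code from the bug report, vnstat or Fedora. It parses the AVC/SYSCALL pair quoted in the report, decodes the x86_64 open() flags and mode from a1/a2, and replays the DAC check for the three situations in the thread. The numeric uid/gid for the vnstat user (993) is a constructed value; the thread never states it, and the process's supplementary groups are not in the record, so only the primary fsgid is considered.

```python
"""Added example: decode an AVC/SYSCALL pair and replay the plain-DAC check
the kernel performs before it asks for CAP_DAC_OVERRIDE."""
import re

# Audit records as quoted in the report (constructed test input; whitespace collapsed).
AUDIT_LINES = [
    'type=AVC msg=audit(1307608675.747:264): avc: denied { dac_override } for '
    'pid=21656 comm="vnstatd" capability=1 scontext=system_u:system_r:vnstatd_t:s0 '
    'tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no '
    'exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd '
    'subj=system_u:system_r:vnstatd_t:s0 key=(null)',
]

# open(2) flag bits for arch=x86_64. The record stores the raw argument of the
# recorded architecture, so the host's os.O_* constants must not be used here.
X86_64_OPEN_FLAGS = {
    0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x80: "O_EXCL",
    0x200: "O_TRUNC", 0x400: "O_APPEND", 0x800: "O_NONBLOCK", 0x80000: "O_CLOEXEC",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one 'key=value ...' audit line into a dict. The AVC permission
    set inside { } is stored under 'perms'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r'\{ ([^}]*) \}', line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def decode_open(syscall_rec):
    """Decode a1 (flags, hex) and a2 (mode, hex) of an x86_64 open() record."""
    flags = int(syscall_rec['a1'], 16)
    names = [n for bit, n in X86_64_OPEN_FLAGS.items() if flags & bit]
    if flags & 0x3 == 0:            # O_RDONLY is the absence of both write bits
        names.insert(0, "O_RDONLY")
    return {
        "flags": names,
        "mode": int(syscall_rec['a2'], 16),
        "creates": bool(flags & 0x40),
        "writes": bool(flags & 0x3),
    }

def dac_allows(fsuid, fsgid, owner_uid, owner_gid, mode, want):
    """Classic Unix DAC rule: exactly one class of bits applies (owner if the
    uid matches, else group, else other). `want` is a 3-bit rwx mask. True
    means the permission bits alone grant the access, so no capability is needed."""
    if fsuid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif fsgid == owner_gid:        # supplementary groups are not in the record
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want

def needs_dac_override(syscall_rec, obj_owner, obj_group, obj_mode):
    """Would this open() need CAP_DAC_OVERRIDE? For a creating open the object
    to check is the parent directory (write + search, 0o3); otherwise it is the
    file itself (write 0o2 or read 0o4)."""
    info = decode_open(syscall_rec)
    fsuid, fsgid = int(syscall_rec['fsuid']), int(syscall_rec['fsgid'])
    want = 0o3 if info["creates"] else (0o2 if info["writes"] else 0o4)
    return not dac_allows(fsuid, fsgid, obj_owner, obj_group, obj_mode, want)

VNSTAT_UID = VNSTAT_GID = 993      # constructed: the thread does not give the numeric ids
ROOT = 0

def replay_thread():
    """Replay the three situations from the thread against /var/lib/vnstat."""
    avc, sc = (parse_record(l) for l in AUDIT_LINES)
    assert avc['perms'] == ['dac_override'] and sc['syscall'] == 'open'
    as_vnstat = dict(sc, fsuid=str(VNSTAT_UID), fsgid=str(VNSTAT_GID))
    return {
        # as reported: root daemon creating files in a vnstat:vnstat 0755 directory
        "as_reported": needs_dac_override(sc, VNSTAT_UID, VNSTAT_GID, 0o755),
        # suggested workaround: chgrp root + chmod g+w on the directory
        "chgrp_root_g+w": needs_dac_override(sc, VNSTAT_UID, ROOT, 0o775),
        # vnstat-1.11-2 fix: the daemon is started as the vnstat user
        "run_as_vnstat": needs_dac_override(as_vnstat, VNSTAT_UID, VNSTAT_GID, 0o755),
    }

if __name__ == "__main__":
    print(decode_open(parse_record(AUDIT_LINES[1])))
    for name, needed in replay_thread().items():
        print(f"{name:16s} needs dac_override: {needed}")
```

The decoded a1=241 is O_WRONLY|O_CREAT|O_TRUNC, which is why the check lands on the parent directory rather than on an existing file, and a2=1b6 (0666) matches the rw-r--r-- files that appeared once the daemon was run by hand. Only the first scenario needs the capability; the two fixes pass the DAC check outright, which is the outcome audit2allow's "allow vnstatd_t self:capability dac_override;" would have papered over instead of resolving.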
well, you should fix the pid-file too: /var/ is not writeable for the user "vnstat" afaik. best practice here would be /var/run/vnstat/vnstat.pid but remember: these subfolders have to be created via tmpfiles.d under a systemd environment - btw: why is this not converted to a systemd-unit?
Created attachment 527039 [details] source-rpm with fixed pid-file and converted to systemd-unit. please take this one for >= F16 because it works and it is time to get the crappy sysv/lsb/systemd-mix away from the standard-packages!