Bug 711995 - SELinux is preventing /usr/sbin/vnstatd from using the 'dac_override' capabilities.
Summary: SELinux is preventing /usr/sbin/vnstatd from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vnstat
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:143244ca6c1...
Depends On:
Blocks:
 
Reported: 2011-06-09 08:48 UTC by john.haxby@oracle.com
Modified: 2011-10-08 18:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-30 09:01:42 UTC
Type: ---
Embargoed:


Attachments
Output of ausearch (4.11 KB, text/plain)
2011-06-09 11:13 UTC, john.haxby@oracle.com
source-rpm with fixed pid-file and converted to systemd-unit (87.52 KB, application/x-rpm)
2011-10-08 18:42 UTC, Harald Reindl

Description john.haxby@oracle.com 2011-06-09 08:48:25 UTC
SELinux is preventing /usr/sbin/vnstatd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that vnstatd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vnstatd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vnstatd_t:s0
Target Context                system_u:system_r:vnstatd_t:s0
Target Objects                Unknown [ capability ]
Source                        vnstatd
Source Path                   /usr/sbin/vnstatd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vnstat-1.11-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.x86_64
                              #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 09 Jun 2011 09:37:55 BST
Last Seen                     Thu 09 Jun 2011 09:37:55 BST
Local ID                      4423e5da-a746-469d-9bad-37760b5cdabb

Raw Audit Messages
type=AVC msg=audit(1307608675.747:264): avc:  denied  { dac_override } for  pid=21656 comm="vnstatd" capability=1  scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability


type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

Hash: vnstatd,vnstatd_t,vnstatd_t,capability,dac_override

audit2allow

#============= vnstatd_t ==============
allow vnstatd_t self:capability dac_override;

audit2allow -R

#============= vnstatd_t ==============
allow vnstatd_t self:capability dac_override;

Comment 1 Miroslav Grepl 2011-06-09 11:00:46 UTC
Could you turn on full auditing

# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute

# ausearch -m avc -ts recent

Comment 2 john.haxby@oracle.com 2011-06-09 11:13:55 UTC
Created attachment 503870 [details]
Output of ausearch

I thought you might want that ...

Note that I get exactly the same problem on two different machines with two different sets of network devices.

Comment 3 Daniel Walsh 2011-06-09 18:18:12 UTC
What are the permissions and ownership on /var/lib/vnstat/vboxnet0?

The problem is root is not allowed to access the file via permissions/ownership.

Comment 4 john.haxby@oracle.com 2011-06-10 07:32:39 UTC
It doesn't exist:

$ ls -la /var/lib/vnstat
total 0
drwxr-xr-x. 1 vnstat vnstat   0 Jun  2 13:25 .
drwxr-xr-x. 1 root   root   760 Jun  9 09:37 ..

$ ls -lZa /var/lib/vnstat
ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..

/usr/sbin/vnstatd appears to be correct:

$ ls -lZ /usr/sbin/vnstatd
-rwxr-xr-x. root root system_u:object_r:vnstatd_exec_t:s0 /usr/sbin/vnstatd

Starting vnstatd simply by executing "/usr/sbin/vnstatd -d" works and having done that, "systemctl start vnstat.service" works because the problematic files have been created in /var/lib/vnstat:

$ ls -la /var/lib/vnstat
total 20
drwxr-xr-x. 1 vnstat vnstat   88 Jun 10 08:29 .
drwxr-xr-x. 1 root   root    760 Jun  9 09:37 ..
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .em1
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vboxnet0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .vpn0
-rw-r-----. 1 root   root   2792 Jun 10 08:29 .wlan0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 em1
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vboxnet0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 vpn0
-rw-r--r--. 1 root   root   2792 Jun 10 08:29 wlan0

$ ls -lZa /var/lib/vnstat
drwxr-xr-x. vnstat vnstat system_u:object_r:vnstatd_var_lib_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .em1
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vboxnet0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .vpn0
-rw-r-----. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 .wlan0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 em1
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vboxnet0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 vpn0
-rw-r--r--. root   root   unconfined_u:object_r:vnstatd_var_lib_t:s0 wlan0

(Today I have a vpn0 in addition to the others I had yesterday.)

Can you a get-me-started guide for selinux?   I know that the problem is that the files can't be created, but I don't know what to do to fix it.

Comment 5 Daniel Walsh 2011-06-10 16:05:01 UTC
I would figure the file is being opened by the root process

type=AVC msg=audit(1307608675.747:264): avc:  denied  { dac_override } for 
pid=21656 comm="vnstatd" capability=1  scontext=system_u:system_r:vnstatd_t:s0
tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability


type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no
exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd
subj=system_u:system_r:vnstatd_t:s0 key=(null)

uid=0

Since the directory is owned by vnstat and group is vnstat, root is not allowed to write.

If you change the permissions on the directory to 

chgrp root /var/lib/vnstat
chmod g+w /var/lib/vnstat

The SELinux issue will go away.

Or if you changed the process to run as vnstat it would go away.

Seems like you either misconfigured this app or vnstatd has a bug.

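The reasoning in comment 5 (root process, uid=0, writing into a directory owned by vnstat:vnstat with mode 0755, so plain DAC fails and the kernel asks for CAP_DAC_OVERRIDE, which the vnstatd_t policy does not grant) can be replayed mechanically from the two audit records. The script below is an added example, not part of this bug report or of vnstat: it correlates the AVC and SYSCALL records by audit event id, decodes the open(2) arguments (a1=241, a2=1b6), re-runs the discretionary write check against the directory state shown in comment 4, and then runs the two remedies from comment 5 through the same check. The names `parse_audit`, `decode_open`, `dac_allows`, `explain`, `remedies`, `Cred`, `Inode` and `VNSTAT_DIR` are this example's own.

```python
"""Replay of the dac_override denial from the report (added example).

The two audit lines are copied from the report; the directory state is the
one listed in comment 4 (drwxr-xr-x vnstat vnstat).  All helper names here
are this example's own, not vnstat's or setroubleshoot's.
"""
import re
from collections import namedtuple

# The two raw audit records quoted in the report.
AUDIT_LOG = [
    'type=AVC msg=audit(1307608675.747:264): avc:  denied  { dac_override } for  '
    'pid=21656 comm="vnstatd" capability=1  scontext=system_u:system_r:vnstatd_t:s0 '
    'tcontext=system_u:system_r:vnstatd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1307608675.747:264): arch=x86_64 syscall=open success=no '
    'exit=EACCES a0=7fffc2c115e0 a1=241 a2=1b6 a3=9 items=0 ppid=21655 pid=21656 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd '
    'subj=system_u:system_r:vnstatd_t:s0 key=(null)',
]

EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{([^}]*)\}")

def parse_audit(lines):
    """Group records by (timestamp, serial) into {record type: {field: value}}.
    The AVC permission set ('{ dac_override }') is kept under the '_perms' key."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        perms = PERMS_RE.search(m["body"])
        fields["_perms"] = perms.group(1).split() if perms else []
        events.setdefault((m["ts"], m["serial"]), {})[m["type"]] = fields
    return events

# open(2) flag values for arch=x86_64 Linux; auditd prints a1/a2 in hex.
OPEN_FLAGS = [(0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"),
              (0o200, "O_EXCL"), (0o1000, "O_TRUNC"), (0o2000, "O_APPEND")]

def decode_open(a1_hex, a2_hex):
    """Return the flag names in a1 and the create mode in a2 as an octal string."""
    flags, mode = int(a1_hex, 16), int(a2_hex, 16)
    names = [name for bit, name in OPEN_FLAGS if flags & bit]
    if flags & 0o3 == 0:
        names.insert(0, "O_RDONLY")
    return names, oct(mode)

Cred = namedtuple("Cred", "user group")              # process identity, by name
Inode = namedtuple("Inode", "path owner group mode")

# /var/lib/vnstat as shown in comment 4: owned by vnstat:vnstat, mode 0755.
VNSTAT_DIR = Inode("/var/lib/vnstat", "vnstat", "vnstat", 0o755)

def dac_allows(cred, inode, want):
    """Discretionary check with no capabilities in play.  `want` is an rwx mask
    (4=r, 2=w, 1=x); the owner/group/other class is chosen by identity match,
    as the kernel does before it ever consults CAP_DAC_OVERRIDE."""
    shift = 6 if cred.user == inode.owner else 3 if cred.group == inode.group else 0
    return (inode.mode >> shift) & want == want

def explain(events, parent_dir, uid_names=None):
    """For every dac_override denial, replay the DAC check the syscall failed."""
    uid_names = uid_names or {"0": "root"}
    findings = []
    for (_, serial), recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or "dac_override" not in avc["_perms"]:
            continue
        flags, mode = decode_open(sc["a1"], sc["a2"])
        cred = Cred(uid_names.get(sc["uid"], sc["uid"]), uid_names.get(sc["gid"], sc["gid"]))
        # Creating a file (O_CREAT) is checked against the parent directory: write
        # to add the entry plus search to traverse it, i.e. mask 0o3.
        allowed = dac_allows(cred, parent_dir, 0o3) if "O_CREAT" in flags else None
        if allowed is False:
            verdict = ("DAC refused %s write access to %s (%s:%s, mode %s); the kernel fell "
                       "back to CAP_DAC_OVERRIDE, which SELinux denies to %s"
                       % (cred.user, parent_dir.path, parent_dir.owner, parent_dir.group,
                          oct(parent_dir.mode), avc["scontext"]))
        elif allowed:
            verdict = "DAC would have allowed this open; dac_override was not the blocker"
        else:
            verdict = "no O_CREAT: the check applies to the file itself, which items=0 does not name"
        findings.append({"serial": serial, "comm": sc["comm"], "user": cred.user,
                         "syscall": sc["syscall"], "flags": flags, "mode": mode,
                         "scontext": avc["scontext"], "dac_allowed": allowed, "verdict": verdict})
    return findings

def remedies(parent_dir):
    """The reported state and the two fixes proposed in comment 5, run through the
    same DAC check; True means the open would succeed with no capability at all."""
    root, vnstat = Cred("root", "root"), Cred("vnstat", "vnstat")
    regrouped = parent_dir._replace(group="root", mode=parent_dir.mode | 0o020)
    return {
        "as reported (root writes into vnstat:vnstat 0755)": dac_allows(root, parent_dir, 0o3),
        "chgrp root + chmod g+w on the directory": dac_allows(root, regrouped, 0o3),
        "run the daemon as user vnstat": dac_allows(vnstat, parent_dir, 0o3),
    }

if __name__ == "__main__":
    for f in explain(parse_audit(AUDIT_LOG), VNSTAT_DIR):
        print("event %s: %s uid=%s open(%s, %s)\n  %s" % (
            f["serial"], f["comm"], f["user"], "|".join(f["flags"]), f["mode"], f["verdict"]))
    for fix, ok in remedies(VNSTAT_DIR).items():
        print("%-52s %s" % (fix, "OK without dac_override" if ok else "still needs dac_override"))
```

The point worth taking from the replay is that audit2allow's suggested `allow vnstatd_t self:capability dac_override;` would have papered over a process running as the wrong user; the denial is the policy doing its job, and the fix in vnstat-1.11-2 (start the daemon as vnstat) is the remedy that needs no extra privilege.
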
Comment 6 john.haxby@oracle.com 2011-06-10 16:10:37 UTC
Thanks.  I think vnstatd has a bug: I didn't do any configuration so I guess vnstatd has a bug.

Comment 7 Adrian Reber 2011-06-16 12:16:51 UTC
When running vnstat from cron it runs as user vnstat, when running via /etc/init.d/vnstat it runs as root. This seems to be indeed a bug.

Comment 8 Adrian Reber 2011-06-30 09:01:42 UTC
vnstat-1.11-2.fc16 should fix this. The daemon is now started as the vnstat user.

Comment 9 Harald Reindl 2011-10-08 15:49:09 UTC
well, you should fix the pid-file too
/var/ is not writeable for the user "vnstat"
afaik best practice here would be /var/run/vnstat/vnstat.pid

but remember: these subfolders have to be created via tmpfiles.d under a systemd environment - btw: why is this not converted to a systemd-unit?

Comment 10 Harald Reindl 2011-10-08 18:42:11 UTC
Created attachment 527039 [details]
source-rpm with fixed pid-file and converted to systemd-unit

please take this one for >= F16 because it works and it is time to get the crappy sysv/lsb/systemd-mix away from the standard-packages!
