SELinux is preventing /bin/bash from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that bash should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smartdnotify /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:fsdaemon_t:s0
Target Objects                Unknown [ capability ]
Source                        smartdnotify
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.10-2.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 15 Jun 2011 12:42:09 PM IRDT
Last Seen                     Wed 15 Jun 2011 12:42:09 PM IRDT
Local ID                      2f4f52ec-9dda-4de8-bb0e-16fcb591cdcf

Raw Audit Messages
type=AVC msg=audit(1308125529.505:112): avc: denied { dac_override } for pid=3794 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability

type=SYSCALL msg=audit(1308125529.505:112): arch=x86_64 syscall=open success=no exit=EACCES a0=1d68580 a1=201 a2=1b6 a3=1 items=0 ppid=3793 pid=3794 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smartdnotify exe=/bin/bash subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Hash: smartdnotify,fsdaemon_t,fsdaemon_t,capability,dac_override

audit2allow

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability dac_override;

audit2allow -R

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability dac_override;
Could you try to do these steps

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
The second command gives this result: <no matches>
Did you recreate the error?
I can't, cause I don't remember what I was doing when this error occurred.
Ok we have a similar bug. This is fsdaemon using the who command to figure out who is logged in and sending a message to all terminals that your disk is in trouble. I have a fix for this checked into Rawhide.
Daniel--I'm getting the same AVC with fsdaemon and the ausearch query for me also shows nothing. What do you mean by "your disk is in trouble"?
Donald
Donald, what does
# rpm -q selinux-policy
also try to execute
# semodule -DB
re-test it and
# ausearch -m avc -ts recent |grep fsdaemon
[donald@Zonotrichia ~]$ rpm -q selinux-policy
selinux-policy-3.9.16-35.fc15.noarch
[donald@Zonotrichia ~]$ sudo semodule -DB
[sudo] password for donald:
[donald@Zonotrichia ~]$ sudo ausearch -m avc -ts recent |grep fsdaemon
[donald@Zonotrichia ~]$

I have not seen the AVC recently and do not know how to generate it. If I see it again I'll run the ausearch command.
Donald
Michal could tell you more.
> What do you mean by "your disk is in trouble"?

smartd sends email when it finds something "interesting" (i.e. disk failure) to tell you. But it depends on configuration and it can be just something "safe" like "you've put your laptop on a pillow and disk cooling is insufficient" :) Hard to guess what it tried to tell you...

> I have not seen the AVC recently and do not know how to generate it.

in /etc/smartd.conf you have something like:
DEVICESCAN -H -m root -M exec .....
so just add " -M test" at the end of that line and restart smartd:
service smartd restart
and it will send you some test message, which should trigger selinux denial
I had to re-enable dontaudit rules with semodule -B to get the AVC. Here is the result of the ausearch query:

[donald@Zonotrichia ~]$ sudo ausearch -m avc -ts recent |grep fsdaemon
type=SYSCALL msg=audit(1314225138.906:17360): arch=c000003e syscall=62 success=no exit=-13 a0=6c5 a1=0 a2=10ee030 a3=8 items=0 ppid=30203 pid=30204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.906:17360): avc: denied { signull } for pid=30204 comm="who" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1314225138.907:17361): arch=c000003e syscall=62 success=no exit=-1 a0=78b a1=0 a2=10ee030 a3=8 items=0 ppid=30203 pid=30204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.907:17361): avc: denied { kill } for pid=30204 comm="who" capability=5 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225138.907:17362): arch=c000003e syscall=62 success=no exit=-1 a0=3896 a1=0 a2=10ee030 a3=8 items=0 ppid=30203 pid=30204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.907:17362): avc: denied { kill } for pid=30204 comm="who" capability=5 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225138.929:17363): arch=c000003e syscall=2 success=no exit=-13 a0=1c8f350 a1=241 a2=1b6 a3=1 items=0 ppid=30198 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.929:17363): avc: denied { dac_override } for pid=30199 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225138.929:17364): arch=c000003e syscall=2 success=no exit=-13 a0=1c8f350 a1=201 a2=1b6 a3=1 items=0 ppid=30198 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.929:17364): avc: denied { dac_override } for pid=30199 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225138.929:17365): arch=c000003e syscall=2 success=no exit=-13 a0=1c8f100 a1=241 a2=1b6 a3=1 items=0 ppid=30198 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.929:17365): avc: denied { dac_override } for pid=30199 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225138.929:17366): arch=c000003e syscall=2 success=no exit=-13 a0=1c8f100 a1=201 a2=1b6 a3=1 items=0 ppid=30198 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225138.929:17366): avc: denied { dac_override } for pid=30199 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.818:17367): arch=c000003e syscall=62 success=no exit=-13 a0=6c5 a1=0 a2=16ff030 a3=8 items=0 ppid=30217 pid=30218 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.818:17367): avc: denied { signull } for pid=30218 comm="who" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1314225140.820:17368): arch=c000003e syscall=62 success=no exit=-1 a0=78b a1=0 a2=16ff030 a3=8 items=0 ppid=30217 pid=30218 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.820:17368): avc: denied { kill } for pid=30218 comm="who" capability=5 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.821:17369): arch=c000003e syscall=62 success=no exit=-1 a0=3896 a1=0 a2=16ff030 a3=8 items=0 ppid=30217 pid=30218 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="who" exe="/usr/bin/who" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.821:17369): avc: denied { kill } for pid=30218 comm="who" capability=5 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.834:17370): arch=c000003e syscall=2 success=no exit=-13 a0=15d53c0 a1=241 a2=1b6 a3=1 items=0 ppid=30212 pid=30213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.834:17370): avc: denied { dac_override } for pid=30213 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.834:17371): arch=c000003e syscall=2 success=no exit=-13 a0=15d53c0 a1=201 a2=1b6 a3=1 items=0 ppid=30212 pid=30213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.834:17371): avc: denied { dac_override } for pid=30213 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.834:17372): arch=c000003e syscall=2 success=no exit=-13 a0=15d5360 a1=241 a2=1b6 a3=1 items=0 ppid=30212 pid=30213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.834:17372): avc: denied { dac_override } for pid=30213 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1314225140.834:17373): arch=c000003e syscall=2 success=no exit=-13 a0=15d5360 a1=201 a2=1b6 a3=1 items=0 ppid=30212 pid=30213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1314225140.834:17373): avc: denied { dac_override } for pid=30213 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
[donald@Zonotrichia ~]$
Fedora 16 has these AVCs allowed.
Donald, what does
# rpm -q selinux-policy
[donald@Zonotrichia ~]$ rpm -q selinux-policy
selinux-policy-3.9.16-38.fc15.noarch
[donald@Zonotrichia ~]$
I installed selinux-policy-3.9.16-39 from testing, but the avc happened again at 8:48 pm. Here's what /var/log/messages says at 8:48 pm:

Sep 10 20:48:18 Zonotrichia smartd[785]: Device: /dev/sdb [USB Cypress], open() failed: No such device
Sep 10 21:18:17 Zonotrichia smartd[785]: Device: /dev/sdb [USB Cypress], open() failed: No such device

I was not using the computer at the time. I tried the ausearch command discussed above, but obtained no matches. I entered "semodule -DB" and then tried to recreate the avc (by restarting smartd after having edited smartd.conf as discussed above), but the denial did not occur again.
Donald
So is this an issue caused by SELinux? Does it work in permissive mode?
(In reply to comment #16)
> So is this a issues caused by SELinux? Does it work in permissive mode?

I have not seen this AVC since 10 September and I am unable to trigger it.
Donald
Ok, let's pretend it did not happen :^(. Probably caused by a file with the wrong permissions. Reopen bug if it happens again.
See comment #10 for instructions how to reproduce this. It's still not fixed (I've just tested it.)
Michal, so you are still getting the same AVC msg?
SELinux is preventing /bin/bash from using the dac_override capability.
...
...
Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:fsdaemon_t:s0
Target Objects                Unknown [ capability ]
Source                        smartdnotify
Source Path                   /bin/bash
...

# ausearch -m avc -ts today
----
time->Fri Sep 23 09:39:20 2011
type=SYSCALL msg=audit(1316763560.393:2664): arch=c000003e syscall=2 success=yes exit=3 a0=15ac350 a1=241 a2=1b6 a3=0 items=0 ppid=25081 pid=25082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartdnotify" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1316763560.393:2664): avc: denied { open } for pid=25082 comm="smartdnotify" name="0" dev=devpts ino=3 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1316763560.393:2664): avc: denied { dac_override } for pid=25082 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability

this is a Fedora 16 box, but I guess there is no change compared to F15
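The AVC records quoted in this thread (the dac_override and kill/signull denials in the earlier ausearch output, and the open denial on the devpts node in the comment above) can be reduced to the allow rules audit2allow proposes with a small parser, which makes it easier to see whether a denial points at a wrong file owner/mode or at a real policy gap. The script below is an added example, not part of the bug report or of audit2allow itself; the embedded records are constructed copies in the shape of the thread's output, and the rule merging is a simplified version of what audit2allow does (no interface-based -R rewriting).

```python
"""Reduce raw SELinux AVC denial records (ausearch output) to the allow rules
audit2allow would propose, so a denial can be reviewed before choosing between
fixing file ownership/permissions and loading a local policy module."""
import re
from collections import defaultdict
# Constructed sample records in the shape of this bug thread's ausearch output.
SAMPLE_AVC = """\
type=AVC msg=audit(1308125529.505:112): avc:  denied  { dac_override } for  pid=3794 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1314225138.906:17360): avc:  denied  { signull } for  pid=30204 comm="who" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1314225138.907:17361): avc:  denied  { kill } for  pid=30204 comm="who" capability=5 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1316763560.393:2664): avc:  denied  { open } for  pid=25082 comm="smartdnotify" name="0" dev=devpts ino=3 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1316763560.393:2664): avc:  denied  { dac_override } for  pid=25082 comm="smartdnotify" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """One dict per AVC record: perms (a set) plus comm, scontext, tcontext, tclass."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are not denials
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        rec["perms"] = set(m.group("perms").split())
        records.append(rec)
    return records

def selinux_type(context):
    """user:role:type[:range] -> type, the part policy rules are written against."""
    return context.split(":")[2]

def allow_rules(records):
    """Merge denials into one audit2allow-style rule per (source, target, class);
    the target is written as 'self' when a domain acts on its own context."""
    merged = defaultdict(set)
    for r in records:
        src, tgt = selinux_type(r["scontext"]), selinux_type(r["tcontext"])
        merged[(src, "self" if src == tgt else tgt, r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

A capability rule such as the dac_override one is the point at which to ask, as the dac_override plugin text does, whether the file's owner or mode is wrong rather than the policy; a non-self rule like the user_devpts_t one names the object the domain was actually reaching for.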
So smartdnotify is opening terminals owned by user uid and blasting messages to them. I guess root is not allowed to talk to /dev/tty/0 by permissions so dac_override is required.
I see dac_override in F16 policy but not in F15, need to back port to RHEL6 also.
Well, as Michal wrote this is on a Fedora 16 box. Or Michal, did you mean F15 box? I am adding it to F15, RHEL6.
I've just tried to reproduce this on two Fedora 16 boxes and it works fine. My prev. F16 testing box was not updated to F16 yet, it was still F15. So Dan is correct
Fixed in selinux-policy-3.9.16-41.fc15
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.