881031 – SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.

Bug 881031 - SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.

Summary: SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabili...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:90aedddcf5e509167d9f179a63c...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-11-28 13:12 UTC by Matthew Saltzman
Modified:	2013-01-07 04:02 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-01-07 04:02:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: type (9 bytes, text/plain) 2012-11-28 13:12 UTC, Matthew Saltzman	no flags	Details
File: hashmarkername (14 bytes, text/plain) 2012-11-28 13:12 UTC, Matthew Saltzman	no flags	Details
View All

Description Matthew Saltzman 2012-11-28 13:12:52 UTC

Additional info:
libreport version: 2.0.18
kernel:         3.6.7-4.fc17.x86_64

description:
:SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file and generate the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to recreate AVC. Then execute
:# ausearch -m avc -ts recent
:If you see PATH record check ownership/permissions on file, and fix it, 
:otherwise report as a bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that perl should have the dac_read_search capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sa-update /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        sa-update
:Source Path                   /usr/bin/perl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           perl-5.14.3-217.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.7-4.fc17.x86_64 #1 SMP Tue Nov
:                              20 19:40:01 UTC 2012 x86_64 x86_64
:Alert Count                   8
:First Seen                    2012-11-28 04:10:02 EST
:Last Seen                     2012-11-28 06:00:13 EST
:Local ID                      1b4806a6-15a3-4228-af1c-733a70c9767d
:
:Raw Audit Messages
:type=AVC msg=audit(1354100413.729:1255): avc:  denied  { dac_read_search } for  pid=17354 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1354100413.729:1255): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3654b1e6eb a1=80000 a2=1b6 a3=238 items=0 ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sa-update,spamd_update_t,spamd_update_t,capability,dac_read_search
:
:audit2allow
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:
:audit2allow -R
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:

Comment 1 Matthew Saltzman 2012-11-28 13:12:56 UTC

Created attachment 653512 [details]
File: type

Comment 2 Matthew Saltzman 2012-11-28 13:12:58 UTC

Created attachment 653513 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-11-28 15:38:55 UTC

Is spamd_update_t running as root while the sa_update directory is owned by spamd user?

Comment 4 Matthew Saltzman 2012-11-28 15:45:41 UTC

Not sure how to tell.  This is a standard installation of spamassassin-3.3.2-14.fc17.x86_64 that I use with evolution-spamassassin-3.4.4-2.fc17.x86_64.  I haven't made any changes post-install except to turn on spam checking in evolution.

Comment 5 Vladislav Grigoryev 2012-12-08 15:39:52 UTC

Confirm.

# grep SELinux /var/log/messages
Dec  8 05:05:19 srv08 setroubleshoot: SELinux is preventing /usr/bin/perl from using the dac_read_search capability. For complete SELinux messages. run sealert -l b9c001bb-5858-4c78-9d3f-a7515f00e96a

# rpm -q selinux-policy spamassassin perl 
selinux-policy-3.10.0-161.fc17.noarch
spamassassin-3.3.2-14.fc17.x86_64
perl-5.14.3-217.fc17.x86_64

Comment 6 Miroslav Grepl 2012-12-10 09:40:52 UTC

commit 0230bde3e44dd9f0e6cfcea387e51742f8b9430d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 10 10:39:25 2012 +0100

    Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories

Comment 7 Fedora Update System 2012-12-17 18:42:55 UTC

selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17

Comment 8 Fedora Update System 2012-12-18 02:38:44 UTC

Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-01-05 06:43:29 UTC

Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-01-07 04:02:19 UTC

selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.