Description of problem:
SELinux is preventing /usr/sbin/unbound-control from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that unbound-control should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:system_r:dnssec_trigger_t:s0
Target Objects                [ capability ]
Source                        unbound-control
Source Path                   /usr/sbin/unbound-control
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-1.4.19-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-05-23 05:50:29 PDT
Last Seen                     2013-05-23 05:52:47 PDT
Local ID                      951aaf6c-cb4d-4658-a211-3bce80331a98

Raw Audit Messages
type=AVC msg=audit(1369313567.479:342): avc: denied { dac_override } for pid=1857 comm="unbound-control" capability=1 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=capability

type=AVC msg=audit(1369313567.479:342): avc: denied { dac_read_search } for pid=1857 comm="unbound-control" capability=2 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=capability

type=SYSCALL msg=audit(1369313567.479:342): arch=x86_64 syscall=open success=no exit=EACCES a0=11b2200 a1=0 a2=1b6 a3=238 items=0 ppid=1273 pid=1857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=unbound-control exe=/usr/sbin/unbound-control subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)

Hash: unbound-control,dnssec_trigger_t,dnssec_trigger_t,capability,dac_override

audit2allow

#============= dnssec_trigger_t ==============
allow dnssec_trigger_t self:capability { dac_read_search dac_override };

audit2allow -R

require {
	type dnssec_trigger_t;
	class capability { dac_read_search dac_override };
}

#============= dnssec_trigger_t ==============
allow dnssec_trigger_t self:capability { dac_read_search dac_override };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.x86_64
type:           libreport
Could you please do the following steps:

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
[user@localhost ~]$ sudo ausearch -m avc -ts recent
----
time->Sat May 25 07:41:06 2013
type=SYSCALL msg=audit(1369492866.111:317): arch=c000003e syscall=2 success=no exit=-13 a0=7fff22cbadf0 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="unbound-anchor" exe="/usr/sbin/unbound-anchor" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369492866.111:317): avc: denied { write } for pid=1108 comm="unbound-anchor" name="unbound" dev="sda2" ino=1320372 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
----
time->Sat May 25 07:41:06 2013
type=SYSCALL msg=audit(1369492866.348:318): arch=c000003e syscall=2 success=no exit=-13 a0=1d8cc10 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=1207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="unbound-checkco" exe="/usr/sbin/unbound-checkconf" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1369492866.348:318): avc: denied { read } for pid=1207 comm="unbound-checkco" name="example.com.key" dev="sda2" ino=1320385 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file
[user@localhost ~]$
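Added example (editor's code, not part of this bug report and not from the unbound or selinux-policy projects): a POSIX sh/awk script that reads AVC records like the ones posted above and does the two things the setroubleshoot text walks through by hand. avc_summary prints one line per denial and marks whether the record names an object; capability denials such as the dac_override one carry no file name, which is why the plugin asks for full auditing so that a PATH record identifies the file. avc_to_allow_rules derives the blanket allow rules that audit2allow would emit for the same records (permissions merged per source/target/class, "self" when the two types match), so the cost of the catchall fix is visible next to the denials it would silence. The function names, the helper library and the sample log are mine; the sample is constructed from the records in this report and is not a real log.

```shell
#!/bin/sh
# Added example, not part of this bug report: parse SELinux AVC denials the way a
# reviewer reads them before deciding between "fix the file" and "write policy".
# Needs only POSIX sh and awk; auditd and the policy tools are not required.
set -eu

# Constructed sample input modelled on the records in this report (not a real log):
# two capability denials with no object name, one SYSCALL record that is skipped,
# and two file/dir denials that do name the object.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1369313567.479:342): avc:  denied  { dac_override } for  pid=1857 comm="unbound-control" capability=1  scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=capability
type=AVC msg=audit(1369313567.479:342): avc:  denied  { dac_read_search } for  pid=1857 comm="unbound-control" capability=2  scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=capability
type=SYSCALL msg=audit(1369313567.479:342): arch=c000003e syscall=2 success=no exit=-13 a0=11b2200 a1=0 a2=1b6 a3=238 items=0 ppid=1273 pid=1857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="unbound-control" exe="/usr/sbin/unbound-control" subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)
type=AVC msg=audit(1369492866.111:317): avc:  denied  { write } for  pid=1108 comm="unbound-anchor" name="unbound" dev="sda2" ino=1320372 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=AVC msg=audit(1369492866.348:318): avc:  denied  { read } for  pid=1207 comm="unbound-checkco" name="example.com.key" dev="sda2" ino=1320385 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file'

# Shared awk helpers (hypothetical names), prepended to each awk program below.
AVC_AWK_LIB='
# kv(line, key): value of key=... in an audit record, quotes stripped; "(none)" if absent.
function kv(line, key,    re, v) {
    re = " " key "=[^ ]+"
    if (match(line, re)) {
        v = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", v)
        return v
    }
    return "(none)"
}
# type_of(ctx): the type field of a context, e.g. system_u:system_r:named_t:s0 -> named_t
function type_of(ctx,    a, n) {
    n = split(ctx, a, ":")
    return n >= 3 ? a[3] : ctx
}
# perms_of(line): the permission list inside "denied { ... }"
function perms_of(line,    p) {
    p = line
    sub(/.*denied +[{] */, "", p)
    sub(/ *[}].*/, "", p)
    return p
}
'

# avc_summary: one line per AVC denial read from stdin:
#   comm source_type -> target_type tclass { perms } object=<name|(none)>
# object=(none) marks denials (tclass=capability here) that carry no file name; those are
# the cases where the report asks for full auditing so that a PATH record names the file.
avc_summary() {
    awk "$AVC_AWK_LIB"'
    /^type=AVC / && /avc: +denied/ {
        printf "%s %s -> %s %s { %s } object=%s\n",
            kv($0, "comm"), type_of(kv($0, "scontext")), type_of(kv($0, "tcontext")),
            kv($0, "tclass"), perms_of($0), kv($0, "name")
    }'
}

# avc_to_allow_rules: the blanket allow rules audit2allow derives from the same records:
# one rule per (source type, target type, class), permissions merged and sorted,
# target written as "self" when source and target types are equal.
avc_to_allow_rules() {
    awk "$AVC_AWK_LIB"'
    /^type=AVC / && /avc: +denied/ {
        s = type_of(kv($0, "scontext")); t = type_of(kv($0, "tcontext"))
        if (s == t) t = "self"
        n = split(perms_of($0), p, " ")
        for (i = 1; i <= n; i++) print s, t, kv($0, "tclass"), p[i]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2 " " $3
        if (key != prev) {
            if (prev != "") print "allow " ps " " pt ":" pc " { " perms " };"
            prev = key; ps = $1; pt = $2; pc = $3; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print "allow " ps " " pt ":" pc " { " perms " };" }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
echo
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_allow_rules
```

Run against the sample, the summary shows the two unbound-control capability denials with object=(none), and the unbound-anchor and unbound-checkconf denials naming the directory and key file they touched. The second function prints the three rules a blanket `audit2allow -M` module would carry; for the records that do name an object, the report's own advice is to check that object's ownership, permissions and label first, and to file a bug rather than load such a module, which is what this report was resolved as.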
*** This bug has been marked as a duplicate of bug 966542 ***