OpenAFS and SELinux

suvayu ali <fatkasuvayu+linux@xxxxxxxxx> · Wed, 4 Jul 2012 17:28:26 +0200

Hi,

Every time I start openafs with "systemctl start openafs.service", I get
the following SELinux AVC denial.

  SELinux is preventing /usr/sbin/afsd from using the dac_override
  capability.

  # systemctl status openafs.service
  openafs.service - LSB: start and stop OpenAFS
            Loaded: loaded (/etc/rc.d/init.d/openafs)
            Active: active (running) since Wed, 04 Jul 2012 17:17:20
+0200; 8min ago
           Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start
(code=exited, status=0/SUCCESS)
            CGroup: name=systemd:/system/openafs.service
                    └ 15696 /usr/sbin/afsd -mountdir /afs -confdir
/etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime
-memcache -afsdb -dynroot

  Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel
module:  [  OK  ]
  Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client:
afsd: All AFS daemons started.
  Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons started.
  Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for
writing (errno 13); not adding an entry for AFS
  Jul 04 17:17:20 <localhost> openafs[15673]: [  OK  ]

  # auditctl -w /etc/shadow -p w
  # ausearch -m avc -ts recent
  time->Wed Jul  4 17:17:20 2012
  type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2
  success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0
  ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
  egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd"
  exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
  type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override }
  for pid=15689 comm="afsd" capability=1
  scontext=system_u:system_r:afs_t:s0
  tcontext=system_u:system_r:afs_t:s0 tclass=capability

Can someone shed some light if this is a policy bug or an issue at my
end?

--
Suvayu

Open source is the future. It sets us free.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org