On 07/04/2012 11:28, suvayu ali wrote:
Hi,
Every time I start openafs with "systemctl start openafs.service", I get the following SELinux AVC denial.
SELinux is preventing /usr/sbin/afsd from using the dac_override capability.
# systemctl status openafs.service
openafs.service - LSB: start and stop OpenAFS
Loaded: loaded (/etc/rc.d/init.d/openafs)
Active: active (running) since Wed, 04 Jul 2012 17:17:20 +0200; 8min ago
Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/openafs.service
└ 15696 /usr/sbin/afsd -mountdir /afs -confdir /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime -memcache -afsdb -dynroot
Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel module: [ OK ]
Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client: afsd: All AFS daemons started.
Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons started.
Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for writing (errno 13); not adding an entry for AFS
Jul 04 17:17:20 <localhost> openafs[15673]: [ OK ]
# auditctl -w /etc/shadow -p w
# ausearch -m avc -ts recent
time->Wed Jul 4 17:17:20 2012
type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
Can someone shed some light if this is a policy bug or an issue at my end?
--
Suvayu
Open source is the future. It sets us free.
What are your permissions on /etc/mtab? The AVC is basically saying that the AFS daemon was trying to override the normal permission checks and access the file anyway. It looks like the daemon is running as root, and on my box /etc/mtab is owned by root, so it looks to me like it shouldn't need to.
Dave
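An added example, not part of the thread: the Python script below decodes the two audit records quoted above (copied from the post and joined back onto one line each, since the mail client had wrapped them) and then applies the plain discretionary mode check that the kernel performs before it falls back to CAP_DAC_OVERRIDE, which is the check Dave's reply is reasoning about. The syscall, errno, open-flag and capability tables are x86_64 Linux values supplied here, and the file modes fed to the check are constructed samples rather than anything from the poster's box.

```python
"""Decode a SYSCALL/AVC audit pair and show when CAP_DAC_OVERRIDE is consulted."""
import re
import stat

# Constructed input: the two records quoted in the thread, one line each.
AUDIT_RECORDS = [
    'type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 '
    'ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" '
    'exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)',
    'type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } '
    'for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 '
    'tcontext=system_u:system_r:afs_t:s0 tclass=capability',
]

# Lookup tables (x86_64 Linux values), limited to what this record needs.
ARCHES = {"c000003e": "x86_64"}
SYSCALLS_X86_64 = {2: "open", 257: "openat"}
ERRNO = {1: "EPERM", 13: "EACCES"}
CAPABILITIES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
OPEN_FLAGS = [  # bits other than the O_RDONLY/O_WRONLY/O_RDWR access mode
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o1000, "O_TRUNC"),
    (0o2000, "O_APPEND"), (0o100000, "O_LARGEFILE"), (0o2000000, "O_CLOEXEC"),
]


def parse_record(line):
    """Split one audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def decode_open_flags(flags):
    """Name the bits of an open(2) flags word (a1 of the SYSCALL record)."""
    names = [{0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(flags & 0o3, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAGS if flags & bit]
    return names


def decode_event(records):
    """Join the SYSCALL and AVC records of one audit event into plain facts."""
    by_type = {parse_record(line)["type"]: line for line in records}
    sc = parse_record(by_type["SYSCALL"])
    avc = parse_record(by_type["AVC"])
    if sc["msg"] != avc["msg"]:
        raise ValueError("records belong to different audit events")
    arch = ARCHES.get(sc["arch"], sc["arch"])
    nr = int(sc["syscall"])
    info = {
        "event": sc["msg"],
        "comm": sc["comm"],
        "exe": sc["exe"],
        "context": sc["subj"],
        "arch": arch,
        "syscall": SYSCALLS_X86_64.get(nr, f"#{nr}") if arch == "x86_64" else f"#{nr}",
        "errno": ERRNO.get(-int(sc["exit"]), sc["exit"]),
        "uid": int(sc["uid"]),
        "permission": re.search(r"denied\s*\{\s*(\S+)\s*\}", by_type["AVC"]).group(1),
        "capability": CAPABILITIES.get(int(avc.get("capability", -1)), avc.get("capability")),
    }
    if info["syscall"] == "open":
        info["open_flags"] = decode_open_flags(int(sc["a1"], 16))
        info["create_mode"] = oct(int(sc["a2"], 16))  # a2 is the mode for O_CREAT
    return info


def dac_allows_write(st_mode, st_uid, st_gid, uid, gids):
    """Plain DAC write check: owner bits if uid matches, else group, else other."""
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def dac_override_needed(info, st_mode, st_uid, st_gid, gids=()):
    """True when the caller fails the mode check for a write open, so the kernel
    falls back to CAP_DAC_OVERRIDE and SELinux gets to deny it (only the write
    case from the thread is modelled here)."""
    wants_write = any(f in ("O_WRONLY", "O_RDWR") for f in info.get("open_flags", []))
    if not wants_write:
        return False
    return not dac_allows_write(st_mode, st_uid, st_gid, info["uid"], gids)


if __name__ == "__main__":
    info = decode_event(AUDIT_RECORDS)
    for key, value in info.items():
        print(f"{key:12} {value}")
    # Constructed file modes: root-owned 0644 lets root write without any
    # capability; a root-owned 0444 file forces the CAP_DAC_OVERRIDE fallback.
    for label, (mode, owner, group) in {"root 0644": (0o100644, 0, 0),
                                        "root 0444": (0o100444, 0, 0)}.items():
        print(f"{label}: CAP_DAC_OVERRIDE needed ->", dac_override_needed(info, mode, owner, group))
```

Run it as-is to see the decoded record: the daemon, as uid 0 in afs_t, called open with O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC and got EACCES because the policy does not grant afs_t the dac_override capability. The second half makes Dave's point concrete: a root-owned file whose owner write bit is set never reaches the capability check, so if the real /etc/mtab does trigger it, its mode (or what it links to) is the thing to look at.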
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org