Re: OpenAFS and SELinux

On 07/04/2012 11:28, suvayu ali wrote:
Hi,

Every time I start openafs with "systemctl start openafs.service", I get
the following SELinux AVC denial.

  SELinux is preventing /usr/sbin/afsd from using the dac_override
  capability.

  # systemctl status openafs.service
  openafs.service - LSB: start and stop OpenAFS
            Loaded: loaded (/etc/rc.d/init.d/openafs)
            Active: active (running) since Wed, 04 Jul 2012 17:17:20 +0200; 8min ago
           Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start (code=exited, status=0/SUCCESS)
            CGroup: name=systemd:/system/openafs.service
                    └ 15696 /usr/sbin/afsd -mountdir /afs -confdir /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime -memcache -afsdb -dynroot

  Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel module:  [  OK  ]
  Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client: afsd: All AFS daemons started.
  Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons started.
  Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for writing (errno 13); not adding an entry for AFS
  Jul 04 17:17:20 <localhost> openafs[15673]: [  OK  ]

  # auditctl -w /etc/shadow -p w
  # ausearch -m avc -ts recent
  time->Wed Jul  4 17:17:20 2012
  type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2
  success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0
  ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
  egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd"
  exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
  type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override }
  for pid=15689 comm="afsd" capability=1
  scontext=system_u:system_r:afs_t:s0
  tcontext=system_u:system_r:afs_t:s0 tclass=capability

Can someone shed some light if this is a policy bug or an issue at my
end?

--
Suvayu

Open source is the future. It sets us free.

What are your permissions on /etc/mtab? The AVC is basically saying that the AFS daemon was trying to override the normal permission checks and access the file anyway. It looks like the daemon is running as root, and on my box /etc/mtab is owned by root, so it looks to me like it shouldn't need to.

Dave
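The two audit records quoted above carry enough to answer Dave's question without guessing. This is an added example, not code from the thread or from OpenAFS: it parses the SYSCALL and AVC records (re-joined onto one line each from the post), decodes the fields a practitioner reads by hand (syscall number for the x86_64 arch value, the open(2) flags word in a1, the errno behind exit=-13, the capability number in the AVC), and then reproduces the plain Unix permission-bit check the kernel tries before it ever asks the LSM for CAP_DAC_OVERRIDE. The lookup tables are deliberately trimmed to the values this record can hit; the function and variable names are mine. The live check assumes stat() semantics, so if /etc/mtab is a symlink (on Fedora releases of that period it points at the read-only /proc/self/mounts) the decision is made on the target's owner and mode, which is the detail that makes a root-owned file still trip dac_override.

```python
"""Decode the SYSCALL/AVC pair from the post and show when root needs CAP_DAC_OVERRIDE."""
import os
import re

# Constructed sample input: the two records quoted in the post, one line each.
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 '
    'ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" '
    'exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)'
)
AVC_RECORD = (
    'type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } '
    'for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 '
    'tcontext=system_u:system_r:afs_t:s0 tclass=capability'
)

# Trimmed lookup tables (Linux uapi headers; arch c000003e is AUDIT_ARCH_X86_64).
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES"}
SYSCALLS = {"c000003e": {0: "read", 1: "write", 2: "open", 257: "openat"}}
FLAG_ARG = {"open": "a1", "openat": "a2"}      # which register holds the flags word
OPEN_FLAGS = ((0o2000000, "O_CLOEXEC"), (0o2000, "O_APPEND"),
              (0o1000, "O_TRUNC"), (0o100, "O_CREAT"))
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into key=value fields; AVC lines also get a 'denied' list."""
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = re.search(r"denied \{ ([^}]*) \}", line)
    if m:
        fields["denied"] = m.group(1).split()
    return fields


def decode_open_flags(hex_flags):
    """Names for an open(2) flags word as audit prints it (hex, no 0x prefix)."""
    flags = int(hex_flags, 16)
    names = [ACCMODE.get(flags & 0o3, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAGS if flags & bit]
    return names


def explain(syscall_line, avc_line):
    """Join the SYSCALL and AVC records that share one audit serial into a diagnosis."""
    sc, avc = parse_record(syscall_line), parse_record(avc_line)
    if sc["msg"] != avc["msg"]:
        raise ValueError("records carry different audit serials")
    syscall = SYSCALLS.get(sc["arch"], {}).get(int(sc["syscall"]), "?")
    flag_arg = FLAG_ARG.get(syscall)
    errno = -int(sc["exit"])
    return {
        "comm": sc["comm"],
        "uid": int(sc["uid"]),
        "domain": avc["scontext"].split(":")[2],
        "syscall": syscall,
        "open_flags": decode_open_flags(sc[flag_arg]) if flag_arg else [],
        "errno": ERRNO.get(errno, str(errno)),
        "capability": CAPABILITIES.get(int(avc["capability"]), avc["capability"]),
        "denied": avc["denied"],
    }


def dac_allows(uid, groups, st_uid, st_gid, st_mode, want="w"):
    """Plain owner/group/other permission-bit check, i.e. what the kernel tries first.
    groups must include the caller's primary gid. Only when this fails does the
    kernel ask the LSM for CAP_DAC_OVERRIDE (CAP_DAC_READ_SEARCH is enough for
    read/search), and that capability check is what SELinux denied for afs_t."""
    if uid == st_uid:
        bits = (st_mode >> 6) & 0o7
    elif st_gid in groups:
        bits = (st_mode >> 3) & 0o7
    else:
        bits = st_mode & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def needs_dac_override(path, uid=0, groups=(0,), want="w"):
    """Live check. os.stat() follows symlinks, so a symlinked /etc/mtab is judged by its target."""
    st = os.stat(path)
    return not dac_allows(uid, groups, st.st_uid, st.st_gid, st.st_mode & 0o777, want)


if __name__ == "__main__":
    for key, value in explain(SYSCALL_RECORD, AVC_RECORD).items():
        print(f"{key:>11}: {value}")
    # Ownership alone is not the answer: a root-owned 0644 file never reaches the
    # capability check, a root-owned 0444 target (such as a file under /proc) does.
    print("root, 0644 needs override:", not dac_allows(0, (0,), 0, 0, 0o644))
    print("root, 0444 needs override:", not dac_allows(0, (0,), 0, 0, 0o444))
    print("/etc/mtab needs override: ", needs_dac_override("/etc/mtab"))
```

On the box in question the two commands that settle it are `stat -L -c '%U:%G %a %N' /etc/mtab` (the -L resolves the symlink, so you see the mode of the real target) and `ausearch -m avc -ts recent | audit2why`, which reports whether the denial is covered by an existing boolean or needs a local policy module.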