Hi Dave,
On Wed, Jul 4, 2012 at 7:36 PM, David Quigley <selinux@xxxxxxxxxxxxxxx> wrote:
> On 07/04/2012 11:28, suvayu ali wrote:
>>
>> Hi,
>>
>> Every time I start openafs with "systemctl start openafs.service", I get
>> the following SELinux AVC denial.
>>
>> SELinux is preventing /usr/sbin/afsd from using the dac_override
>> capability.
>>
>> # systemctl status openafs.service
>> openafs.service - LSB: start and stop OpenAFS
>> Loaded: loaded (/etc/rc.d/init.d/openafs)
>> Active: active (running) since Wed, 04 Jul 2012 17:17:20
>> +0200; 8min ago
>> Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start
>> (code=exited, status=0/SUCCESS)
>> CGroup: name=systemd:/system/openafs.service
>> └ 15696 /usr/sbin/afsd -mountdir /afs -confdir
>> /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime
>> -memcache -afsdb -dynroot
>>
>> Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel
>> module: [ OK ]
>> Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client:
>> afsd: All AFS daemons started.
>> Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons
>> started.
>> Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for
>> writing (errno 13); not adding an entry for AFS
>> Jul 04 17:17:20 <localhost> openafs[15673]: [ OK ]
>>
>> # auditctl -w /etc/shadow -p w
>> # ausearch -m avc -ts recent
>> time->Wed Jul 4 17:17:20 2012
>> type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2
>> success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0
>> ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd"
>> exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
>> type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override }
>> for pid=15689 comm="afsd" capability=1
>> scontext=system_u:system_r:afs_t:s0
>> tcontext=system_u:system_r:afs_t:s0 tclass=capability
>>
>> Can someone shed some light if this is a policy bug or an issue at my
>> end?
>>
>
> What are your permissions on /etc/mtab. The AVC is basically saying that the
> AFS daemon was trying to override the normal permission checks and access
> the file anyway. It looks like the daemon is running as root and on my box
> /etc/mtab is owned by root so it looks to me like it shouldn't need to.
>
The permissions seem to be as I would expect them to be:
# lt /etc/mtab; ls -Z /etc/mtab
lrwxrwxrwx. 1 root root 12 Jun 28 09:53 /etc/mtab -> /proc/mounts
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/mtab -> /proc/mounts
Since I am starting the daemon with systemctl the daemon should be
running as root. I see no potential conflicts here then. Am I right?
--
Suvayu
Open source is the future. It sets us free.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
