On 07/11/2012 10:46 AM, suvayu ali wrote:
> On Wed, Jul 11, 2012 at 4:39 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
>> On 07/06/2012 05:34 AM, suvayu ali wrote:
>>> Hi Daniel,
>>>
>>> On Thu, Jul 5, 2012 at 12:27 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>> wrote:
>>>> After turning on full auditing can you try it again and get the full
>>>> AVC, including the PATH record.
>>>
>>> On a freshly booted system, I turned on full auditing like this:
>>>
>>> # auditctl -w /etc/shadow -p w
>>>
>>> Then I started openafs like this:
>>>
>>> # systemctl start openafs.service
>>>
>>> which generated an AVC denial (output below).
>>>
>>> # ausearch -m avc -ts recent
>>>
>>> time->Fri Jul 6 11:20:49 2012
>>>
>>> type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab"
>>> inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
>>> obj=system_u:system_r:afs_t:s0
>>>
>>> type=CWD msg=audit(1341566449.720:133): cwd="/"
>>>
>>> type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2
>>> success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752
>>> pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd"
>>> exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
>>>
>>> type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override }
>>> for pid=2753 comm="afsd" capability=1
>>> scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0
>>> tclass=capability
>>>
>>> Another strange thing, running systemctl status tells me "Can't open
>>> /etc/mtab for writing (errno 13); not adding an entry for AFS", but I
>>> see that /etc/mtab has the following line:
>>>
>>> AFS /afs afs rw,relatime 0 0
>>>
>>
>> ls -l /etc/mtab
>>
>> It should be world readable.
>>
>
> It is world readable.
>
> # ls -l /etc/mtab
> lrwxrwxrwx. 1 root root 12 Jun 28 09:53 /etc/mtab -> /proc/mounts
> # ls -l /proc/mounts
> lrwxrwxrwx. 1 root root 11 Jul 11 16:43 /proc/mounts -> self/mounts
> # ls -l /proc/self/mounts
> -r--r--r--. 1 root root 0 Jul 11 16:43 /proc/self/mounts
>
> The strange thing is, despite the error message I can access my afs
> directory (after I get my Kerberos credentials).
>

Well I guess we should dontaudit it then, and open it as a bug on the Kernel, although since AFS is not adopted into the kernel, not sure how much people will look at it.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
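The denial quoted in the thread can be read straight from the audit records. The following Python script is an added example, not code from the thread: it parses a constructed copy of the posted audit event, decodes the open(2) flags in a1 and the mode in the PATH record, and shows that afsd (running as root) asked for a read-write open of a 0444 file, which root can only satisfy through CAP_DAC_OVERRIDE, the capability afs_t was denied.

```python
import re

# Audit event as quoted in the thread (a constructed copy of the posted output,
# rejoined onto one line per record).
AUDIT_EVENT = """\
type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab" inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=CWD msg=audit(1341566449.720:133): cwd="/"
type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752 pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override } for pid=2753 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
"""

# open(2) flag bits on x86_64 (asm-generic/fcntl.h); a1 of syscall 2 (open) holds them.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x80000: "O_CLOEXEC"}
CAPABILITIES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}  # linux/capability.h

def parse_event(text):
    """Return {record type: {field: value}} for one multi-record audit event."""
    event = {}
    for line in text.splitlines():
        rtype = re.match(r"type=(\w+)", line).group(1)
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        if rtype == "AVC":  # the permission set sits between braces, not in key=value form
            fields["permissions"] = re.search(r"\{ (.*?) \}", line).group(1).split()
        event[rtype] = fields
    return event

def explain_dac_override(event):
    """Work out whether root needed CAP_DAC_OVERRIDE for this open(2) and why."""
    sc, path, avc = event["SYSCALL"], event["PATH"], event["AVC"]
    flags = int(sc["a1"], 16)
    wants_write = bool(flags & (0x1 | 0x2))      # O_WRONLY or O_RDWR
    perm_bits = int(path["mode"], 8) & 0o777     # strip the S_IFREG type bits
    owner_may_write = bool(perm_bits & 0o200)
    return {
        "comm": sc["comm"],
        "path": path["name"],
        "open_flags": [n for bit, n in OPEN_FLAGS.items() if flags & bit],
        "file_mode": f"{perm_bits:04o}",
        "errno": -int(sc["exit"]),               # 13 == EACCES
        "denied": avc["permissions"],
        "capability": CAPABILITIES.get(int(avc["capability"])),
        # Root bypasses the mode bits only via CAP_DAC_OVERRIDE, so when the
        # bits alone refuse the write and SELinux denies that capability,
        # the open fails with EACCES even for uid 0.
        "root_needed_dac_override": sc["euid"] == "0" and wants_write and not owner_may_write,
    }

if __name__ == "__main__":
    for k, v in explain_dac_override(parse_event(AUDIT_EVENT)).items():
        print(f"{k:>26}: {v}")
```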