SELinux is preventing mktemp from using the dac_read_search capability.

[Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>]

I had this on F30 and pretty much ignored it.  Now I am getting it on 
this new F32 install:

What daily process is causing this?

SELinux is preventing mktemp from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a 
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending 
file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests **************************

If you believe that mktemp should have the dac_read_search capability by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -X 300 -i my-mktemp.pp

Additional Information:
Source Context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        mktemp
Source Path                   mktemp
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.5-32.fc32.noarch
Local Policy RPM selinux-policy-targeted-3.14.5-32.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com 
5.6.8-300.fc32.x86_64
                              #1 SMP Wed Apr 29 19:01:34 UTC 2020 
x86_64 x86_64
Alert Count                   16
First Seen                    2020-05-06 03:43:05 EDT
Last Seen                     2020-05-06 03:43:12 EDT
Local ID                      88c0f18b-7f43-40fd-afc1-fde6d590f581

Raw Audit Messages
type=AVC msg=audit(1588750992.932:940): avc:  denied  { dac_read_search 
} for  pid=18029 comm="chmod" capability=2 
scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 
tclass=capability permissive=0


Hash: mktemp,logwatch_mail_t,logwatch_mail_t,capability,dac_read_search



_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx