Re: SELinux is preventing mktemp from using the dac_read_search capability.

[Ed Greshko <ed.greshko@xxxxxxxxxxx>]

On 05/01/2022 21:02, Robert Moskowitz wrote:
> I keep getting these errors.
>
> I got them back with F32 and Xfce, and now with F35 and Xfce.
>
> I asked on the SElinux list, but no one seems to be home.
>
> Here is the full detail; it looks like it may be logwatch causing the problem.  What do I do to fix this?
>
> ===============
>
> SELinux is preventing mktemp from using the dac_read_search capability.
>
> *****  Plugin dac_override (91.4 confidence) suggests **********************
>
> If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
> Then turn on full auditing to get path information about the offending file and generate the error again.
> Do
>
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
>
> *****  Plugin catchall (9.59 confidence) suggests **************************
>
> If you believe that mktemp should have the dac_read_search capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
> # semodule -X 300 -i my-mktemp.pp
>
> Additional Information:
> Source Context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
> Target Context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
> Target Objects                Unknown [ capability ]
> Source                        mktemp
> Source Path                   mktemp
> Port                          <Unknown>
> Host                          lx140e.htt-consult.com
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM selinux-policy-targeted-35.7-1.fc35.noarch
> Local Policy RPM selinux-policy-targeted-35.7-1.fc35.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     lx140e.htt-consult.com
> Platform                      Linux lx140e.htt-consult.com
>                               5.15.11-200.fc35.x86_64 #1 SMP Wed Dec 22 15:41:11
>                               UTC 2021 x86_64 x86_64
> Alert Count                   13912
> First Seen                    2021-11-15 03:27:05 EST
> Last Seen                     2022-01-02 03:09:16 EST
> Local ID 2ef8a1a9-ddf5-42cc-b5dc-c08354265cc8
>
> Raw Audit Messages
> type=AVC msg=audit(1641110956.728:1612): avc:  denied  { dac_read_search } for  pid=24078 comm="dotlockfile" capability=2 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=capability permissive=0
>
>
> Hash: mktemp,logwatch_mail_t,logwatch_mail_t,capability,dac_read_search

Before doing as suggested in the sealert output.....

What is the output of "ls -Z /usr/bin/dotlockfile" and "ls -X /usr/bin/mktemp"?


--
Did 황준호 die?
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure