Re: dac_override and dac_read_search ... again!


On 08/01/2010 10:53 AM, Mr Dash Four wrote:
> Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I 
> started getting heaps of the two avc types from a variety of 
> programs/processes. Logs follow below.
> 
> I have not done anything unusual apart from upgrading and patching 3 
> policy module files (though I am getting exactly the same avcs if using 
> the pre-built policies packages!).
> 
> The OS image is built in exactly the same way (with kickstart file and 
> using livecd tools) as it was with the 3.7.19-37 version (and it worked 
> there without any problems). I first thought that it might be a labelling 
> problem, but as is evident from the file label listings below, that 
> appears not to be the case.
> 
> When I try and boot from that image, the first sign of trouble comes 
> when the auditd service does not start, hence why I do not have 
> audit.log listing to include. The only way I could activate auditd is to 
> force selinux into permissive mode (echo 0 > /selinux/enforce) and then 
> execute "service auditd start".
> 
> What could be the cause for this? I can't see the file permissions to be 
> too restrictive either (which was the root cause of my previous dac_* 
> problems). Any ideas as to how to solve this sorry mess are welcome!
> 
> ====================/var/log/messages
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc:  
> denied  { dac_override } for  pid=378 comm="hostname" capability=1  
> scontext=system_u:system_r:hostname_t:s0 
> tcontext=system_u:system_r:hostname_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc:  
> denied  { dac_read_search } for  pid=378 comm="hostname" capability=2  
> scontext=system_u:system_r:hostname_t:s0 
> tcontext=system_u:system_r:hostname_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc:  
> denied  { dac_override } for  pid=386 comm="dmesg" capability=1  
> scontext=system_u:system_r:dmesg_t:s0 
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc:  
> denied  { dac_read_search } for  pid=386 comm="dmesg" capability=2  
> scontext=system_u:system_r:dmesg_t:s0 
> tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc:  
> denied  { dac_override } for  pid=689 comm="ip" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc:  
> denied  { dac_read_search } for  pid=689 comm="ip" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc:  
> denied  { dac_override } for  pid=714 comm="ifconfig" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc:  
> denied  { dac_read_search } for  pid=714 comm="ifconfig" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc:  
> denied  { dac_override } for  pid=729 comm="hostname" capability=1  
> scontext=system_u:system_r:hostname_t:s0 
> tcontext=system_u:system_r:hostname_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc:  
> denied  { dac_read_search } for  pid=729 comm="hostname" capability=2  
> scontext=system_u:system_r:hostname_t:s0 
> tcontext=system_u:system_r:hostname_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc:  
> denied  { dac_override } for  pid=922 comm="arping" capability=1  
> scontext=system_u:system_r:netutils_t:s0 
> tcontext=system_u:system_r:netutils_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc:  
> denied  { dac_read_search } for  pid=922 comm="arping" capability=2  
> scontext=system_u:system_r:netutils_t:s0 
> tcontext=system_u:system_r:netutils_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc:  
> denied  { dac_override } for  pid=973 comm="auditd" capability=1  
> scontext=system_u:system_r:auditd_t:s0 
> tcontext=system_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc:  
> denied  { dac_read_search } for  pid=973 comm="auditd" capability=2  
> scontext=system_u:system_r:auditd_t:s0 
> tcontext=system_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc:  
> denied  { dac_override } for  pid=1300 comm="ip" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc:  
> denied  { dac_read_search } for  pid=1300 comm="ip" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc:  
> denied  { dac_override } for  pid=1350 comm="ip" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc:  
> denied  { dac_read_search } for  pid=1350 comm="ip" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc:  
> denied  { dac_override } for  pid=1364 comm="ip" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc:  
> denied  { dac_read_search } for  pid=1364 comm="ip" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc:  
> denied  { dac_override } for  pid=1418 comm="tc" capability=1  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc:  
> denied  { dac_read_search } for  pid=1418 comm="tc" capability=2  
> scontext=system_u:system_r:ifconfig_t:s0 
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
> Aug  1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176): 
> avc:  denied  { dac_override } for  pid=1615 comm="smartd" capability=1  
> scontext=system_u:system_r:fsdaemon_t:s0 
> tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
> Aug  1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177): 
> avc:  denied  { dac_read_search } for  pid=1615 comm="smartd" 
> capability=2  scontext=system_u:system_r:fsdaemon_t:s0 
> tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
> ====================
> 
> ====================service start auditd
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): 
> avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
> scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227): 
> avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
> capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228): 
> avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
> scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229): 
> avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
> capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230): 
> avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
> scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231): 
> avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
> capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232): 
> avc:  denied  { dac_override } for  pid=1583 comm="auditd" capability=1  
> scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233): 
> avc:  denied  { dac_read_search } for  pid=1583 comm="auditd" 
> capability=2  scontext=unconfined_u:system_r:auditd_t:s0 
> tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
> Aug  1 13:14:05 test1 auditd: Error opening config file (Permission denied)
> Aug  1 13:14:05 test1 auditd: The audit daemon is exiting.
> ====================
> 
> ====================echo 0 > /selinux/enforce && service auditd start && 
> service smartd start
> type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_override } 
> for  pid=1368 comm="smartd" capability=1  
> scontext=unconfined_u:system_r:fsdaemon_t:s0 
> tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
> type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_read_search 
> } for  pid=1368 comm="smartd" capability=2  
> scontext=unconfined_u:system_r:fsdaemon_t:s0 
> tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
> type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 
> success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 
> pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" 
> subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
> type=AVC msg=audit(1280608935.245:328): avc:  denied  { dac_override } 
> for  pid=1368 comm="smartd" capability=1  
> scontext=unconfined_u:system_r:fsdaemon_t:s0 
> tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
> type=AVC msg=audit(1280608935.245:328): avc:  denied  { dac_read_search 
> } for  pid=1368 comm="smartd" capability=2  
> scontext=unconfined_u:system_r:fsdaemon_t:s0 
> tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
> type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 
> success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367 
> pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" 
> subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
> ====================
> 
> ====================ls -lasZ /etc | grep audit
> drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit
> -rw-r-----. root root system_u:object_r:etc_t:s0       libaudit.conf
> ====================
> 
> ====================ls -lasZ /etc/audit
> drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 .
> drw-r--r--. root root system_u:object_r:etc_t:s0       ..
> -rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf
> -rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules
> ====================
> 
> ====================ls -lasZ /etc/init.d/auditd
> -rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 
> /etc/init.d/auditd
> ====================
> 
> ====================ls -lasZ /sbin/auditd
> -rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd
> ====================
> 
> ====================ls -lasZ /var/log | grep audit
> drwxr-xr-x. root     root     system_u:object_r:auditd_log_t:s0 audit
> ====================
> 
> ====================ls -lasZ /var/log/audit
> drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_log_t:s0   ..
> -rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
> ====================
> 
> 

You have some file that has ownership such that root cannot access the
file via permissions.

You need to turn on full auditing to get the path of the offending file.

Execute

auditctl -w /etc/shadow -p w

And see if you can generate the error again.  Then you should get a path
with the next avc message.

Please attach the message.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
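As an added example (not part of the thread): once full auditing is on, the SYSCALL and PATH records the kernel writes share the event serial of the AVC (the `327` in `audit(1280608935.230:327)`), so a small parser can join the three records and report which file root could not reach through ordinary owner/group/other permissions. The sample log, and the path, inode and owner values in its PATH record, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, not from the thread: the smartd AVC/SYSCALL records from the post
# plus the PATH record the kernel emits once full auditing is on (a watch rule such as
# "auditctl -w /etc/shadow -p w" turns it on). Path, inode and owner values are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_override }  for  pid=1368 comm="smartd" capability=1  scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc:  denied  { dac_read_search }  for  pid=1368 comm="smartd" capability=2  scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 success=no exit=-13 items=1 pid=1368 auid=0 uid=0 gid=0 euid=0 egid=0 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=PATH msg=audit(1280608935.230:327): item=0 name="/etc/example.conf" inode=4242 dev=08:01 mode=0100640 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (event serial, record type, fields) for one audit record, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = re.search(r"denied\s+\{([^}]*)\}", line)  # the "{ dac_override }" part of an AVC
    fields["perms"] = perms.group(1).split() if perms else []
    return m.group(1), fields["type"], fields


def dac_permits(mode, ouid, ogid, uid, gid, want=4):
    """Owner/group/other bit check that CAP_DAC_OVERRIDE bypasses (ACLs, supplementary groups ignored); want: 4=read 2=write 1=exec."""
    shift = 6 if uid == ouid else 3 if gid == ogid else 0
    return ((mode >> shift) & want) == want


def find_dac_offenders(log_text):
    """Join capability AVCs to the SYSCALL/PATH records of the same event; report each file and whether root had DAC read access."""
    events = defaultdict(lambda: defaultdict(list))
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        events[rec[0]][rec[1]].append(rec[2])
    out = []
    for serial, recs in events.items():
        denied = {p for a in recs["AVC"] if a.get("tclass") == "capability" for p in a["perms"]}
        denied &= {"dac_override", "dac_read_search"}
        if not denied or not recs["SYSCALL"] or not recs["PATH"]:
            continue  # no file to blame: full auditing was not on for this event
        sc = recs["SYSCALL"][0]
        for p in recs["PATH"]:
            mode, ouid, ogid = int(p["mode"], 8), int(p["ouid"]), int(p["ogid"])
            out.append({"serial": serial, "comm": sc["comm"], "denied": sorted(denied), "path": p["name"],
                        "mode": "%04o" % (mode & 0o7777), "ouid": ouid, "ogid": ogid,
                        "root_dac_read": dac_permits(mode, ouid, ogid, int(sc["uid"]), int(sc["gid"]))})
    return out
```

A row with `root_dac_read` False and a non-root `ouid` is the file the reply is talking about: root can only open it by exercising CAP_DAC_OVERRIDE, which the confined domain is not allowed, so fixing its ownership or mode removes the denial without loosening policy.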