permission denied without an (obvious) reason when changing directory permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,

I'm running into a SELinux permission issue when simply changing the ownership of a directory and I've got no clue why this happens.

The program in question is smokeping. It runs as root with the context of "system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd.
When having /var/lib/smokeping (and its subfolders) owned by root, everything works fine.
As soon as I change the ownership to apache:apache and remove permissions for other users (e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.

Here's what I got so far:

$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (works fine)

$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (breaks)

an strace shows:

$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)

imho smokeping *should* be able to perform these actions (well, except for /etc/shadow):

$ sesearch -s smokeping_t -t smokeping_var_lib_t -Ad
Found 2 semantic av rules:
   allow smokeping_t smokeping_var_lib_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow smokeping_t smokeping_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

When circumventing SELinux using either setenforce 0 or semanage permissive -a smokeping_t it works fine again.

Does anyone have a clue?

Thanks!

- Philippe
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux