Re: permission denied without an (obvious) reason when changing directory permissions

Hi Philippe,

On 4/24/19 1:10 PM, Thomas Mueller wrote:
> 
> Hi Philippe
> 
> 
>> I'm running into a SELinux permission issue when simply changing the
>> ownership of a directory and I've got no clue why this happens.
>>
>> The program in question is smokeping. It runs as root with the context
>> of "system_u:system_r:smokeping_t" and tries to write to
>> /var/lib/smokeping/rrd.
>> When having /var/lib/smokeping (and its subfolders) owned by root,
>> everything works fine.
>> As soon as I change the ownership to apache:apache and remove
>> permissions for other users (e.g. 0770), an EACCES pops up but no avc
>> denied shows up in the audit log.
>>
>> Here's what I got so far:
>>
>> $ ls -dZ /var/lib/smokeping/rrd
>> drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0
>> /var/lib/smokeping/rrd
>> $ runcon -t smokeping_t -r system_r smokeping --debug
>> # (works fine)
>>
>> $ chown apache: /var/lib/smokeping/rrd
>> $ chmod 770 /var/lib/smokeping/rrd
>> $ ls -dZ /var/lib/smokeping/rrd
>> drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0
>> /var/lib/smokeping/rrd
>> $ runcon -t smokeping_t -r system_r smokeping --debug
>> # (breaks)
>>
>> an strace shows:
>>
>> $ grep -h EACCES /tmp/smokeping.pid.*
>> open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
>> stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES
>> (Permission denied)
>> open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) =
>> -1 EACCES (Permission denied)
>> stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES
>> (Permission denied)
>> open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC,
>> 0666) = -1 EACCES (Permission denied)
>> stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES
>> (Permission denied)
>> open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC,
>> 0666) = -1 EACCES (Permission denied)
>> stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES
>> (Permission denied)
>> mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES
>> (Permission denied)
> 
> As the process runs confined, root is not the same root as if you run it
> interactively after sudo su - or the like.
> 
> Root for the smokeping process is like a normal user. It can't override
> DAC permissions. If root has no permissions to write to the folder it
> simply can't overrule that permission because DAC_OVERRIDE is denied.
> There should be some audit messages logged with dac_override.
> 
> A Dan Walsh blogpost about dac override with some details:
> https://danwalsh.livejournal.com/80232.html
> 

Just to be sure, could you please rerun the scenario and execute the
command:

# ausearch -m AVC -ts today

and attach the output?

Thanks,
Lukas.

> - Thomas
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
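The following is an added example, not part of the thread or of the smokeping or selinux-policy projects. It models the Linux DAC check that produced the EACCES results in Philippe's strace, so the reader can see why uid 0 inside a confined domain that is denied the dac_override capability is bound by the mode bits like any other user, and it includes a small helper that picks the matching capability AVC out of audit output of the kind `ausearch -m AVC` prints. Assumptions: apache's uid/gid is 48 (Fedora's default), /etc/shadow is mode 0000 root:root (also the Fedora default), and the two audit lines are constructed for the example. The model covers only mode bits and CAP_DAC_OVERRIDE; ACLs and CAP_DAC_READ_SEARCH are left out. One practical caveat when looking for the AVC: many Fedora domains carry a dontaudit rule for dac_override, so if `ausearch` shows nothing, `semodule -DB` rebuilds the policy with dontaudit rules disabled (and `semodule -B` restores them).

```python
"""Added example (not from the thread): a teaching model of the Linux DAC
check behind the EACCES results, plus a helper that finds dac_override
capability denials in audit output."""
import re

MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1   # same bit values as the kernel's MAY_*

APACHE_UID = APACHE_GID = 48   # assumed: Fedora's default apache uid/gid


def dac_allows(mode, owner_uid, owner_gid, uid, groups, want, is_dir,
               cap_dac_override=False):
    """Model of the kernel's generic_permission(): True when a task (uid,
    groups) may perform `want` (bitmask of MAY_*) on an inode described by
    (mode, owner_uid, owner_gid). Ignores ACLs and CAP_DAC_READ_SEARCH."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if (bits & want) == want:
        return True
    # CAP_DAC_OVERRIDE bypasses the rwx check, except that exec on a regular
    # file still needs at least one x bit. When the SELinux policy denies the
    # domain the dac_override capability this branch is never taken, so uid 0
    # is held to the mode bits exactly like an ordinary user.
    if cap_dac_override:
        if (want & MAY_EXEC) and not is_dir and not (mode & 0o111):
            return False
        return True
    return False


def smokeping_scenario(rrd_mode, rrd_uid, rrd_gid, cap_dac_override):
    """Outcome ("ok" or "EACCES") of the syscalls strace showed, for a process
    running as uid 0 with supplementary groups {0} against
    /var/lib/smokeping/rrd in the given state."""
    uid, groups = 0, {0}

    def check(want, mode=rrd_mode, ouid=rrd_uid, ogid=rrd_gid, is_dir=True):
        ok = dac_allows(mode, ouid, ogid, uid, groups, want, is_dir,
                        cap_dac_override)
        return "ok" if ok else "EACCES"

    return {
        # stat() needs search (x) on every directory in the path
        "stat rrd/foo.rrd": check(MAY_EXEC),
        # creating a file or a subdirectory needs w+x on the parent directory
        "open rrd/foo.rrd O_CREAT": check(MAY_WRITE | MAY_EXEC),
        "mkdir rrd/threshold": check(MAY_WRITE | MAY_EXEC),
        # /etc/shadow is 0000 root:root (assumed Fedora default): even the
        # owner needs CAP_DAC_OVERRIDE to read it
        "open /etc/shadow O_RDONLY": check(MAY_READ, 0o000, 0, 0, False),
    }


# Constructed sample audit output: one capability denial, one dir denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1556114400.123:456): avc:  denied  { dac_override } for  pid=12345 comm="smokeping" capability=1  scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1556114401.456:457): avc:  denied  { write } for  pid=12345 comm="smokeping" name="rrd" dev="dm-0" ino=1234 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)")


def dac_override_denials(audit_text):
    """Return (scontext, comm) for every AVC line whose target class is
    `capability` and whose denied permission set contains dac_override."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue
        if "dac_override" in m.group("perms").split():
            comm = re.search(r'comm="([^"]*)"', line)
            hits.append((m.group("scontext"), comm.group(1) if comm else ""))
    return hits


if __name__ == "__main__":
    print("root-owned 0755, no cap:", smokeping_scenario(0o755, 0, 0, False))
    print("apache 0770, no cap:   ",
          smokeping_scenario(0o770, APACHE_UID, APACHE_GID, False))
    print("apache 0770, with cap: ",
          smokeping_scenario(0o770, APACHE_UID, APACHE_GID, True))
    print("dac_override AVCs:", dac_override_denials(SAMPLE_AUDIT))
```

Running the script reproduces the thread's two states: with the directory root-owned and 0755 every rrd operation passes on the owner bits alone, with it apache-owned and 0770 root falls through to the "other" bits and every call returns EACCES unless the domain is allowed dac_override. The same model also explains the `open("/etc/shadow")` line in the strace, which fails in both states for the same reason. The audit helper is the check to run on real `ausearch -m AVC` output once the dontaudit rules are out of the way.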
