OpenAFS and SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Jul 11 14:39:52 UTC 2012



On 07/06/2012 05:34 AM, suvayu ali wrote:
> Hi Daniel,
> 
> On Thu, Jul 5, 2012 at 12:27 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> After turning on full auditing can you try it again and get the full
>> AVC, including the PATH record.
> 
> On a freshly booted system, I turned on full auditing like this:
> 
> # auditctl -w /etc/shadow -p w
> 
> Then I started openafs like this:
> 
> # systemctl start openafs.service
> 
> which generated an AVC denial (output below).
> 
> # ausearch -m avc -ts recent
> 
> time->Fri Jul  6 11:20:49 2012
> 
> type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab" 
> inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 
> obj=system_u:system_r:afs_t:s0
> 
> type=CWD msg=audit(1341566449.720:133):  cwd="/"
> 
> type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2 
> success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752 
> pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd"
> subj=system_u:system_r:afs_t:s0 key=(null)
> 
> type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override } for
> pid=2753 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 
> tcontext=system_u:system_r:afs_t:s0 tclass=capability
> 
> Another strange thing, running systemctl status tells me "Can't open 
> /etc/mtab for writing (errno 13); not adding an entry for AFS", but I see
> that /etc/mtab has the following line:
> 
> AFS /afs afs rw,relatime 0 0
> 
> I hope I have provided all the required information.
> 


ls -l /etc/mtab

It should be world readable.

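An added example, not part of this thread or of OpenAFS/SELinux tooling: a small triage script that parses the audit event quoted above and decodes why afsd hit dac_override. Syscall 2 on x86_64 (arch=c000003e) is open(2), a1=80442 requests write access, and the PATH record shows /etc/mtab at mode 0444, which even uid 0 cannot open for writing without CAP_DAC_OVERRIDE. The flag and capability constants are the standard x86_64 Linux values; the field names are those in the records themselves.

```python
import errno
import re
import stat

# The audit event quoted above (id 133), one record per line so this runs offline.
EVENT = """\
type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab" inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=CWD msg=audit(1341566449.720:133):  cwd="/"
type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752 pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override } for pid=2753 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
"""

# open(2) flag bits as used on x86_64 (arch=c000003e, syscall 2 == open)
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o1000: "O_TRUNC",
              0o2000: "O_APPEND", 0o2000000: "O_CLOEXEC"}
CAP_DAC_OVERRIDE = 1  # capability number the AVC record reports

def parse_event(text):
    """Split audit records by type into dicts of key=value fields (quotes stripped)."""
    recs = {}
    for line in text.splitlines():
        m = re.match(r'type=(\w+) msg=audit\([^)]*\):\s*(.*)', line)
        if not m:
            continue
        body = m.group(2)
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
        denied = re.search(r'denied\s*\{\s*([^}]*?)\s*\}', body)
        if denied:
            fields["denied"] = denied.group(1)
        recs[m.group(1)] = fields
    return recs

def explain_dac_override(recs):
    """Work out why a uid 0 process needed CAP_DAC_OVERRIDE for this open()."""
    sc, path, avc = recs["SYSCALL"], recs["PATH"], recs["AVC"]
    flags = int(sc["a1"], 16)
    perm_bits = int(path["mode"], 8) & 0o7777   # drop the S_IFREG type bits
    wants_write = (flags & 0o3) != 0             # O_ACCMODE: 0 is O_RDONLY
    # Even uid 0 fails the DAC check on a 0444 file opened for write; the kernel
    # then asks for CAP_DAC_OVERRIDE, which the afs_t policy here did not grant.
    dac_allows = (not wants_write) or bool(perm_bits & stat.S_IWUSR)
    return {
        "path": path["name"],
        "mode": f"{perm_bits:04o}",
        "flags": sorted(n for bit, n in OPEN_FLAGS.items() if flags & bit),
        "errno": errno.errorcode[-int(sc["exit"])],
        "denied": avc["denied"],
        "needs_dac_override": (not dac_allows) and int(avc["capability"]) == CAP_DAC_OVERRIDE,
    }
```

Reading the PATH mode against the open flags this way points at the file permissions rather than at the policy, which is the cheaper fix to check first.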

