Re: permission denied without an (obvious) reason when changing directory permissions

Hi Philippe > I'm running into a SELinux permission issue when simply changing the > ownership of a directory and I've got no clue why this happens. > > The program in question is smokeping. It runs as root with the context > of "system_u:system_r:smokeping_t" and tries to write to > /var/lib/smokeping/rrd. > When having /var/lib/smokeping (and its subfolders) owned by root, > everything works fine. > As soon as I change the ownership to apache:apache and remove > permissions for other users (e.g. 0770), an EACCES pops up but no avc > denied shows up in the audit log. > > Here's what I got so far: > > $ ls -dZ /var/lib/smokeping/rrd > drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 > /var/lib/smokeping/rrd > $ runcon -t smokeping_t -r system_r smokeping --debug > # (works fine) > > $ chown apache: /var/lib/smokeping/rrd > $ chmod 770 /var/lib/smokeping/rrd > $ ls -dZ /var/lib/smokeping/rrd > drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0 > /var/lib/smokeping/rrd > $ runcon -t smokeping_t -r system_r smokeping --debug > # (breaks) > > an strace shows: > > $ grep -h EACCES /tmp/smokeping.pid.* > open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) > stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES > (Permission denied) > open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = > -1 EACCES (Permission denied) > stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES > (Permission denied) > open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, > 0666) = -1 EACCES (Permission denied) > stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES > (Permission denied) > open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, > 0666) = -1 EACCES (Permission denied) > stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES > (Permission denied) > mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES > (Permission denied) As the process runs confined, root is not the same root as if you run it interactively after sudo su - or the like. Root for the somkeping process is like a normal user. It can't override DAC permissions. If root has no permissions to write to the folder it simply can't overrule that permission because DAC_OVERRIDE is denied. There should be some audit messages logged with dac_override . A Dan Walsh blogpost about dac override with some details: https://danwalsh.livejournal.com/80232.html

- Thomas _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...