Hi Philippe
I'm running into a SELinux permission issue when simply changing
the ownership of a directory and I've got no clue why this happens.
The program in question is smokeping. It runs as root with the context of
"system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd.
When having /var/lib/smokeping (and its subfolders) owned by root, everything works
fine.
As soon as I change the ownership to apache:apache and remove permissions for other users
(e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.
Here's what I got so far:
$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (works fine)
$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0
/var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (breaks)
an strace shows:
$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission
denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)
As the process runs confined, root is not the same root as if you run it
interactively after sudo su - or the like.
Root for the somkeping process is like a normal user. It can't override
DAC permissions. If root has no permissions to write to the folder it
simply can't overrule that permission because DAC_OVERRIDE is denied.
There should be some audit messages logged with dac_override .
A Dan Walsh blogpost about dac override with some details:
https://danwalsh.livejournal.com/80232.html
- Thomas