OpenAFS and SELinux
suvayu ali
fatkasuvayu+linux at gmail.com
Wed Jul 4 15:28:26 UTC 2012
Hi,

Every time I start openafs with "systemctl start openafs.service", I get
the following SELinux AVC denial.

SELinux is preventing /usr/sbin/afsd from using the dac_override
capability.

# systemctl status openafs.service
openafs.service - LSB: start and stop OpenAFS
Loaded: loaded (/etc/rc.d/init.d/openafs)
Active: active (running) since Wed, 04 Jul 2012 17:17:20 +0200; 8min ago
Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/openafs.service
└ 15696 /usr/sbin/afsd -mountdir /afs -confdir /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime -memcache -afsdb -dynroot

Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel module: [ OK ]
Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client: afsd: All AFS daemons started.
Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons started.
Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for writing (errno 13); not adding an entry for AFS
Jul 04 17:17:20 <localhost> openafs[15673]: [ OK ]

# auditctl -w /etc/shadow -p w
# ausearch -m avc -ts recent
time->Wed Jul 4 17:17:20 2012
type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability

Can someone shed some light if this is a policy bug or an issue at my
end?

--
Suvayu

Open source is the future. It sets us free.
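
The SYSCALL and AVC records in the post share the event id 1341415040.319:275, so they describe one failed system call. As an added example (not part of the original post), this Python script joins the two records and decodes their numeric fields; the function names and the small lookup tables are assumptions chosen for illustration and cover only what this event needs.

```python
import errno
import re

# Audit records copied from the post above, with mail line-wrapping undone.
RECORDS = [
    'type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 ppid=15688 '
    'pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" '
    'subj=system_u:system_r:afs_t:s0 key=(null)',
    'type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } for '
    'pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 '
    'tcontext=system_u:system_r:afs_t:s0 tclass=capability',
]

# Subsets of the Linux x86_64 tables (arch=c000003e), enough for this event.
SYSCALLS = {2: "open"}
CAPABILITIES = {0: "chown", 1: "dac_override", 2: "dac_read_search"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0x40: "O_CREAT", 0x200: "O_TRUNC", 0x400: "O_APPEND", 0x80000: "O_CLOEXEC"}

def parse(record):
    """Return (event id, key=value fields) for one audit record."""
    event_id = re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    fields["perms"] = " ".join(re.findall(r"\{ ([^}]*) \}", record)).split()
    return event_id, fields

def explain(records):
    """Join SYSCALL and AVC records that share an event id and decode them."""
    events = {}
    for record in records:
        event_id, fields = parse(record)
        events.setdefault(event_id, {})[fields["type"]] = fields
    report = []
    for event_id, ev in events.items():
        if "AVC" not in ev or "SYSCALL" not in ev:
            continue  # only complete SYSCALL + AVC pairs can be correlated
        sc, avc = ev["SYSCALL"], ev["AVC"]
        name = SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
        bits = int(sc["a1"], 16)  # for open(): a1 = flags, hex in audit records
        flags = [ACCESS_MODES.get(bits & 3, "?")] + [n for b, n in OPEN_FLAGS.items() if bits & b]
        report.append({"event": event_id, "comm": sc["comm"].strip('"'), "syscall": name,
                       "errno": errno.errorcode.get(-int(sc["exit"])), "denied": avc["perms"],
                       "flags": flags if name == "open" else [], "domain": avc["scontext"],
                       "capability": CAPABILITIES.get(int(avc.get("capability", -1)))})
    return report

if __name__ == "__main__":
    print(explain(RECORDS))
```

Run on the records above, it reports an open() call with flags O_RDWR, O_CREAT, O_APPEND and O_CLOEXEC that failed with EACCES, which is the same error number (13) as in the "Can't open /etc/mtab for writing" line of the service log. It also confirms that capability=1 is dac_override, denied to the afs_t domain.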