OpenAFS and SELinux

suvayu ali fatkasuvayu+linux at gmail.com
Wed Jul 4 18:56:01 UTC 2012


Hi Dave,

On Wed, Jul 4, 2012 at 7:36 PM, David Quigley <selinux at davequigley.com> wrote:
> On 07/04/2012 11:28, suvayu ali wrote:
>>
>> Hi,
>>
>> Every time I start openafs with "systemctl start openafs.service", I get
>> the following SELinux AVC denial.
>>
>>   SELinux is preventing /usr/sbin/afsd from using the dac_override
>>   capability.
>>
>>   # systemctl status openafs.service
>>   openafs.service - LSB: start and stop OpenAFS
>>             Loaded: loaded (/etc/rc.d/init.d/openafs)
>>             Active: active (running) since Wed, 04 Jul 2012 17:17:20
>> +0200; 8min ago
>>            Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start
>> (code=exited, status=0/SUCCESS)
>>             CGroup: name=systemd:/system/openafs.service
>>                     └ 15696 /usr/sbin/afsd -mountdir /afs -confdir
>> /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime
>> -memcache -afsdb -dynroot
>>
>>   Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel
>> module:  [  OK  ]
>>   Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client:
>> afsd: All AFS daemons started.
>>   Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons
>> started.
>>   Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for
>> writing (errno 13); not adding an entry for AFS
>>   Jul 04 17:17:20 <localhost> openafs[15673]: [  OK  ]
>>
>>   # auditctl -w /etc/shadow -p w
>>   # ausearch -m avc -ts recent
>>   time->Wed Jul  4 17:17:20 2012
>>   type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2
>>   success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0
>>   ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>   egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd"
>>   exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
>>   type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override }
>>   for pid=15689 comm="afsd" capability=1
>>   scontext=system_u:system_r:afs_t:s0
>>   tcontext=system_u:system_r:afs_t:s0 tclass=capability
>>
>> Can someone shed some light if this is a policy bug or an issue at my
>> end?
>>
>
> What are your permissions on /etc/mtab? The AVC is basically saying that the
> AFS daemon was trying to override the normal permission checks and access
> the file anyway. It looks like the daemon is running as root and on my box
> /etc/mtab is owned by root so it looks to me like it shouldn't need to.
>

The permissions seem to be as I would expect them to be:

# lt /etc/mtab; ls -Z /etc/mtab
lrwxrwxrwx. 1 root root 12 Jun 28 09:53 /etc/mtab -> /proc/mounts
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/mtab -> /proc/mounts

Since I am starting the daemon with systemctl, the daemon should be
running as root. I see no potential conflicts here then. Am I right?


-- 
Suvayu

Open source is the future. It sets us free.
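An added example (my own code, not part of this thread or of OpenAFS) that decodes the SYSCALL/AVC pair quoted above the way a triage script would: it pairs the two records by their audit serial, names the syscall (arch c000003e is x86_64, where syscall 2 is open), decodes the open flags in a1, maps exit=-13 to its errno name, and for a dac_override denial by a uid 0 process states what that denial means. The audit lines are the ones from the thread, joined into one line per record as ausearch prints them; the syscall and flag tables are the x86_64 values, and the assessment wording is mine.

```python
import errno
import re

# Constructed sample: the two audit records quoted in this thread, each joined
# into a single line the way ausearch prints them.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 '
    'ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" '
    'exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)',
    'type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } '
    'for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 '
    'tcontext=system_u:system_r:afs_t:s0 tclass=capability',
]

AUDIT_ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {2: "open", 257: "openat"}  # only the ones this script decodes

# open(2) flag bits (Linux generic values, as used on x86_64).
OPEN_FLAGS = [
    (0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"), (0o200, "O_EXCL"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o400000, "O_NOFOLLOW"),
    (0o2000000, "O_CLOEXEC"),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')


def parse_record(line):
    """Split one audit record into its key=value fields, plus the event
    serial and (for AVC records) the list of denied permissions."""
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def decode_open_flags(hex_value):
    """Turn the hex flags argument of open/openat into O_* names."""
    flags = int(hex_value, 16)
    names = [name for bit, name in OPEN_FLAGS if flags & bit]
    if flags & 0o3 == 0:
        names.insert(0, "O_RDONLY")
    return names


def assess(finding):
    """Plain-language reading of a capability denial (my wording, not policy text)."""
    if "dac_override" in finding["denied"]:
        if finding.get("uid") == 0:
            return ("uid 0 process failed the DAC mode/ownership check on the target, "
                    "so the kernel asked for CAP_DAC_OVERRIDE and SELinux refused it; "
                    "confirm the target is actually writable before allowing the capability")
        return "non-root process requested CAP_DAC_OVERRIDE; it cannot hold it anyway"
    return "not a DAC override; inspect tclass and the denied permissions"


def triage(lines):
    """Pair SYSCALL and AVC records by audit serial and explain each denial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec and "type" in rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        finding = {
            "serial": serial, "comm": avc.get("comm"), "tclass": avc.get("tclass"),
            "scontext": avc.get("scontext"), "denied": avc.get("perms", []),
        }
        if sc is not None:
            nr = int(sc["syscall"])
            name = X86_64_SYSCALLS.get(nr) if sc.get("arch") == AUDIT_ARCH_X86_64 else None
            finding["syscall"] = name or f"syscall_{nr}"
            finding["exe"] = sc.get("exe")
            finding["uid"] = int(sc["uid"])
            code = -int(sc["exit"])  # audit stores the negative errno on failure
            finding["errno"] = errno.errorcode.get(code) if code > 0 else None
            if name == "open":
                finding["open_flags"] = decode_open_flags(sc["a1"])   # flags are a1
            elif name == "openat":
                finding["open_flags"] = decode_open_flags(sc["a2"])   # flags are a2
        finding["assessment"] = assess(finding)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f['serial']}] {f['comm']} ({f.get('exe')}) uid={f.get('uid')} "
              f"{f.get('syscall')} flags={'|'.join(f.get('open_flags', []))} "
              f"-> {f.get('errno')}; denied {' '.join(f['denied'])} on {f['tclass']}")
        print("    " + f["assessment"])
```

Run on the two records it reports afsd, uid 0, calling open with O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC and getting EACCES, with dac_override denied on the capability class. A dac_override AVC for a root process means the DAC check on the target did not already grant the requested access, so the kernel then asked SELinux whether afs_t may use CAP_DAC_OVERRIDE. The ls output in this reply shows /etc/mtab resolving to /proc/mounts, a read-only procfs file, so a read-write open cannot pass the DAC check even as root; that is the point to settle (should the daemon be writing that file at all, given its own log line says it just skips the mtab entry) before allowing the capability in the afs policy.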
