OpenAFS and SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Jul 5 10:27:25 UTC 2012



On 07/04/2012 02:56 PM, suvayu ali wrote:
> Hi Dave,
> 
> On Wed, Jul 4, 2012 at 7:36 PM, David Quigley <selinux at davequigley.com>
> wrote:
>> On 07/04/2012 11:28, suvayu ali wrote:
>>> 
>>> Hi,
>>> 
>>> Every time I start openafs with "systemctl start openafs.service", I
>>> get the following SELinux AVC denial.
>>> 
>>> SELinux is preventing /usr/sbin/afsd from using the dac_override 
>>> capability.
>>> 
>>> # systemctl status openafs.service
>>> openafs.service - LSB: start and stop OpenAFS
>>>       Loaded: loaded (/etc/rc.d/init.d/openafs)
>>>       Active: active (running) since Wed, 04 Jul 2012 17:17:20 +0200; 8min ago
>>>      Process: 15673 ExecStart=/etc/rc.d/init.d/openafs start (code=exited, status=0/SUCCESS)
>>>       CGroup: name=systemd:/system/openafs.service
>>>               └ 15696 /usr/sbin/afsd -mountdir /afs -confdir /etc/openafs -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime -memcache -afsdb -dynroot
>>> 
>>> Jul 04 17:17:20 <localhost> openafs[15673]: Loading AFS kernel module: [  OK  ]
>>> Jul 04 17:17:20 <localhost> openafs[15673]: Starting AFS client: afsd: All AFS daemons started.
>>> Jul 04 17:17:20 <localhost> openafs[15673]: afsd: All AFS daemons started.
>>> Jul 04 17:17:20 <localhost> openafs[15673]: Can't open /etc/mtab for writing (errno 13); not adding an entry for AFS
>>> Jul 04 17:17:20 <localhost> openafs[15673]: [  OK  ]
>>> 
>>> # auditctl -w /etc/shadow -p w
>>> # ausearch -m avc -ts recent
>>> time->Wed Jul  4 17:17:20 2012
>>> type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=0 ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
>>> type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } for pid=15689 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
>>> 
>>> Can someone shed some light on whether this is a policy bug or an issue at my
>>> end?
>>> 
>> 
>> What are your permissions on /etc/mtab? The AVC is basically saying that
>> the AFS daemon was trying to override the normal permission checks and
>> access the file anyway. It looks like the daemon is running as root, and
>> on my box /etc/mtab is owned by root, so it looks to me like it shouldn't
>> need to.
>> 
> 
> The permissions seem to be as I would expect them to be:
> 
> # lt /etc/mtab; ls -Z /etc/mtab
> lrwxrwxrwx. 1 root root 12 Jun 28 09:53 /etc/mtab -> /proc/mounts
> lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/mtab -> /proc/mounts
> 
> Since I am starting the daemon with systemctl the daemon should be running
> as root. I see no potential conflicts here then. Am I right?
> 
> 
After turning on full auditing can you try it again and get the full AVC,
including the PATH record.
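As an added triage example (not part of this thread), the Python below decodes the SYSCALL and AVC records quoted above, embedded here as constructed sample input: arch=c000003e is x86_64, so syscall=2 is open(2); the a1 word is the open flags, exit=-13 is EACCES and capability=1 is CAP_DAC_OVERRIDE. The lookup tables are deliberately partial and hold only the values this record needs; a uid=0 process that still trips the DAC check points at the object's mode or ownership, which is what the PATH record would show.

```python
import re

# Constructed sample input: the two audit records quoted in the thread, one record per string.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1341415040.319:275): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=42402b a1=80442 a2=1b6 a3=238 items=0 ppid=15688 pid=15689 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" '
    'exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)',
    'type=AVC msg=audit(1341415040.319:275): avc: denied { dac_override } for pid=15689 comm="afsd" '
    'capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability',
]
# Partial lookup tables (Linux x86_64 ABI); only the values this record needs are listed.
SYSCALLS_X86_64 = {2: "open", 257: "openat"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAG_BITS = {0o100: "O_CREAT", 0o2000: "O_APPEND", 0o100000: "O_LARGEFILE", 0o2000000: "O_CLOEXEC"}
CAPABILITIES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
ERRNO_NAMES = {-1: "EPERM", -13: "EACCES"}

def parse_fields(record):
    """Split one audit record into its key=value pairs (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    m = re.search(r"denied \{ ([^}]*) \}", record)  # AVC records carry the permission here
    fields["denied"] = m.group(1).strip() if m else None
    return fields

def decode_open_flags(hex_word):
    """Turn the hex flag word audit prints for a1 into symbolic open(2) flags."""
    flags = int(hex_word, 16)
    return [ACCESS_MODES.get(flags & 0o3, "?")] + [n for b, n in OPEN_FLAG_BITS.items() if flags & b]

def triage(records):
    """Pair SYSCALL and AVC records by audit serial and summarise each denial."""
    by_serial = {}
    for rec in records:
        serial = re.search(r"audit\(\d+\.\d+:(\d+)\)", rec).group(1)
        fields = parse_fields(rec)
        by_serial.setdefault(serial, {})[fields["type"]] = fields
    summaries = []
    for serial, recs in by_serial.items():
        sc, avc = recs.get("SYSCALL", {}), recs.get("AVC", {})
        nr = int(sc.get("syscall", -1))
        flags = decode_open_flags(sc["a1"]) if nr in SYSCALLS_X86_64 else []
        summaries.append({
            "serial": serial, "comm": avc.get("comm", sc.get("comm")), "uid": sc.get("uid"),
            "syscall": SYSCALLS_X86_64.get(nr), "flags": flags,
            "errno": ERRNO_NAMES.get(int(sc.get("exit", 0))), "permission": avc.get("denied"),
            "capability": CAPABILITIES.get(int(avc.get("capability", -1))),
            # A write/create attempt on an object the process may not own is the usual dac_override trigger.
            "writes": any(f in ("O_WRONLY", "O_RDWR", "O_CREAT") for f in flags),
        })
    return summaries
```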


