OpenAFS and SELinux

suvayu ali fatkasuvayu+linux at gmail.com
Wed Jul 11 14:46:25 UTC 2012


On Wed, Jul 11, 2012 at 4:39 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 07/06/2012 05:34 AM, suvayu ali wrote:
>> Hi Daniel,
>>
>> On Thu, Jul 5, 2012 at 12:27 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> After turning on full auditing can you try it again and get the full
>>> AVC, including the PATH record.
>>
>> On a freshly booted system, I turned on full auditing like this:
>>
>> # auditctl -w /etc/shadow -p w
>>
>> Then I started openafs like this:
>>
>> # systemctl start openafs.service
>>
>> which generated an AVC denial (output below).
>>
>> # ausearch -m avc -ts recent
>>
>> time->Fri Jul  6 11:20:49 2012
>>
>> type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab"
>> inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
>> obj=system_u:system_r:afs_t:s0
>>
>> type=CWD msg=audit(1341566449.720:133):  cwd="/"
>>
>> type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2
>> success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752
>> pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd"
>> subj=system_u:system_r:afs_t:s0 key=(null)
>>
>> type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override } for
>> pid=2753 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0
>> tcontext=system_u:system_r:afs_t:s0 tclass=capability
>>
>> Another strange thing: running systemctl status tells me "Can't open
>> /etc/mtab for writing (errno 13); not adding an entry for AFS", but I see
>> that /etc/mtab has the following line:
>>
>> AFS /afs afs rw,relatime 0 0
>>
>
> ls -l /etc/mtab  It should be world readable.
>

It is world readable.

  # ls -l /etc/mtab
  lrwxrwxrwx. 1 root root 12 Jun 28 09:53 /etc/mtab -> /proc/mounts
  # ls -l /proc/mounts
  lrwxrwxrwx. 1 root root 11 Jul 11 16:43 /proc/mounts -> self/mounts
  # ls -l /proc/self/mounts
  -r--r--r--. 1 root root 0 Jul 11 16:43 /proc/self/mounts

The strange thing is, despite the error message I can access my afs
directory (after I get my Kerberos credentials).

-- 
Suvayu

Open source is the future. It sets us free.
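The four audit records quoted in the message above are enough to explain the denial on their own, so here is a small decoder for them. This is an added example and not code from the thread or from OpenAFS: it parses the PATH, SYSCALL and AVC records (the sample input is the posted event reflowed onto single lines, field values unchanged), decodes the open(2) arguments using the x86_64 flag values (the record says arch=c000003e; other architectures use different constants), and maps exit=-13 and capability=1 to their symbolic names. The function names and the summary layout are my own choices.

```python
import re

# Audit event as posted in the thread, reflowed onto one line per record
# (constructed sample input; the field values are unchanged from the post).
SAMPLE_EVENT = """\
type=PATH msg=audit(1341566449.720:133): item=0 name="/etc/mtab" inode=36536 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:afs_t:s0
type=CWD msg=audit(1341566449.720:133):  cwd="/"
type=SYSCALL msg=audit(1341566449.720:133): arch=c000003e syscall=2 success=no exit=-13 a0=42402b a1=80442 a2=1b6 a3=238 items=1 ppid=2752 pid=2753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="afsd" exe="/usr/sbin/afsd" subj=system_u:system_r:afs_t:s0 key=(null)
type=AVC msg=audit(1341566449.720:133): avc: denied { dac_override } for pid=2753 comm="afsd" capability=1 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:system_r:afs_t:s0 tclass=capability
"""

# open(2) flag bits for x86_64 (asm-generic/fcntl.h). The access mode lives
# in the low two bits; everything else is an independent flag bit.
O_ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
O_FLAGS = [
    (0x40, "O_CREAT"), (0x80, "O_EXCL"), (0x100, "O_NOCTTY"), (0x200, "O_TRUNC"),
    (0x400, "O_APPEND"), (0x800, "O_NONBLOCK"), (0x1000, "O_DSYNC"),
    (0x4000, "O_DIRECT"), (0x10000, "O_DIRECTORY"), (0x20000, "O_NOFOLLOW"),
    (0x80000, "O_CLOEXEC"),
]
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {2: "open", 257: "openat"}      # only what this decoder needs
ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES", 17: "EEXIST", 30: "EROFS"}
CAPS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
        12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

# key=value, where value is "quoted", (parenthesised) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into (type, {field: value})."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    rtype = fields.pop("type")
    m = re.search(r"denied\s*\{\s*([^}]*?)\s*\}", line)   # AVC permission list
    if m:
        fields["denied"] = m.group(1).split()
    return rtype, fields


def parse_event(text):
    """Group the records of one event (same msg=audit(...) serial) by type."""
    event = {}
    for line in text.splitlines():
        if line.strip():
            rtype, fields = parse_record(line)
            event.setdefault(rtype, []).append(fields)
    return event


def decode_open_flags(hexvalue):
    """Turn the hex flags argument of open(2) into symbolic names (x86_64)."""
    flags = int(hexvalue, 16)
    return [O_ACCMODE[flags & 3]] + [name for bit, name in O_FLAGS if flags & bit]


def explain_denial(event):
    """Summarise a denied open()/openat() from its SYSCALL, PATH and AVC records."""
    sc, avc, path = event["SYSCALL"][0], event["AVC"][0], event["PATH"][0]
    if sc["arch"] != X86_64_ARCH:
        raise ValueError("flag decoding here assumes x86_64, got arch=" + sc["arch"])
    syscall = X86_64_SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
    flag_arg = {"open": "a1", "openat": "a2"}.get(syscall)   # openat shifts args by one
    flags = decode_open_flags(sc[flag_arg]) if flag_arg else []
    errno = -int(sc["exit"])
    file_mode = int(path["mode"], 8) & 0o777                # drop the S_IFMT bits
    return {
        "comm": sc["comm"], "exe": sc["exe"], "uid": int(sc["uid"]),
        "domain": sc["subj"], "syscall": syscall, "path": path["name"],
        "flags": flags, "file_mode": format(file_mode, "04o"),
        "write_requested": bool(flags) and flags[0] in ("O_WRONLY", "O_RDWR"),
        "errno": ERRNO.get(errno, str(errno)),
        "denied": avc.get("denied", []), "tclass": avc["tclass"],
        "capability": CAPS.get(int(avc["capability"])) if "capability" in avc else None,
    }


def verdict(s):
    """Say why the kernel consulted CAP_DAC_OVERRIDE at all."""
    owner_can_write = (int(s["file_mode"], 8) >> 6) & 0o2
    if (s["tclass"] == "capability" and s["capability"] == "CAP_DAC_OVERRIDE"
            and s["write_requested"] and not owner_can_write):
        return ("%s (uid %d) opened %s with %s; the file is mode %s, so even root "
                "needs %s to write it, and the %s domain is denied that capability "
                "-> %s" % (s["comm"], s["uid"], s["path"], "|".join(s["flags"]),
                           s["file_mode"], s["capability"], s["domain"], s["errno"]))
    return "no DAC-override explanation applies to this event"


if __name__ == "__main__":
    summary = explain_denial(parse_event(SAMPLE_EVENT))
    print(summary)
    print(verdict(summary))
```

Run on the posted event, the decoder reports that afsd opened /etc/mtab with O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC, that the object is a mode 0444 file, and that the AVC is a CAP_DAC_OVERRIDE check failing with EACCES (errno 13, the number in the "Can't open /etc/mtab for writing" message). Since the ls output above shows /etc/mtab is a symlink to /proc/self/mounts, the kernel's own mount table, the AFS line appears there as soon as the filesystem is mounted whether or not afsd manages to append to it, which is consistent with both observations in the message. Two caveats for reuse: the flag table is only valid for arch=c000003e, and the errno/capability tables cover only the values needed here, so extend them before pointing the decoder at other denials.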
