This repository has been archived by the owner on Sep 18, 2019. It is now read-only.

Fix AVC dac_read_search with new kernel #6

Open
wants to merge 3 commits into
base: master

Conversation

lslebodn

This PR fixes the AVC on Fedora 27 and removes an unnecessary capability.

Tested on: el7.5 and fedora 27

See also: https://danwalsh.livejournal.com/77140.html

@wrabcak, could you review from SELinux POV?

Lukas Slebodnik added 3 commits March 17, 2018 19:35
There are two similar capabilities, DAC_READ_SEARCH and DAC_OVERRIDE.
DAC stands for Discretionary Access Control.
DAC means the standard Linux ownership/permission flags.

A process running as UID=0 with DAC_READ_SEARCH can read any file on the
system, even if the permission flags would not allow a root process
to read it. Similarly, DAC_OVERRIDE means the process can ignore all
permissions/ownership of all files on the system.

And ipa-custodia needn't modify anything from dogtag.
time->Fri Mar 16 12:38:20 2018
type=PATH msg=audit(1521218300.002:578): item=0
     name="/etc/pki/pki-tomcat/password.conf" inode=25537522 dev=fd:00
     mode=0100660 ouid=17 ogid=17 rdev=00:00
     obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 nametype=NORMAL
     cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1521218300.002:578): cwd="/"
type=SYSCALL msg=audit(1521218300.002:578): arch=c000003e syscall=257
      success=yes exit=8 a0=ffffffffffffff9c a1=7f4004d85a70 a2=80000 a3=0
      items=1 ppid=32585 pid=3864 auid=4294967295 uid=0 gid=0 euid=0 suid=0
      fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
      comm="ipa-custodia" exe="/usr/bin/python3.6"
      subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1521218300.002:578): avc:  denied  { dac_read_search }
      for  pid=3864 comm="ipa-custodia" capability=2
      scontext=system_u:system_r:ipa_custodia_t:s0
      tcontext=system_u:system_r:ipa_custodia_t:s0
      tclass=capability permissive=1

Version of base selinux policy:  selinux-policy-3.13.1-283.26.fc27.noarch
If a process tried to read /etc/shadow, it would be allowed if it had
either DAC_OVERRIDE or DAC_READ_SEARCH.

Older kernels had pseudo code like
    if DAC_OVERRIDE or DAC_READ_SEARCH:

New kernels switched to:
    if DAC_READ_SEARCH or DAC_OVERRIDE:

See also: https://danwalsh.livejournal.com/77140.html
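The audit event and the check-order change described in the two commit messages above, as an added worked example that is not code from this PR, from ipa-custodia, from the SELinux policy or from the kernel. It parses the quoted audit records (constructed here from the event in the commit message, one record per line), decides from the open(2) flags in the SYSCALL record whether the narrower dac_read_search is enough or whether dac_override is really required, and models the two capable() check orders to show why a domain that holds only dac_override starts logging dac_read_search denials on the newer kernel. The generic_permission model is a simplification of the kernel's DAC fallback (an assumption of this example, not kernel source), the flag and capability constants are the Linux x86_64 values, and only open/openat on x86_64 are handled.

```python
"""Added example, not code from this PR, from ipa-custodia or from the kernel:
triage a dac_* capability AVC down to the least capability that satisfies it,
and model the two capable() check orders that explain the new denial."""
import re

# Capability numbers as printed in the AVC "capability=" field.
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = 1, 2
CAP_NAMES = {CAP_DAC_OVERRIDE: "dac_override", CAP_DAC_READ_SEARCH: "dac_read_search"}
MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4                        # kernel MAY_* mask bits
O_ACCMODE, O_RDONLY, O_CREAT, O_TRUNC = 0o3, 0, 0o100, 0o1000  # Linux x86_64 open(2) flags

# Constructed sample: the event quoted in the commit message, one record per line.
SAMPLE_EVENT = """\
type=PATH msg=audit(1521218300.002:578): item=0 name="/etc/pki/pki-tomcat/password.conf" inode=25537522 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1521218300.002:578): cwd="/"
type=SYSCALL msg=audit(1521218300.002:578): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=7f4004d85a70 a2=80000 a3=0 items=1 ppid=32585 pid=3864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/bin/python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1521218300.002:578): avc:  denied  { dac_read_search } for  pid=3864 comm="ipa-custodia" capability=2 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
"""


def generic_permission(mask, is_dir, exec_ok, domain_caps, new_order):
    """Simplified model (an assumption of this example, not kernel source) of the
    capability fallback once the mode bits have refused access.  Every capable()
    call is recorded: under SELinux each call for a capability the domain lacks
    is logged as an AVC denial even if a later check then grants the access.
    Returns (allowed, [names of capabilities that were denied])."""
    avcs = []

    def capable(cap):
        if cap in domain_caps:
            return True
        avcs.append(CAP_NAMES[cap])
        return False

    mask &= MAY_READ | MAY_WRITE | MAY_EXEC
    # dac_read_search covers plain reads, and read/search on directories.
    read_or_search = mask == MAY_READ or (is_dir and not mask & MAY_WRITE)
    # dac_override covers everything except exec of a file with no exec bit.
    override_applies = not mask & MAY_EXEC or exec_ok or is_dir
    checks = [(read_or_search, CAP_DAC_READ_SEARCH), (override_applies, CAP_DAC_OVERRIDE)]
    if not new_order:                 # older kernels probed dac_override first
        checks.reverse()
    for applies, cap in checks:
        if applies and capable(cap):
            return True, avcs
    return False, avcs


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(text):
    """Group the key=value fields of one audit event by record type."""
    records = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        perms = re.search(r"\{ ([\w ]+) \}", line)
        if perms:
            fields["perms"] = perms.group(1).split()
        records[fields["type"]] = fields
    return records


OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}   # x86_64 open()/openat(): argument holding flags


def least_capability(records):
    """Least DAC capability that satisfies the denied open(), or None when the
    event is not a dac_* capability denial on an x86_64 open/openat call."""
    avc, sc = records.get("AVC", {}), records.get("SYSCALL", {})
    if avc.get("tclass") != "capability" or not set(avc.get("perms", [])) & set(CAP_NAMES.values()):
        return None
    if sc.get("arch") != "c000003e" or sc.get("syscall") not in OPEN_FLAG_ARG:
        return None
    flags = int(sc[OPEN_FLAG_ARG[sc["syscall"]]], 16)
    if (flags & O_ACCMODE) == O_RDONLY and not flags & (O_CREAT | O_TRUNC):
        return "dac_read_search"      # read-only open: the narrower capability suffices
    return "dac_override"             # writing, creating or truncating needs the broad one


def triage(text):
    """Summarise one audit event as the policy change it calls for."""
    records = parse_event(text)
    return {
        "path": records.get("PATH", {}).get("name"),
        "domain": records["AVC"]["scontext"],
        "denied": records["AVC"]["perms"],
        "grant": least_capability(records),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
    # A domain holding only dac_override, opening a file read-only, on each kernel:
    for new_order in (False, True):
        print("new_order=%s:" % new_order,
              generic_permission(MAY_READ, False, False, {CAP_DAC_OVERRIDE}, new_order))
```

For the quoted event, a2=80000 is O_CLOEXEC with an O_RDONLY access mode, so the triage recommends granting dac_read_search only; the model shows that on the old check order a domain with just dac_override produced no AVC for the same read, while on the new order it logs a dac_read_search denial before dac_override lets the open through, which is exactly the noise the commit removes by swapping the capability in policy.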