Bug 1686910 - "SELinux is preventing /usr/sbin/sanlock from using the dac_override capability" when attempting remote sanlock commands
Summary: "SELinux is preventing /usr/sbin/sanlock from using the dac_override capabili...
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1682526
Blocks:
Reported: 2019-03-08 16:18 UTC by Corey Marthaler
Modified: 2019-03-17 19:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:

Description Corey Marthaler 2019-03-08 16:18:11 UTC
Description of problem:
This seems similar to rhel7 bug 1614965.


[cmarthal@dhcp80-218 bin]$ qarsh root@host-083 sanlock client host_status
[cmarthal@dhcp80-218 bin]$ qarsh root@host-083 sanlock status

Mar  8 10:12:18 host-083 systemd[1]: Started qarsh Per-Connection Server (10.15.80.218:40990).                                                                                                                                                     
Mar  8 10:12:18 host-083 qarshd[8231]: Talking to peer ::ffff:10.15.80.218:40990 (IPv6)                                                                                                                                                            
Mar  8 10:12:18 host-083 qarshd[8231]: Running cmdline: sanlock client host_status                                                                                                                                                                 
Mar  8 10:12:18 host-083 dbus-daemon[776]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.19544' (uid=0 pid=740 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)   
Mar  8 10:12:20 host-083 dbus-daemon[776]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'                                                                                                                             
Mar  8 10:12:21 host-083 setroubleshoot[8237]: SELinux is preventing /usr/sbin/sanlock from using the dac_override capability. For complete SELinux messages run: sealert -l 19d51972-d6b7-4f53-832d-3da20ee033d7                                  
Mar  8 10:12:21 host-083 platform-python[8237]: SELinux is preventing /usr/sbin/sanlock from using the dac_override capability.#012#012*****  Plugin dac_override (91.4 confidence) suggests   **********************#012#012If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system#012Then turn on full auditing to get path information about the offending file and generate the error again.#012Do#012#012Turn on full auditing#012# auditctl -w /etc/shadow -p w#012Try to recreate AVC. Then execute#012# ausearch -m avc -ts recent#012If you see PATH record check ownership/permissions on file, and fix it,#012otherwise report as a bugzilla.#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that sanlock should have the dac_override capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sanlock' --raw | audit2allow -M my-sanlock#012# semodule -X 300 -i my-sanlock.pp#012
Mar  8 10:12:30 host-083 systemd[1]: Started qarsh Per-Connection Server (10.15.80.218:41026).
Mar  8 10:12:30 host-083 qarshd[8250]: Talking to peer ::ffff:10.15.80.218:41026 (IPv6)
Mar  8 10:12:30 host-083 qarshd[8250]: Running cmdline: sanlock status
Mar  8 10:12:30 host-083 setroubleshoot[8237]: SELinux is preventing /usr/sbin/sanlock from using the dac_override capability. For complete SELinux messages run: sealert -l 19d51972-d6b7-4f53-832d-3da20ee033d7
Mar  8 10:12:30 host-083 platform-python[8237]: SELinux is preventing /usr/sbin/sanlock from using the dac_override capability.#012#012*****  Plugin dac_override (91.4 confidence) suggests   **********************#012#012If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system#012Then turn on full auditing to get path information about the offending file and generate the error again.#012Do#012#012Turn on full auditing#012# auditctl -w /etc/shadow -p w#012Try to recreate AVC. Then execute#012# ausearch -m avc -ts recent#012If you see PATH record check ownership/permissions on file, and fix it,#012otherwise report as a bugzilla.#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that sanlock should have the dac_override capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sanlock' --raw | audit2allow -M my-sanlock#012# semodule -X 300 -i my-sanlock.pp#012



Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-61.el8.noarch   BUILT:  Fri 22 Feb 2019 05:19:38 AM CST
sanlock-3.6.0-5.el8    BUILT: Thu Dec  6 13:31:26 CST 2018
sanlock-lib-3.6.0-5.el8    BUILT: Thu Dec  6 13:31:26 CST 2018
kernel-4.18.0-74.el8    BUILT: Wed Feb 27 12:52:17 CST 2019


How reproducible:
Every time
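The setroubleshoot output above tells the admin to enable full auditing, recreate the AVC and then look for a PATH record in `ausearch -m avc` output; the helper below, an added example that is neither part of this bug report nor of setroubleshoot or sanlock, applies that triage to raw audit records and separates "file ownership/mode needs checking" from "no PATH record, enable full auditing or report as a policy bug". The audit serials, the path `/run/sanlock/example.sock`, its owner uid 179 and the abbreviated SYSCALL fields in `SAMPLE` are constructed for the example, not taken from the report.

```python
import re
from collections import defaultdict

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$')  # type=X msg=audit(secs:serial): body
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')            # "{ dac_override }" inside an AVC body

# Constructed sample in `ausearch --raw` layout (not taken from the bug report): event 901 was
# captured with full auditing on (PATH record present), event 955 without; both are comm="sanlock".
SAMPLE = """\
type=AVC msg=audit(1552061538.118:901): avc:  denied  { dac_override } for  pid=8234 comm="sanlock" capability=1  scontext=system_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:sanlock_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1552061538.118:901): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1 pid=8234 auid=4294967295 uid=0 gid=0 euid=0 egid=0 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0 key=(null)
type=PATH msg=audit(1552061538.118:901): item=0 name="/run/sanlock/example.sock" inode=4242 dev=00:18 mode=0140660 ouid=179 ogid=179 rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 nametype=NORMAL
type=AVC msg=audit(1552061702.455:955): avc:  denied  { dac_override } for  pid=8250 comm="sanlock" capability=1  scontext=system_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:sanlock_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1552061702.455:955): arch=c000003e syscall=257 success=no exit=-13 items=0 ppid=1 pid=8250 auid=4294967295 uid=0 gid=0 euid=0 egid=0 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0 key=(null)
"""

def parse_raw(text):
    # Group records by audit serial: {serial: {record type: [fields, ...]}}
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                       # skip "----" separators and unrelated lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == 'AVC':
            pm = PERMS_RE.search(body)
            fields['perms'] = pm.group(1).split() if pm else []
        events[serial][rtype].append(fields)
    return events

def triage(text):
    # Classify each dac_override AVC the way the setroubleshoot dac_override plugin advises.
    results = []
    for serial, recs in parse_raw(text).items():
        sc = recs['SYSCALL'][0] if recs['SYSCALL'] else {}
        for avc in recs['AVC']:
            if 'dac_override' not in avc['perms']:
                continue
            res = {'serial': serial, 'comm': avc.get('comm'), 'euid': sc.get('euid')}
            if not recs['PATH']:
                res['verdict'] = 'no_path_record'   # turn on full auditing, recreate, rerun
            else:
                p = recs['PATH'][-1]       # last item is the object the syscall touched
                res.update(path=p.get('name'), ouid=p.get('ouid'), ogid=p.get('ogid'),
                           mode=oct(int(p.get('mode', '0'), 8) & 0o7777))
                # Owner differs from the caller's euid: that file's DAC bits forced the capability
                # check, so ownership/mode is the first thing to fix before blaming policy.
                res['verdict'] = 'check_owner' if p.get('ouid') != sc.get('euid') else 'check_mode'
            results.append(res)
    return results
```

Feed it `ausearch -m avc --raw` output after recreating the denial; an event with no PATH record means the watch rule (full auditing) was not active when the AVC fired.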

