From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 29 Dec 2016 12:55:26 +0100
Subject: [refpolicy] dac_override question
Message-ID: <998a12a7-9622-69b8-4244-41c3db1218ac@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/29/2016 12:49 PM, cgzones via refpolicy wrote:
> Hi,
> I am encountering a problem regarding the dac_override capability.

To quote:

"It checks CAP_DAC_OVERRIDE first. If that passes, it returns 0 (success). If it fails and the mask did not request MAY_WRITE (i.e. only read/search/execute access), then it checks CAP_DAC_READ_SEARCH. If that passes, then it returns 0 (success)."

This means that even though dac_read_search is enough, you will still see the dac_override because dac_override overlaps dac_read_search and is checked first.

In other words, dac_override can be dontaudited on read/search/execute, but dac_override is required on write.

hth

> I am running monit (a process monitoring tool), which needs to monitor
> exim4 read its pidfile: /run/exim4/exim.pid.
> The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
> 0750 and due to monit running as root I granted: allow monit_t
> self:capability dac_read_search;
> But I am still getting dac_override denials, why?
> I do not want to dontaudit dac_override, cause maybe in the future
> monit might really need the capability and I would miss it.
>
> type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
> proctitle=/usr/bin/monit -c /etc/monit/monitrc
> type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
> name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
> ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
> nametype=NORMAL
> type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
> type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
> syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
> a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
> subj=system_u:system_r:monit_t:s0 key=(null)
> type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc: denied {
> dac_override } for pid=393 comm=monit capability=dac_override
> scontext=system_u:system_r:monit_t:s0
> tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
>
> Kernel version:
> Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
> https://github.com/raspberrypi/linux/tree/rpi-4.9.y
>
> Kindly Regards,
> Christian Göttsche

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift