From: cgzones@googlemail.com (cgzones)
Date: Thu, 29 Dec 2016 19:15:48 +0100
Subject: [refpolicy] dac_override question
In-Reply-To: <998a12a7-9622-69b8-4244-41c3db1218ac@gmail.com>
References: <998a12a7-9622-69b8-4244-41c3db1218ac@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Seems to be a known kernel bug:
https://github.com/SELinuxProject/selinux-kernel/issues/6

2016-12-29 12:55 GMT+01:00 Dominick Grift via refpolicy :
> On 12/29/2016 12:49 PM, cgzones via refpolicy wrote:
>> Hi,
>> I am encountering a problem regarding the dac_override capability.
>
> To quote:
>
> "
> It checks CAP_DAC_OVERRIDE first. If that passes, it returns 0
> (success). If it fails and the mask did not request MAY_WRITE (i.e.
> only read/search/execute access), then it checks CAP_DAC_READ_SEARCH.
> If that passes, then it returns 0 (success).
> "
>
> This means that even though the dac_read_search is enough, you will
> still see the dac_override because dac_override overlaps dac_read_search
> and is checked first.
>
> In other words, the dac_override can be dontaudited on
> read/search/execute, but dac_override is required on write.
>
> hth
>
>
>>
>> I am running monit (a process monitoring tool), which needs to monitor
>> exim4 and read its pidfile: /run/exim4/exim.pid.
>> The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
>> 0750 and due to monit running as root I granted: allow monit_t
>> self:capability dac_read_search;
>> But I am still getting dac_override denials, why?
>> I do not want to dontaudit dac_override, because maybe in the future
>> monit might really need the capability and I would miss it.
>>
>> type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
>> proctitle=/usr/bin/monit -c /etc/monit/monitrc
>> type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
>> name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
>> ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
>> nametype=NORMAL
>> type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
>> type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
>> syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
>> a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
>> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
>> subj=system_u:system_r:monit_t:s0 key=(null)
>> type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc: denied {
>> dac_override } for pid=393 comm=monit capability=dac_override
>> scontext=system_u:system_r:monit_t:s0
>> tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
>>
>> Kernel version:
>> Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
>> https://github.com/raspberrypi/linux/tree/rpi-4.9.y
>>
>> Kind Regards,
>> Christian Göttsche
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
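The check order quoted in the thread (CAP_DAC_OVERRIDE tried first, CAP_DAC_READ_SEARCH only as a fallback for non-write requests) explains both the spurious dac_override denial and the risk of dontauditing it. The following simulation is an added example, not kernel code and not from either poster: the `cap_policy` and `avc_log` structures, `sim_capable()` and `sim_dir_permission()` are hypothetical stand-ins for the SELinux capability hook and the AVC records it emits, modelling only the directory branch for a lookup that the ordinary mode bits (the 0750 /run/exim4 case) have already refused.

```c
/*
 * Added simulation of the DAC override order quoted in the thread for a
 * directory lookup whose mode bits already refused access. Hypothetical
 * model, not kernel code: CAP_DAC_OVERRIDE is tried first, and only if that
 * fails and no write access was requested is CAP_DAC_READ_SEARCH tried.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAY_EXEC  0x01   /* search on a directory */
#define MAY_WRITE 0x02
#define MAY_READ  0x04

enum cap { CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_COUNT };

static const char *cap_name[CAP_COUNT] = { "dac_override", "dac_read_search" };

/* Hypothetical per-domain capability rules, e.g. what policy grants monit_t. */
struct cap_policy {
    bool allow[CAP_COUNT];      /* allow domain self:capability X;     */
    bool dontaudit[CAP_COUNT];  /* dontaudit domain self:capability X; */
};

/* Denials the AVC would log for one access attempt. */
#define MAX_DENIED 4
struct avc_log {
    int count;
    enum cap denied[MAX_DENIED];
};

/* Stand-in for capable(): consult the policy; a refusal that is not
 * dontaudited is recorded as an AVC denial. */
static bool sim_capable(const struct cap_policy *p, enum cap c, struct avc_log *log)
{
    if (p->allow[c])
        return true;
    if (!p->dontaudit[c] && log->count < MAX_DENIED)
        log->denied[log->count++] = c;
    return false;
}

/* Directory branch of the permission check after the mode bits failed.
 * Returns 0 on success or -EACCES. */
int sim_dir_permission(const struct cap_policy *p, int mask, struct avc_log *log)
{
    log->count = 0;
    /* DACs are overridable for directories: CAP_DAC_OVERRIDE is checked first,
     * so a domain lacking it gets a denial even if the fallback will succeed. */
    if (sim_capable(p, CAP_DAC_OVERRIDE, log))
        return 0;
    /* Only requests without MAY_WRITE may fall back to CAP_DAC_READ_SEARCH. */
    if (!(mask & MAY_WRITE))
        if (sim_capable(p, CAP_DAC_READ_SEARCH, log))
            return 0;
    return -EACCES;
}

/* Does the log contain an audited denial of capability c? */
bool sim_logged(const struct avc_log *log, enum cap c)
{
    for (int i = 0; i < log->count; i++)
        if (log->denied[i] == c)
            return true;
    return false;
}

int main(void)
{
    struct avc_log log;
    /* Policy as in the thread: only dac_read_search allowed, nothing dontaudited. */
    struct cap_policy monit = { .allow = { [CAP_DAC_READ_SEARCH] = true } };

    int rc = sim_dir_permission(&monit, MAY_EXEC, &log);
    printf("search, dac_read_search only: rc=%d, audited denials=%d", rc, log.count);
    for (int i = 0; i < log.count; i++)
        printf(" %s", cap_name[log.denied[i]]);
    printf("\n");

    /* The suggestion in the thread: dontaudit dac_override, keep dac_read_search. */
    monit.dontaudit[CAP_DAC_OVERRIDE] = true;
    rc = sim_dir_permission(&monit, MAY_EXEC, &log);
    printf("search, dac_override dontaudited: rc=%d, audited denials=%d\n", rc, log.count);

    /* A write request cannot fall back: it fails, and the dontaudit now hides it. */
    rc = sim_dir_permission(&monit, MAY_WRITE, &log);
    printf("write, dac_override dontaudited: rc=%d, audited denials=%d\n", rc, log.count);
    return 0;
}
```

The first run reproduces the thread's observation: the lookup succeeds through dac_read_search, yet an audited dac_override denial is recorded. The third run is the caveat behind the original poster's reluctance: once dac_override is dontaudited, a later write that genuinely needs it fails with -EACCES and leaves no AVC record, so that denial can only be found from the failing syscall itself.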