search for: dac_overrid

...SELinux kicked in and in the logs there's? [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied The permissions are drwx------.??2 toranon toranon????4096 Jan 28 23:39 hidden_service And SELinux gives the following SELinux is preventing /usr/bin/tor from using the dac_override capability. *****??Plugin dac_override (91.4 confidence) suggests???********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generat...

...confined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_override } for pid=15213 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow t...

Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a cron job which uses "tmpwatch -umc $dir" to clean some directories (/etc/cron.daily/tmpwatch). It seems that this triggers this AVC (SElinux mode is enforcing): type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override } for pid=11013 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0 The tmpwatch exec line had "--force" before and I was hopping that this "capability...

On Aug 28, 2020, at 17:53, Leon Fauster via CentOS <centos at centos.org> wrote: > > Is cron running in EL8 with stripped CAPs of? Does some one have an > idea to address this? In general, we no longer use tmpwatch at all. In CentOS 7 and 8, use systemd-tmpfiles. Here is a blog post that describes it pretty well:

...ome/aik/virtimg: -rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso /var/lib/libvirt/images: -rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest However "virsh -c qemu:///system create libvirtguest-aik.xml" failes with "avc: denied { dac_override }" and "avc: denied { dac_read_search }". Also, there is "user system_u is not defined" in /var/log/messages what is confusing as "semanage user -l" says it is there. If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the problem goes away...

On 01/29/2017 11:59 AM, Mark wrote: > As I don't know what dac_override is I don't know if it's a good idea > to give it to tor and the confidence seems quite low. dac_override indicates that you're running your process as root, and it's trying to do something on the filesystem which is not explicitly allowed by permissions. DAC is the standard...

...4 20:50:02 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from using the signull access on a process. For complete SELinux messages. run sealert -l 442cb257-3db2-488c-a92e-bfc936e16a0c May 4 20:55:25 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from using the dac_override capability. For complete SELinux messages. run sealert -l c7c1199d-008d-4ae5-b61f-71a11edb0aa3 May 5 04:03:57 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from search access on the directory /sys. For complete SELinux messages. run sealert -l 800523d5-0420-4038-9c7d-c2ec47c3bb...

...m_r:tor_t:s0 key=(null) type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability So I had a look at the permissions for /var/lib/tor/hidden_service/ and they were drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_s...

On Sun, 2017-01-29 at 15:53 -0800, Gordon Messmer wrote: > On 01/29/2017 11:59 AM, Mark wrote: > > As I don't know what dac_override is I don't know if it's a good > > idea > > to give it to tor and the confidence seems quite low. > > > dac_override indicates that you're running your process as root, and? > it's trying to do something on the filesystem which is not > explicitly? >...

...first if apparmor is running you get the error access denied for /var/log/ulogd/ulogd.log type=AVC msg=audit(1300044955.917:57): apparmor="DENIED" operation="capable" parent=23608 profile="/usr/sbin/ulogd" pid=23609 comm="ulogd" capability=1 capname="dac_override" type=AVC msg=audit(1300045005.380:58): apparmor="DENIED" operation="capable" parent=23664 profile="/usr/sbin/ulogd" pid=23665 comm="ulogd" capability=1 capname="dac_override" once apparmor is stopped ulogd -c /etc/ulogd.conf --uid ulogd F...

...tclass=capability When i turn to permisive mode: audit(1149668677.105:12): avc: denied { setuid } for pid=29159 comm="sendmail" capability=7 scontext=root:system_r:ht tpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability audit(1149668677.157:13): avc: denied { dac_override } for pid=29159 comm="sendmail" capability=1 scontext=root:syste m_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability audit(1149668677.209:14): avc: denied { write } for pid=29159 comm="sendmail" name="input" dev=dm-3 ino=1335707 scont...

...AVC msg=audit(1539540150.692:60570): avc: denied { > dac_read_search } for pid=18283 comm="tor" > capability=2 scontext=system_u:system_r:tor_t:s0 > tcontext=system_u:system_r:tor_t:s0 tclass=capability > > type=AVC msg=audit(1539540150.692:60570): avc: denied { > dac_override > } for pid=18283 comm="tor" > capability=1 scontext=system_u:system_r:tor_t:s0 > tcontext=system_u:system_r:tor_t:s0 tclass=capability > > So I had a look at the permissions for /var/lib/tor/hidden_service/ > and > they were > > drwx------. toranon torano...

...0.692:60570): avc: denied { >> dac_read_search } for pid=18283 comm="tor" >> capability=2 scontext=system_u:system_r:tor_t:s0 >> tcontext=system_u:system_r:tor_t:s0 tclass=capability >> >> type=AVC msg=audit(1539540150.692:60570): avc: denied { >> dac_override >> } for pid=18283 comm="tor" >> capability=1 scontext=system_u:system_r:tor_t:s0 >> tcontext=system_u:system_r:tor_t:s0 tclass=capability >> >> So I had a look at the permissions for /var/lib/tor/hidden_service/ >> and >> they were >> &...