From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] dac_override question
Date: Thu, 29 Dec 2016 12:55:26 +0100
Message-ID: <998a12a7-9622-69b8-4244-41c3db1218ac@gmail.com>
In-Reply-To: <CAJ2a_DfBZ9opOV8yWByd-n+oA81i4d2oNVnHLacDwkFsy9mPmQ@mail.gmail.com>

On 12/29/2016 12:49 PM, cgzones via refpolicy wrote:
> Hi,
> I am encountering a problem regarding the dac_override capability.

To quote:

"
It checks CAP_DAC_OVERRIDE first.  If that passes, it returns 0
(success).  If it fails and the mask did not request MAY_WRITE (i.e.
only read/search/execute access), then it checks CAP_DAC_READ_SEARCH.
If that passes, then it returns 0 (success).
"

This means that even though the dac_read_search is enough, you will
still see the dac_override because dac_override overlaps dac_read_search
and is checked first.

In other words, dac_override can be dontaudited on
read/search/execute, but dac_override is required on write.

hth


> 
> I am running monit (a process monitoring tool), which needs to monitor
> exim4 read its pidfile: /run/exim4/exim.pid.
> The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
> 0750 and due to monit running as root I granted: allow monit_t
> self:capability dac_read_search;
> But I am still getting dac_override denials, why?
> I do not want to dontaudit dac_override, cause maybe in the future
> monit might really need the capability and I would miss it.
> 
> type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
> proctitle=/usr/bin/monit -c /etc/monit/monitrc
> type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
> name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
> ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
> nametype=NORMAL
> type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
> type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
> syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
> a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
> subj=system_u:system_r:monit_t:s0 key=(null)
> type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  {
> dac_override } for  pid=393 comm=monit capability=dac_override
> scontext=system_u:system_r:monit_t:s0
> tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
> 
> Kernel version:
> Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
> https://github.com/raspberrypi/linux/tree/rpi-4.9.y
> 
> Kindly Regards,
>      Christian Göttsche
-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
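A constructed C model of the check order quoted above, added here as an example and not part of this thread or of the kernel source: MAY_READ, MAY_WRITE and the capability names follow the kernel, while struct policy, struct audit and monit_denials() are this example's own. It shows why a domain allowed only dac_read_search still logs a dac_override denial on a read of the pidfile, and that the read nevertheless succeeds.

```c
#include <stdbool.h>
#include <string.h>

/* Access bits as in the kernel; the policy and audit structs are constructed
 * for this example. */
#define MAY_WRITE 0x02
#define MAY_READ  0x04

enum cap { CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_COUNT };

/* One domain's rules (allow / dontaudit per capability) and the count of
 * "avc: denied { cap }" records the last check produced. */
struct policy { bool allow[CAP_COUNT]; bool dontaudit[CAP_COUNT]; };
struct audit { int denied[CAP_COUNT]; };

/* capable() through the SELinux hook: a refused check is audited unless the
 * rule is dontaudited. */
static bool capable(const struct policy *p, enum cap c, struct audit *a)
{
    if (p->allow[c]) return true;
    if (!p->dontaudit[c]) a->denied[c]++;
    return false;
}

/* The order quoted above: DAC_OVERRIDE is always tried first, DAC_READ_SEARCH
 * only when MAY_WRITE was not requested. Returns 0 if a capability grants the
 * access, -1 otherwise (the DAC mode bits are assumed to have failed). */
int dac_capability_fallback(const struct policy *p, int mask, struct audit *a)
{
    memset(a, 0, sizeof *a);
    if (capable(p, CAP_DAC_OVERRIDE, a)) return 0;
    if (!(mask & MAY_WRITE) && capable(p, CAP_DAC_READ_SEARCH, a)) return 0;
    return -1;
}

/* The thread's case: monit_t is allowed only dac_read_search. Returns the
 * number of dac_override denials audited for a read/search request that
 * succeeds, or -1 if the request itself is refused. */
int monit_denials(int mask, bool dontaudit_override)
{
    struct policy p = { .allow = { [CAP_DAC_READ_SEARCH] = true },
                        .dontaudit = { [CAP_DAC_OVERRIDE] = dontaudit_override } };
    struct audit a;
    if (dac_capability_fallback(&p, mask, &a) != 0) return -1;
    return a.denied[CAP_DAC_OVERRIDE];
}
```

One caveat the model makes visible: a dontaudit on dac_override silences the denial for write attempts as well, so a future write that monit really needs would fail with EACCES in the application without any AVC record.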
