2018-01-21 01:09 UTC

ID: 0012991
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2017-11-17 17:30
Priority: normal
Severity: minor
Reproducibility: have not tried
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012991: SELinux is preventing certwatch from using the 'dac_read_search' capabilities.
Description:
Description of problem:
SELinux is preventing certwatch from using the 'dac_read_search' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that certwatch should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -i my-certwatch.pp

Additional Information:
Source Context system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source certwatch
Source Path certwatch
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.15.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-03-19 17:08:02 IST
Last Seen 2017-03-20 07:37:01 IST
Local ID f7dac78f-a4b9-4193-99e4-4a902b1e0732

Raw Audit Messages
type=AVC msg=audit(1489975621.892:220): avc: denied { dac_read_search } for pid=5433 comm="certwatch" capability=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability

Hash: certwatch,certwatch_t,certwatch_t,capability,dac_read_search

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.10.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
Attached Files:
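As an added example (not part of this report or of setroubleshoot), a small Python parser for the raw AVC record quoted above: it splits the record into fields, maps the kernel capability number to its name, and applies the same decision order the two plugins suggest, with the file-permission fix tried before any local policy module. The capability-number table is the standard kernel numbering; the triage labels are my own.

```python
import re

# Constructed copy of the raw AVC record quoted in the report above.
AVC_LINE = (
    "type=AVC msg=audit(1489975621.892:220): avc: denied { dac_read_search } "
    'for pid=5433 comm="certwatch" capability=2 '
    "scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability"
)

# Capability numbers as defined in <linux/capability.h> (subset).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE",
             2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)

def parse_avc(line):
    """Split one AVC record into a dict of its fields."""
    m = AVC_RE.match(line.strip())
    if not m:
        raise ValueError("not an AVC record")
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    # Remaining fields are key=value pairs; values may be double-quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        rec[key] = val.strip('"')
    if "capability" in rec:
        rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "CAP_UNKNOWN")
    return rec

def triage(rec):
    """Decision order from the report: CAP_DAC_READ_SEARCH bypasses read and search
    permission checks on every file, so fixing the offending file's owner or mode
    (the dac_override plugin route) is the least-privilege fix; a local
    audit2allow module (the catchall route) is the last resort."""
    if rec["verdict"] != "denied":
        return "not-a-denial"
    if rec.get("tclass") != "capability":
        return "not-capability"
    if {"dac_read_search", "dac_override"} & set(rec["perms"]):
        return "dac-check-file-perms"   # full auditing, find PATH record, fix the file
    return "capability-review"          # confirm the domain needs it before audit2allow
```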
dominicusin (reporter)

Another user experienced a similar problem:

What's up with certwatch?

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.16.1.el7.x86_64
package: selinux-policy-3.13.1-102.el7_3.16.noarch
reason: SELinux is preventing certwatch from using the 'dac_read_search' capabilities.
reproducible: Not sure how to reproduce the problem
type: libreport


alvins (reporter)

One more user, similar problem.

About once/day, SELinux pops up an alert about preventing certwatch from accessing dac_read_search. My question is simple, but two-fold:
1. if this is truly a Security issue, why is certwatch even active?
2. if this is not a Security issue, why is SELinux preventing access?

I want to either cancel certwatch, or re-configure SELinux. Which should I do?


TrevorH (developer)

Whether you need certwatch depends on whether you have any SSL certificates that want watching for their imminent expiry. If you don't then you can safely uninstall it.

Issue History
Date Modified     Username                Field       Change
2017-03-20 02:17  kiranhegde75@gmail.com  New Issue
2017-05-09 06:42  dominicusin             Note Added  0029248
2017-11-17 17:26  alvins                  Note Added  0030599
2017-11-17 17:30  TrevorH                 Note Added  0030600