View Issue Details

ID: 0012991
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2017-11-17 17:30
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012991: SELinux is preventing certwatch from using the 'dac_read_search' capabilities.
Description:
Description of problem:
SELinux is preventing certwatch from using the 'dac_read_search' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that certwatch should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -i my-certwatch.pp

Additional Information:
Source Context system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source certwatch
Source Path certwatch
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.15.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-03-19 17:08:02 IST
Last Seen 2017-03-20 07:37:01 IST
Local ID f7dac78f-a4b9-4193-99e4-4a902b1e0732

Raw Audit Messages
type=AVC msg=audit(1489975621.892:220): avc: denied { dac_read_search } for pid=5433 comm="certwatch" capability=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability

Hash: certwatch,certwatch_t,certwatch_t,capability,dac_read_search

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.10.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
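The dac_override plugin's advice above hinges on whether a PATH record accompanies the AVC: a capability denial names the domain itself as target, so the file that triggered it is invisible until full auditing adds the PATH record. The Python below is an added example, not part of this report or of setroubleshoot; it applies that decision to the raw audit message from this report together with a constructed PATH record whose file name, mode and context are made up.

```python
import re

# Linux capability numbers relevant to this report (the AVC says capability=2).
CAPABILITY_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

# Records of one audit event share the (timestamp:serial) pair in msg=audit(...).
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the raw AVC from the report above, plus a made-up PATH
# record with the same event id, which is what "full auditing" would add.
AVC_LINE = ('type=AVC msg=audit(1489975621.892:220): avc: denied { dac_read_search } '
            'for pid=5433 comm="certwatch" capability=2 '
            'scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 '
            'tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability')
PATH_LINE = ('type=PATH msg=audit(1489975621.892:220): item=0 '
             'name="/etc/pki/tls/private/example.key" mode=0100600 ouid=0 ogid=0 '
             'obj=system_u:object_r:cert_t:s0 nametype=NORMAL')

def parse_record(line):
    """Split one audit record into its key=value fields, event id and denied set."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"event": m.group(2)}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    d = DENIED_RE.search(line)
    if d:
        rec["denied"] = sorted(d.group(1).split())
    return rec

def triage(lines):
    """For each capability AVC, return what the dac_override plugin would suggest:
    a PATH record in the same event names the file to check, otherwise report."""
    records = [parse_record(line) for line in lines]
    paths = {r["event"]: r["name"] for r in records if r.get("type") == "PATH" and "name" in r}
    out = []
    for r in records:
        if r.get("type") != "AVC" or r.get("tclass") != "capability":
            continue
        path = paths.get(r["event"])
        out.append({
            "comm": r["comm"],
            "domain": r["scontext"].split(":")[2],  # the SELinux type, here certwatch_t
            "capability": CAPABILITY_NAMES.get(int(r["capability"]), "capability " + r["capability"]),
            "denied": r.get("denied", []),
            "action": "check ownership/permissions of %s" % path if path else
                      "no PATH record: enable full auditing and reproduce, else report a bug",
        })
    return out
```

Feeding it the output of `ausearch -m avc -ts recent --raw` after the `auditctl -w` step reproduces the plugin's two branches on real records.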




2017-05-09 06:42

reporter   ~0029248

Another user experienced a similar problem:

What's up with certwatch?

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.16.1.el7.x86_64
package: selinux-policy-3.13.1-102.el7_3.16.noarch
reason: SELinux is preventing certwatch from using the 'dac_read_search' capabilities.
reproducible: Not sure how to reproduce the problem
type: libreport


2017-11-17 17:26

reporter   ~0030599

One more user, similar problem.

About once/day, SELinux pops up an alert about preventing certwatch from accessing dac_read_search. My question is simple, but two-fold:
1. if this is truly a Security issue, why is certwatch even active?
2. if this is not a Security issue, why is SELinux preventing access?

I want to either cancel certwatch, or re-configure SELinux. Which should I do?


2017-11-17 17:30

manager   ~0030600

Whether you need certwatch depends on whether you have any SSL certificates that want watching for their imminent expiry. If you don't then you can safely uninstall it.

Issue History

Date Modified Username Field Change
2017-03-20 02:17 New Issue
2017-05-09 06:42 dominicusin Note Added: 0029248
2017-11-17 17:26 alvins Note Added: 0030599
2017-11-17 17:30 TrevorH Note Added: 0030600