| Summary: | glibc nscd permission support for netgroup caching is missing. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Carlos O'Donell <codonell> |
| Component: | glibc | Assignee: | Carlos O'Donell <codonell> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | codonell, dwalsh, eparis, fweimer, jakub, ksrot, law, mcermak, mfranc, mgrepl, mmalik, mnewsome, pfrankli, schwab |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1025507 1025933 | Environment: | |
| Last Closed: | 2015-12-08 15:19:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1025507, 1025758, 1025931, 1025932, 1025933, 1025934 | | |
| Attachments: | | | |
Created attachment 817713
Add 2 new NSCD__* permissions to selinux for netgroup caching support.
The following patch adds 2 new NSCD__* permissions to selinux. Tested on f19 with a rebuilt glibc, but it still doesn't work. That is to say that avc_has_perm still returns -1.
What else do we need to do to enable two new permissions for nscd?
(In reply to Carlos O'Donell from comment #0)
> Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only
> works if selinux is disabled, and disabling selinux is not what we want to
> recommend or require for a basic feature.

Let me be clearer here: "works if selinux is in permissive mode, and requiring permissive mode is not what we want to recommend..."

After applying my fix I noticed the two AVCs related to this, which means it has to go into policy (as Daniel Walsh mentioned to me on IRC):
type=USER_AVC msg=audit(1383195529.370:3438): pid=3569 uid=28 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc: denied { shmemnetgrp } for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'
type=USER_AVC msg=audit(1383195425.569:3436): pid=3528 uid=28 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc: denied { getnetgrp } for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'
That's one AVC per permission we just added.
75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for selinux-policy.

glibc needs to use string_to_security_class() to find SECCLASS_NSCD and string_to_av_perm() to fill in the perms array at run time... We do not ship these hard coded in libselinux any longer.

(In reply to Daniel Walsh from comment #9)
> 75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for
> selinux-policy.
>
> glibc needs to use string_to_security_class() to find SECCLASS_NSCD
> and string_to_av_perm() to fill in the perms array at run time...
>
> We do not ship these hard coded in libselinux any longer.

So I've fixed glibc to use string_to_security_class and string_to_av_perm, and at nscd startup you now get:

...
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Access Vector Cache (AVC) started
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "shmemnetgrp" to access vector bit.
...

Does this mean I need to have a runtime dependency on the new selinux-policy if I want to ensure that netgroup caching support works?

No, use security_deny_unknown()

security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.
(In reply to Daniel Walsh from comment #11)
> No, use security_deny_unknown()
>
> security_deny_unknown() returns 0 if SELinux treats policy queries on
> undefined object classes or permissions as being allowed, 1 if such
> queries are denied, and -1 on error.

Perfect, I'll do that, and switching to symbolic permissions means I don't have to wait for selinux headers to come out or provide any such hacks. Thanks.

Is selinux-policy also fixed in rawhide?

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
In glibc's nscd we use selinux perms to check if a connecting user is allowed to query the cache. We use the following list of permissions:

```c
...
/* Define mappings of access vector permissions to request types.  */
static const access_vector_t perms[LASTREQ] =
{
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
  [GETGRBYNAME] = NSCD__GETGRP,
  [GETGRBYGID] = NSCD__GETGRP,
  [GETHOSTBYNAME] = NSCD__GETHOST,
  [GETHOSTBYNAMEv6] = NSCD__GETHOST,
  [GETHOSTBYADDR] = NSCD__GETHOST,
  [GETHOSTBYADDRv6] = NSCD__GETHOST,
  [GETSTAT] = NSCD__GETSTAT,
  [SHUTDOWN] = NSCD__ADMIN,
  [INVALIDATE] = NSCD__ADMIN,
  [GETFDPW] = NSCD__SHMEMPWD,
  [GETFDGR] = NSCD__SHMEMGRP,
  [GETFDHST] = NSCD__SHMEMHOST,
  [GETAI] = NSCD__GETHOST,
  [INITGROUPS] = NSCD__GETGRP,
#ifdef NSCD__GETSERV
  [GETSERVBYNAME] = NSCD__GETSERV,
  [GETSERVBYPORT] = NSCD__GETSERV,
  [GETFDSERV] = NSCD__SHMEMSERV,
#endif
#ifdef NSCD__GETNETGRP
  [GETNETGRENT] = NSCD__GETNETGRP,
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
#endif
};
...
rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
...
```

These permissions map onto values in selinux/av_permissions.h. Except that NSCD__GETNETGRP and NSCD__SHMEMNETGRP were never added to SELinux! :-(

It appears that there was some lack of coordination on the part of the glibc team to get the required changes into selinux.

Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only works if selinux is disabled, and disabling selinux is not what we want to recommend or require for a basic feature.

In order to correctly support netgroup caching we need to add it to the NSCD__* permissions in selinux.
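The runtime resolution recommended in comment #9 and the security_deny_unknown() fallback from comment #11, applied to the perms table quoted in comment #0, as an added example that is not glibc's code: the request subset, the permission strings and the class number 42 are constructed stand-ins, and when built without -DHAVE_LIBSELINUX the three libselinux calls are simulated by a stub policy whose nscd class lacks the netgroup permissions, which is the situation this bug describes.

```c
/* Added example (not glibc's code): resolve nscd's SELinux class and permission
 * names by string at startup (comment #9) and fall back on security_deny_unknown()
 * for permissions the loaded policy does not define (comment #11). */
#include <string.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#else
/* Offline stand-in for the three libselinux calls used below; it simulates a
 * policy whose nscd class lacks the netgroup permissions (constructed values). */
typedef unsigned short security_class_t;
typedef unsigned int access_vector_t;
static security_class_t string_to_security_class(const char *n)
{ return strcmp(n, "nscd") == 0 ? 42 : 0; }
static access_vector_t string_to_av_perm(security_class_t c, const char *n)
{
  static const char *const known[] = { "getpwd", "getgrp", "gethost", "getstat",
    "admin", "shmempwd", "shmemgrp", "shmemhost", "getserv", "shmemserv" };
  for (unsigned i = 0; c == 42 && i < sizeof known / sizeof *known; i++)
    if (strcmp(n, known[i]) == 0) return 1u << i;
  return 0;                  /* getnetgrp and shmemnetgrp are undefined here */
}
static int security_deny_unknown(void) { return 1; } /* policy denies unknown */
#endif
enum req { GETPWBYNAME, GETGRBYNAME, GETHOSTBYNAME, GETNETGRENT, INNETGR,
           GETFDNETGR, LASTREQ };             /* subset of nscd's request types */
static const char *const perm_names[LASTREQ] = {
  [GETPWBYNAME] = "getpwd", [GETGRBYNAME] = "getgrp", [GETHOSTBYNAME] = "gethost",
  [GETNETGRENT] = "getnetgrp", [INNETGR] = "getnetgrp", [GETFDNETGR] = "shmemnetgrp" };
static access_vector_t perms[LASTREQ];       /* filled at startup, 0 = unresolved */
/* Resolve the class and every permission once at startup; returns how many
 * names the running policy does not define (those entries stay 0). */
int nscd_resolve_perms(security_class_t *cls)
{
  int missing = 0;
  *cls = string_to_security_class("nscd");
  if (*cls == 0) return LASTREQ;             /* no nscd class in this policy */
  for (int r = 0; r < LASTREQ; r++)
    if ((perms[r] = string_to_av_perm(*cls, perm_names[r])) == 0) missing++;
  return missing;
}
/* avc_check stands for the avc_has_perm() call on a resolved bit; for an
 * unresolved bit, apply the policy's own rule for unknown permissions. */
int nscd_request_allowed(enum req r, int (*avc_check)(access_vector_t))
{
  if (perms[r] != 0) return avc_check(perms[r]);
  int deny = security_deny_unknown();
  return deny < 0 ? 0 : deny == 0;     /* error or deny_unknown == 1: refuse */
}
static int avc_allow_stub(access_vector_t av) { (void)av; return 1; }
```

With the stub policy the three netgroup entries stay unresolved and, because deny_unknown is 1, those requests are refused while the resolved ones go through the normal AVC path.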