Bug 151894

Summary: SELinux prevents nscd from logging
Product: Red Hat Enterprise Linux 4
Reporter: Peter Bieringer <pb>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4.0
CC: jturner
Hardware: All
OS: Linux
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 15:56:10 UTC

Description Peter Bieringer 2005-03-23 10:40:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Description of problem:
If logging of nscd is enabled, SELinux prohibits

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. enable logging of nscd (by editing /etc/nscd.conf)
2. service nscd restart
3. SELinux deny messages in kernel log
  

Actual Results:  Won't start anymore, kernel log:

Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file



Expected Results:  Starting

Additional info:

The following SELinux extension was successfully tested (rules added step by step):

## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;

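An added example, not code from the bug report, from the reporter or from the policy package: a small audit2allow-style pass over the six AVC lines quoted above that merges the denials into one allow rule per (source type, target type, object class), which is the collapsed form of the six rules the reporter added one by one, and that flags any generated rule granting create or write permissions on a generic type such as var_log_t. Such a rule is wider than the denial strictly needs; a dedicated log type with an automatic file transition (what a macro such as log_domain() provides, as I understand the policy of that era) keeps the daemon's log file separate from everything else under /var/log. The sample log lines are copied from the description; GENERIC_TYPES and WRITE_PERMS are my own illustrative lists, not something the policy defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC denials quoted in the bug description,
# one per line, as they appeared in the kernel log.
SAMPLE_AVC = """\
Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
"""

# Shape of an AVC record: "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumption: a short illustrative list of shared, non-daemon-specific types.
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "tmp_t", "etc_t"}
# Assumption: permissions that let a domain create or modify objects.
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "unlink", "rename", "setattr"}


def parse_avc(line):
    """Return a dict for one AVC line (verdict, perms, key=value fields),
    or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """'user:role:type[:range]' -> 'type'."""
    return ctx.split(":")[2]


def aggregate(text):
    """Collect denied permissions per (source type, target type, object class)."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        wanted[key].update(rec["perms"])
    return dict(wanted)


def render_rules(wanted):
    """Render the aggregated denials as one allow rule per (src, tgt, class),
    in the same form audit2allow would print."""
    rules = []
    for src, tgt, cls in sorted(wanted):
        perms = " ".join(sorted(wanted[(src, tgt, cls)]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


def flag_generic_writes(wanted):
    """Keys whose rule would let the source domain write into a generic type.
    These deserve a second look: a per-daemon type plus a file transition is
    the narrower fix, rather than opening the generic type to the domain."""
    return sorted(k for k, perms in wanted.items()
                  if k[1] in GENERIC_TYPES and perms & WRITE_PERMS)


if __name__ == "__main__":
    w = aggregate(SAMPLE_AVC)
    for rule in render_rules(w):
        print(rule)
    for key in flag_generic_writes(w):
        print("broad grant into generic type:", key)
```

Run with python3; on the six lines above it prints the two collapsed rules (dir: add_name search write; file: append create getattr) and flags both, since both hand write access into var_log_t rather than into a type owned by nscd.
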
Comment 1 Daniel Walsh 2005-03-23 13:51:18 UTC
Please update to the U1 policy.  Currently available on 
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,
policycoreutils}

Does that solve your problem?

Dan

Comment 2 Peter Bieringer 2005-03-23 15:14:31 UTC
No, I didn't believe it after reading the change log. The extensions shown above
are still needed (re-added the rules step by step).

Comment 3 Peter Bieringer 2005-03-23 15:15:32 UTC
Forgot the following note: I updated the policy and relabeled the system before
retrying and re-adding.

Comment 4 Daniel Walsh 2005-03-23 15:32:05 UTC
I didn't know nscd could log.

I will add log_domain(nscd) to policy.

Dan

Comment 5 Peter Bieringer 2005-03-23 15:58:05 UTC
Logging is not enabled by default, but easily to switch on (mostly during
debugging problems):

--- etc/nscd.conf       9 Mar 2005 16:53:04 -0000       1.1
+++ etc/nscd.conf       23 Mar 2005 15:56:43 -0000
@@ -28,12 +28,12 @@
 #


-#      logfile                 /var/log/nscd.log
+       logfile                 /var/log/nscd.log
 #      threads                 6
 #      max-threads             128
        server-user             nscd
 #      stat-user               nocpulse
-       debug-level             0
+       debug-level             1
 #      reload-count            5
        paranoia                no
 #      restart-interval        3600
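Review bot: the hunk flips two settings at once, `logfile` and `debug-level`, but for reproducing the denials quoted in the description only the `logfile /var/log/nscd.log` line is needed: every denied operation is the search/write/add_name on /var/log and the create/append/getattr on /var/log/nscd.log that opening the log file requires, while `debug-level 1` only raises how much nscd writes afterwards. Keeping `debug-level 0` in the reproducer would make it plain that this is a labeling problem and not a side effect of verbose logging.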


Comment 6 Daniel Walsh 2005-03-24 21:47:42 UTC
Could you try out selinux-policy-targeted-1.17.30-2.93
on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

If this works for you I will roll it into the U2 release for RHEL4.

Comment 7 Peter Bieringer 2005-03-31 11:48:23 UTC
Ok, installed on RHEL4, previous log file removed, logging enabled, nscd
restart, log file was created.

So the issue is solved now.