Bug 1536689
| Summary: | nscd cannot read its database in /var/db/nscd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mathieu Chouquet-Stringer <mathieu-acct> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | dwalsh, francesco.simula, idonaldson0, igeorgex, ksnider, mmalik, txn2tahx3v |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-09-11 16:54:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2 selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2 selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. Hello,
It seems to be fixed now, but fixing it added a new problem: clients of nscd (so basically anything using the glibc for host/user/group/more resolution) are denied access to the database.
Should this be a new bug or not?
type=AVC msg=audit(1524100503.021:20386): avc: denied { map } for pid=18475 comm="logrotate" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524100503.023:20387): avc: denied { map } for pid=18475 comm="logrotate" path="/var/db/nscd/group" dev="dm-0" ino=13347969 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524159812.542:20744): avc: denied { map } for pid=27302 comm="kdump-dep-gener" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524159812.542:20745): avc: denied { map } for pid=27307 comm="selinux-autorel" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170248.248:148): avc: denied { map } for pid=1082 comm="aliasesdb" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170248.448:149): avc: denied { map } for pid=1122 comm="(colord)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170248.448:150): avc: denied { map } for pid=1122 comm="(colord)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170248.645:153): avc: denied { map } for pid=1135 comm="chroot-update" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170254.440:203): avc: denied { map } for pid=1332 comm="(systemd)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170254.440:204): avc: denied { map } for pid=1332 comm="(systemd)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170256.896:238): avc: denied { map } for pid=1560 comm="dhclient" path="/var/db/nscd/services" dev="dm-1" ino=13347971 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170662.840:340): avc: denied { map } for pid=4465 comm="dbus-daemon-lau" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
There's also:
type=AVC msg=audit(1524173771.997:285): avc: denied { connectto } for pid=1049 comm="abrt-dump-journ" path="/run/nscd/socket" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket permissive=0
Same thing present in F28. SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dbus-daemon-lau should be allowed map access on the group file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau # semodule -X 300 -i my-dbusdaemonlau.pp And so on... SELinux is preventing logrotate from map access on the file /var/db/nscd/group. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that logrotate should be allowed map access on the group file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate # semodule -X 300 -i my-logrotate.pp Still happening on F27... Jun 7 09:20:23 myhostxxx setroubleshoot[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket. For complete SELinux messages run: sealert -l 854c2b4b-b1e5-49bc-948f-5baa04773dec Jun 7 09:20:23 myhostxxx python3[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that nscd should be allowed write access on the system_bus_socket sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nscd' --raw | audit2allow -M my-nscd#012# semodule -X 300 -i my-nscd.pp#012 Jun 7 09:20:26 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e Jun 7 09:20:26 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012 Jun 7 09:20:28 myhostxxx audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 7 09:20:29 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e Jun 7 09:20:29 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the group file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012 This is still an issue, and has now migrated to the most recent updates of RHEL7 as well. selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217 selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217 selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. (In reply to Fedora Update System from comment #11) > selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable > repository. If problems still persist, please make note of it in this bug > report. selinux-policy is already at version 3.14.1-44 but the problem still persists (on Fedora 28), at least as spam in journalctl because everything seems to be working... ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180 ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau # semodule -X 300 -i my-dbusdaemonlau.pp ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180 ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dbus-daemon-lau should be allowed map access on the group file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau # semodule -X 300 -i my-dbusdaemonlau.pp |
Description of problem: SELinux is blocking access to all files under /var/db/nscd Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-283.21.fc27.noarch nscd-2.26-21.fc27.x86_64 How reproducible: Install nscd, start it and you will get the following in: Jan 19 23:59:38 foobar systemd[1]: Starting Name Service Cache Daemon... Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/passwd` (1) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/group` (3) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/hosts` (4) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/resolv.conf` (5) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/services` (6) Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2) Jan 19 23:59:38 foobar nscd[14613]: 14613 disabled inotify-based monitoring for file `/etc/netgroup': No such file or directory Jan 19 23:59:38 foobar nscd[14613]: 14613 stat failed for file `/etc/netgroup'; will try again later: No such file or directory Jan 19 23:59:38 foobar systemd[1]: Started Name Service Cache Daemon. Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/passwd: Permission denied Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/group: Permission denied Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/hosts: Permission denied Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/services: Permission denied Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/netgroup: Permission denied Jan 19 23:59:38 foobar nscd[14613]: 14613 Access Vector Cache (AVC) started Jan 19 23:59:57 foobar nscd[14613]: 14613 checking for monitored file `/etc/netgroup': No such file or directory At the same time, audit.log shows: ype=AVC msg=audit(1516402778.936:1275): avc: denied { map } for pid=14613 comm="nscd" path="/var/db/nscd/passwd" dev="dm-1" ino=12854056 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1516402778.936:1276): avc: denied { map } for pid=14613 comm="nscd" path="/var/db/nscd/group" dev="dm-1" ino=12854057 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1516402778.937:1277): avc: denied { map } for pid=14613 comm="nscd" path="/var/db/nscd/hosts" dev="dm-1" ino=12854058 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1516402778.937:1278): avc: denied { map } for pid=14613 comm="nscd" path="/var/db/nscd/services" dev="dm-1" ino=12854059 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1516402778.937:1279): avc: denied { map } for pid=14613 comm="nscd" path="/var/db/nscd/netgroup" dev="dm-1" ino=12854060 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 I've made sure the directory is properly labelled and it's all good.