Bug 174422

Summary: nscd update for new audit messages
Product: [Fedora] Fedora
Component: glibc
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Steve Grubb <sgrubb>
Assignee: Jakub Jelinek <jakub>
QA Contact: Brian Brock <bbrock>
CC: drepper
Fixed In Version: 2.3.90-25
Doc Type: Bug Fix
Last Closed: 2006-01-03 07:55:37 UTC
Attachments: patch updating to new audit functionality

Description Steve Grubb 2005-11-28 21:42:49 UTC

Description of problem:
The audit library is deprecating the function that is being used by nscd. This is because LSPP requires more information than is currently being logged.

Version-Release number of selected component (if applicable):
glibc-2.3.90-18

How reproducible:
Always

Steps to Reproduce:
1. Found by inspection

Comment 1 Steve Grubb 2005-11-28 21:44:13 UTC
Created attachment 121562
patch updating to new audit functionality

Please review and apply.

Comment 2 Ulrich Drepper 2005-12-29 00:42:06 UTC
I've added a slightly improved version of the patch.

But what is the FIXME about?  When will this be corrected?

Comment 3 Steve Grubb 2005-12-30 14:36:33 UTC
Thanks for looking at this. I was hoping to bump the so number early in Jan with
the old functions removed. nscd is the only app that is holding that up.

In any event, the FIXME is that the user field in the audit message is being
filled in with getuid() which is the user id of nscd...rather than the user that
requested the action that violated the SE Linux policy.

I don't know the data structures being passed around in nscd (or se linux) to
correctly attribute the caller for the violation of the policy. My main
objective at this moment was simply to change the called function so that I can
bump the so number.

There is another fix needed for nscd. When it changes from root to the nscd
user, it needs to keep CAP_AUDIT_WRITE. I haven't added that patch yet since I'm
still refining the technique with dbus and newrole. If you would like to go
ahead and add it, I'd really appreciate it.

Comment 4 Ulrich Drepper 2005-12-30 16:20:59 UTC
> I was hoping to bump the so number early in Jan with
> the old functions removed.

Why?  It is always bad to bump SONAMEs.


> I don't know the data structures being passed around in nscd (or se linux) to
> correctly attribute the caller for the violation of the policy.

The nscd side is trivial.  nscd_request_avc_has_perm can easily be passed the
UID of the other side.  We already compute it (sometimes) at the call side.  The
question is: how to pass it to the printing routine.  I guess it is called
through avc_has_perm.  If you figure this out it's easy enough to add.

Comment 5 Jakub Jelinek 2006-01-03 07:55:37 UTC
glibc-2.3.90-25 should show up in rawhide today.