Bug 1772852

Summary: AVCs seen when nscd service is enabled
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy    Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.1CC: fadamo, jafiala, lmanasko, lvrabec, mhradile, mmalik, plautrba, rduda, ssekidde, zpytela
Target Milestone: rc    Keywords: AutoVerified, Triaged
Target Release: 8.3   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
NSCD databases can now use different modes

Domains in the `nsswitch_domain` attribute are allowed access to Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the `nscd.conf` file, and the `shared` property determines whether the database uses Shared memory or Socket mode. Previously, all NSCD databases had to use the same access mode, depending on the `nscd_use_shm` boolean value. Now, using the Unix stream socket is always allowed, and therefore different NSCD databases can use different modes.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 01:55:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1825061    

Description Renaud Métrich 2019-11-15 10:25:32 UTC
Description of problem:

By default, the "nscd_use_shm" boolean is enabled. When enabling the "nscd.service" unit, a customer sees AVCs related to mapping the nscd files into memory:

Examples:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=MMAP msg=audit(1573121827.671:504): fd=9 flags=0x1
type=SYSCALL msg=audit(1573121827.671:504): arch=c000003e syscall=9 success=yes exit=139970810851328 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=1458 pid=11370 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1573121827.671:504): avc:  denied  { map } for  pid=11370 comm="cleanup" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1

type=MMAP msg=audit(1573127709.632:479): fd=5 flags=0x1
type=SYSCALL msg=audit(1573127709.632:479): arch=c000003e syscall=9 success=yes exit=140258057723904 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=89285 pid=89286 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1573127709.632:479): avc:  denied  { map } for  pid=89286 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

All nscd clients ("nsswitch_domain" domains) are affected, in particular postfix_*_t domains.
Additionally, the "chronyc_t" domain is affected: this domain is not part of the "nsswitch_domain" attribute and I believe it's missing.

Looking closely, I can see that a rule exists for "nsswitch_domain" on "nscd_var_run_t", but *only* if "nscd_use_shm" is disabled, which looks weird to me:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow nsswitch_domain nscd_var_run_t:file map; [ nscd_use_shm ]:False
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

I would expect the "nscd_use_shm" boolean to add more rules, not toggle rules, since an nscd client may use shm or not (this depends on the configuration in /etc/nscd.conf and is table dependent: you may have "shared yes" for one table but not the other) and the socket seems always used anyway.

Policy shows it's an "If Else" definition (either SHM or SOCKET):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
interface(`nscd_use',`
        tunable_policy(`nscd_use_shm',`
                nscd_shm_use($1)
        ',`
                nscd_socket_use($1)
        ')
')
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Additionally, I would expect "chronyc_t" to be part of "nsswitch_domain".


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch


How reproducible:

Always


Steps to Reproduce:
1. Install chrony and nscd

  # yum -y install chrony nscd
  # systemctl start nscd
  # systemctl start chronyd

2. Execute chronyc

  # chronyc sources

Actual results:

type=MMAP msg=audit(1573813431.484:214): fd=5 flags=0x1
type=SYSCALL msg=audit(1573813431.484:214): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=1715 pid=4860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1573813431.484:214): avc:  denied  { map } for  pid=4860 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-0" ino=50333164 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0


Expected results:

No AVC. Also, if "nscd_use_shm" is disabled, no AVC (the same happens here because chronyc_t is not part of nsswitch_domain).

Comment 3 yuk 2020-03-26 08:33:32 UTC
Any news?
Which is the target release now?

Thanks

Comment 4 Milos Malik 2020-03-26 09:46:53 UTC
My guess is: RHEL-8.3

Comment 5 Zdenek Pytela 2020-03-26 10:07:55 UTC
Target release set to 8.3.

Comment 7 Lukas Vrabec 2020-05-18 15:53:07 UTC
Backported to Fedora: 

commit cafd50640ad014d92e9efdc9aef3dbde638f1816 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon May 18 17:36:08 2020 +0200

    Allow chronyc_t domain to use nsswitch

commit 5ac560626979e00693831bd570c2a4575e50d896
Author: Zdenek Pytela <zpytela>
Date:   Mon May 18 17:09:37 2020 +0200

    Allow nscd_socket_use() for domains in nscd_use() unconditionally
    
    The nscd_use() interface is used for nsswitch_domain or particular
    domains to allow access to nscd services.
    Each nscd database can be configured by the "shared" property in
    nscd.conf to use the Shared memory or Socket mode.
    Previously, either nscd_shm_use() or nscd_socket_use() were used,
    depending on the value of the nscd_use_shm boolean.
    Since this commit, nscd_socket_use() is always allowed so that in
    different nscd databases different modes can be used.

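As an added illustration of the fix described in the commit message above (and of the conditional `nscd_use()` interface quoted in the description), the following reference-policy m4 is a reconstruction written for this page, not the upstream commit's diff; the `auth_use_nsswitch(chronyc_t)` line is an assumption about how chronyc_t was given the `nsswitch_domain` attribute.

```m4
# nscd.if (added reconstruction, not the upstream commit): nscd_use() with
# the socket path unconditional. Assumes the existing nscd_socket_use() and
# nscd_shm_use() interfaces.
interface(`nscd_use',`
	# Unix stream socket access is needed regardless of the boolean, because
	# "shared yes|no" in nscd.conf is set per database: one client may be in
	# socket mode for the passwd database and in shared-memory mode for hosts.
	nscd_socket_use($1)

	# Mapping the database files under /var/db/nscd (the "map" permission
	# seen in the AVCs) stays gated by the boolean; the else branch that
	# previously removed socket access is gone.
	tunable_policy(`nscd_use_shm',`
		nscd_shm_use($1)
	')
')

# chronyd.te (assumption): give chronyc_t the nsswitch_domain attribute so
# it reaches nscd_use() through the attribute like the other nscd clients,
# instead of carrying a separate, easily forgotten nscd rule.
auth_use_nsswitch(chronyc_t)
```

With this shape, a policy maintainer can verify the intent with `sesearch -A -s chronyc_t -t nscd_var_run_t -c file -p map` under both boolean values: the socket rules must appear regardless, and only the shm-related rules should depend on `nscd_use_shm`.
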
Comment 17 Zdenek Pytela 2020-09-10 09:34:14 UTC
*** Bug 1872304 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2020-11-04 01:55:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

Comment 21 Zdenek Pytela 2022-03-14 14:05:22 UTC
*** Bug 2063181 has been marked as a duplicate of this bug. ***