Bug 178934
Summary: | [RHEL4] Log messages: nscd: Can't send to audit system... | |
---|---|---|---
Product: | Red Hat Enterprise Linux 4 | Reporter: | Peter Bieringer <pb>
Component: | glibc | Assignee: | Jakub Jelinek <jakub>
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock>
Severity: | medium | Priority: | medium
Version: | 4.0 | CC: | sgrubb
Hardware: | All | OS: | Linux
Fixed In Version: | RHBA-2007-0210 | Doc Type: | Bug Fix
Last Closed: | 2007-05-01 22:59:14 UTC | |
Description
Peter Bieringer
2006-01-25 16:31:04 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

For BZ#178934 (and possibly for BZ#169148 too) - I don't know if I have correctly understood the issue, but in my attempt to reproduce the bug and verify the fix I found out the following:

Old glibc(*-25.*):

1, install nscd-2.3.4-2.13 selinux-policy-targeted-1.17.30-2.123
2, sudo /sbin/service nscd stop
3, sudo /sbin/service auditd stop
4, sudo /sbin/service auditd start
5, sudo /sbin/service nscd start
6, sudo tail -3 /var/log/messages ->

```
Mar 22 15:58:40 vepro auditd: auditd startup succeeded
Mar 22 15:58:47 vepro nscd: 4716 Access Vector Cache (AVC) started
Mar 22 15:58:47 vepro nscd: nscd startup succeeded
```

This is correct and expected, but:

7, setenforce 0 => No messages are added to /var/log/messages
8, setenforce 1 => messages like

```
Mar 22 15:48:12 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81 loginuid=-1 message=avc: received setenforce notice (enforcing=1)
Mar 22 15:48:12 vepro nscd: Can't send to audit system: USER_AVC pid=4549 uid=28 loginuid=-1 message=avc: received setenforce notice (enforcing=1)
```

are added to /var/log/messages file.

New glibc(*-36.*):

Repeating steps: 2, -> 8, returns following results:

9, setenforce 0 =>

```
Mar 22 16:08:18 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81 loginuid=-1 message=avc: received setenforce notice (enforcing=0)
Mar 22 16:08:18 vepro nscd: Can't send to audit system: USER_AVC pid=4823 uid=28 loginuid=-1 message=avc: received setenforce notice (enforcing=0)
```

10, setenforce 1 =>

```
Mar 22 16:08:51 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81 loginuid=-1 message=avc: received setenforce notice (enforcing=1)
Mar 22 16:08:51 vepro nscd: Can't send to audit system: USER_AVC pid=4823 uid=28 loginuid=-1 message=avc: received setenforce notice (enforcing=1)
```

11, rpm -q selinux-policy-targeted => selinux-policy-targeted-1.17.30-2.123
12, rpm -q glibc => glibc-2.3.4-2.36 glibc-2.3.4-2.36
13, rpm -q nscd => nscd-2.3.4-2.36

I played around and can now reproduce the message by at least toggling setenforce. Note that auditd is not running at all on this system (not needed).

```
Mar 22 18:18:19 server audit(1174583899.916:4101): avc: granted { setenforce } for pid=15633 comm="setenforce" scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Mar 22 18:18:19 server nscd: Can't send to audit system: USER_AVC pid=15613 uid=28 loginuid=-1 message=avc: received setenforce notice (enforcing=1)
Mar 22 18:18:19 server audit(1174583899.916:4101): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bff5e970 a2=1 a3=bff5e990 items=0 pid=15633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
Mar 22 18:18:22 server audit(1174583902.874:4102): avc: granted { setenforce } for pid=15634 comm="setenforce" scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Mar 22 18:18:22 server audit(1174583902.874:4102): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bff30b90 a2=1 a3=bff30bb0 items=0 pid=15634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
Mar 22 18:18:22 server nscd: Can't send to audit system: USER_AVC pid=15613 uid=28 loginuid=-1 message=avc: received setenforce notice (enforcing=0
```

It sounds like the bug is not quite fixed since there should not be a message saying "Can't send to audit system". The other data points are what version of audit and what kernel is running. The audit event path is:

nscd->libselinux->libaudit->kernel netlink interface->auditd

The message will say "Can't send" if there is a problem with the netlink interface. Generally, you'd want to see the netlink ack packet via strace to see what the problem is, EPERM, EINVAL, etc.
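
The netlink ack mentioned above can be decoded by hand once its bytes are captured. This is an added example, not part of the original comments and not libaudit code: it parses an `NLMSG_ERROR` reply and names the errno. The helper names and the all-hex `strace -xx` style input are assumptions, and the sample acks are constructed.

```python
import errno
import struct

# struct nlmsghdr from <linux/netlink.h>: u32 len, u16 type, u16 flags,
# u32 seq, u32 pid, all in host byte order.
NLMSGHDR = struct.Struct("=IHHII")
NLMSG_ERROR = 0x2        # <linux/netlink.h>
AUDIT_USER_AVC = 1107    # <linux/audit.h>, the USER_AVC record type


def from_strace(text):
    """Bytes from an all-hex strace string such as '\\x24\\x00...' (assumed input form)."""
    return bytes.fromhex(text.replace("\\x", ""))


def decode_ack(buf):
    """Return (result, request_type, request_seq), or None if buf is not a
    complete NLMSG_ERROR message. result is 'ACK' or an errno name."""
    if len(buf) < NLMSGHDR.size:
        return None
    length, mtype, _flags, _seq, _pid = NLMSGHDR.unpack_from(buf, 0)
    # Payload is struct nlmsgerr: s32 error, then the header of the request.
    if mtype != NLMSG_ERROR or length > len(buf) or length < 2 * NLMSGHDR.size + 4:
        return None
    (err,) = struct.unpack_from("=i", buf, NLMSGHDR.size)
    _, req_type, _, req_seq, _ = NLMSGHDR.unpack_from(buf, NLMSGHDR.size + 4)
    result = "ACK" if err == 0 else errno.errorcode.get(-err, "errno %d" % -err)
    return result, req_type, req_seq


def build_ack(err, req_type, req_seq, req_pid):
    """Constructed sample ack for the demo below; not captured traffic."""
    # 0x5 = NLM_F_REQUEST | NLM_F_ACK on the echoed request header.
    req = NLMSGHDR.pack(NLMSGHDR.size, req_type, 0x5, req_seq, req_pid)
    body = struct.pack("=i", -err) + req
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), NLMSG_ERROR, 0, req_seq, 0) + body


if __name__ == "__main__":
    denied = build_ack(errno.EPERM, AUDIT_USER_AVC, 7, 4823)
    hex_text = "".join("\\x%02x" % b for b in denied)
    print(decode_ack(from_strace(hex_text)))
    print(decode_ack(build_ack(0, AUDIT_USER_AVC, 8, 4823)))
```

A result of `EPERM` for a request of type 1107 means the kernel refused the USER_AVC record from that process, while `ACK` means the netlink send itself succeeded.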

Similar log lines occur on the system in enforcing mode after updating the policy with local changes:

selinux "make load" results in:

```
Apr 12 11:06:56 s nscd: Can't send to audit system: USER_AVC pid=29731 uid=28 loginuid=-1 message=avc: received policyload notice (seqno=6)
Apr 12 11:06:56 s nscd: Can't send to audit system: USER_AVC pid=29731 uid=28 loginuid=-1 message=avc: 1 AV entries and 1/512 buckets used, longest chain length 1
```

Running: nscd-2.3.4-2.25

BTW: is version nscd-2.3.4-2.36 from RHEL4 beta channel the "RELEASE_PENDING" one? Hopefully not, because it throws the same messages on "make load".

```
Apr 12 11:12:05 s audit(1176369125.305:21): avc: denied { read } for pid=30390 comm="nscd" name="[276131]" dev=pipefs ino=276131 scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:unconfined_t tclass=fifo_file
Apr 12 11:12:05 s nscd: nscd shutdown succeeded
Apr 12 11:12:05 s audit(1176369125.343:22): avc: denied { read } for pid=30396 comm="nscd" name="[276131]" dev=pipefs ino=276131 scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:unconfined_t tclass=fifo_file
^^^^ caused by rpm -Fhv ...
Apr 12 11:12:05 s nscd: 30398 Access Vector Cache (AVC) started
Apr 12 11:12:05 s nscd: nscd startup succeeded
^^^^ caused by restart
Apr 12 11:12:59 s nscd: Can't send to audit system: USER_AVC pid=30398 uid=28 loginuid=-1 message=avc: received policyload notice (seqno=7)
Apr 12 11:12:59 s nscd: Can't send to audit system: USER_AVC pid=30398 uid=28 loginuid=-1 message=avc: 2 AV entries and 2/512 buckets used, longest chain length 1
^^^^ caused by selinux "make load"
```

For the selinux messages, perhaps the selinux folks need to be notified for supplying additional rules.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below.
You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0210.html