Bug 178934

Summary: [RHEL4] Log messages: nscd: Can't send to audit system...
Product: Red Hat Enterprise Linux 4
Reporter: Peter Bieringer <pb>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
CC: sgrubb
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0210
Doc Type: Bug Fix
Last Closed: 2007-05-01 22:59:14 UTC

Description Peter Bieringer 2006-01-25 16:31:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
Strange log messages appear in kernel log


Version-Release number of selected component (if applicable):
nscd-2.3.4-2.13 selinux-policy-targeted-1.17.30-2.123

How reproducible:
Always

Steps to Reproduce:
1. install policy
2. reboot system
  

Actual Results:  kernel log:

Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=1)
Jan 23 16:02:28 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  8 AV entries and 8/512 buckets used, longest chain
length 1
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=2)
Jan 23 16:54:10 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  6 AV entries and 6/512 buckets used, longest chain
length 1
Jan 23 16:56:16 * nscd: Can't send to audit system: USER_AVC pid=8593 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)

Expected Results:  no such messages

Additional info:

See also comment #7 in 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169148

Comment 3 RHEL Program Management 2006-10-16 12:16:48 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 Jan Lieskovsky 2007-03-22 16:56:12 UTC
For BZ#178934 (and possibly for BZ#169148 too) - I don't know if I have correctly
understood the issue, but in my attempt to reproduce the bug and verify the
fix I found out the following:

Old glibc(*-25.*):

1, install nscd-2.3.4-2.13 selinux-policy-targeted-1.17.30-2.123
2, sudo /sbin/service nscd stop
3, sudo /sbin/service auditd stop
4, sudo /sbin/service auditd start
5, sudo /sbin/service nscd start
6, sudo tail -3 /var/log/messages -> 
Mar 22 15:58:40 vepro auditd: auditd startup succeeded
Mar 22 15:58:47 vepro nscd: 4716 Access Vector Cache (AVC) started
Mar 22 15:58:47 vepro nscd: nscd startup succeeded

This is correct and expected, but:

7, setenforce 0 => No messages are added to /var/log/messages
8, setenforce 1 => messages like 

Mar 22 15:48:12 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)
Mar 22 15:48:12 vepro nscd: Can't send to audit system: USER_AVC pid=4549 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)

are added to /var/log/messages file.

New glibc(*-36.*):

Repeating steps:

2, -> 8, returns following results:

9, setenforce 0 => 

Mar 22 16:08:18 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81
loginuid=-1 message=avc:  received setenforce notice (enforcing=0)
Mar 22 16:08:18 vepro nscd: Can't send to audit system: USER_AVC pid=4823 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=0)

10, setenforce 1 => 

Mar 22 16:08:51 vepro dbus: Can't send to audit system: USER_AVC pid=3407 uid=81
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)
Mar 22 16:08:51 vepro nscd: Can't send to audit system: USER_AVC pid=4823 uid=28
loginuid=-1 message=avc:  received setenforce notice (enforcing=1)

11, rpm -q selinux-policy-targeted => 
selinux-policy-targeted-1.17.30-2.123

12, rpm -q glibc =>
glibc-2.3.4-2.36
glibc-2.3.4-2.36

13, rpm -q nscd => 
nscd-2.3.4-2.36

Comment 8 Peter Bieringer 2007-03-22 17:20:42 UTC
I played around and can now reproduce the message by at least toggling
setenforce. Note that auditd is not running at all on this system (not needed).

Mar 22 18:18:19 server audit(1174583899.916:4101): avc:  granted  { setenforce }
for  pid=15633 comm="setenforce" scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security

Mar 22 18:18:19 server nscd: Can't send to audit system: USER_AVC pid=15613
uid=28 loginuid=-1 message=avc:  received setenforce notice (enforcing=1) 

Mar 22 18:18:19 server audit(1174583899.916:4101): arch=40000003 syscall=4
success=yes exit=1 a0=3 a1=bff5e970 a2=1 a3=bff5e990 items=0 pid=15633
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="setenforce" exe="/usr/sbin/setenforce"

Mar 22 18:18:22 server audit(1174583902.874:4102): avc:  granted  { setenforce }
for  pid=15634 comm="setenforce" scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security

Mar 22 18:18:22 server audit(1174583902.874:4102): arch=40000003 syscall=4
success=yes exit=1 a0=3 a1=bff30b90 a2=1 a3=bff30bb0 items=0 pid=15634
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="setenforce" exe="/usr/sbin/setenforce"

Mar 22 18:18:22 server nscd: Can't send to audit system: USER_AVC pid=15613
uid=28 loginuid=-1 message=avc:  received setenforce notice (enforcing=0

Comment 9 Steve Grubb 2007-03-22 17:36:14 UTC
It sounds like the bug is not quite fixed since there should not be a message
saying "Can't send to audit system". The other data points are what version of
audit and what kernel is running.

The audit event path is:

nscd->libselinux->libaudit->kernel netlink interface->auditd

The message will say "Can't send" if there is a problem with the netlink
interface. Generally, you'd want to see the netlink ack packet via strace to see
what the problem is, EPERM, EINVAL, etc.
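
The ack that Comment 9 suggests inspecting with strace is an NLMSG_ERROR netlink message carrying a negative errno. The following is an added example (not part of the bug thread and not libaudit code) that frames a USER_AVC request and decodes such a reply; the sample replies are constructed and the function names are hypothetical.

```python
import errno
import os
import struct

# Constants from <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT = 9          # protocol number for socket(AF_NETLINK, SOCK_RAW, ...)
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
AUDIT_USER_AVC = 1107
NLMSGHDR = struct.Struct("=IHHII")  # nlmsg_len, type, flags, seq, pid


def build_user_avc(text, seq=1):
    """Frame a USER_AVC record as a userspace sender would, asking for an ack."""
    payload = text.encode() + b"\0"
    hdr = NLMSGHDR.pack(NLMSGHDR.size + len(payload), AUDIT_USER_AVC,
                        NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    pad = -len(payload) % 4  # netlink messages are sent 4-byte aligned
    return hdr + payload + b"\0" * pad


def decode_ack(buf):
    """Return (seq, errno_name, description) for an NLMSG_ERROR reply, else None."""
    if len(buf) < NLMSGHDR.size + 4:
        return None
    length, mtype, _flags, seq, _pid = NLMSGHDR.unpack_from(buf)
    if mtype != NLMSG_ERROR or length > len(buf):
        return None
    (err,) = struct.unpack_from("=i", buf, NLMSGHDR.size)
    if err == 0:
        return seq, "OK", "acknowledged"
    code = -err  # the kernel reports failures as negative errno values
    return seq, errno.errorcode.get(code, str(code)), os.strerror(code)


def constructed_ack(seq, err, request):
    """Constructed sample reply: error code followed by the echoed request header."""
    body = struct.pack("=i", -err) + request[:NLMSGHDR.size]
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), NLMSG_ERROR, 0, seq, 0) + body


if __name__ == "__main__":
    req = build_user_avc("avc:  received setenforce notice (enforcing=1)", seq=7)
    for e in (0, errno.EPERM, errno.EINVAL, errno.ECONNREFUSED):
        print(decode_ack(constructed_ack(7, e, req)))
```
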

Comment 11 Peter Bieringer 2007-04-12 09:16:45 UTC
Similar log lines occur on the system in enforcing mode after updating the
policy with local changes:

selinux "make load" results in:

Apr 12 11:06:56 s nscd: Can't send to audit system: USER_AVC pid=29731 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=6)
Apr 12 11:06:56 s nscd: Can't send to audit system: USER_AVC pid=29731 uid=28
loginuid=-1 message=avc:  1 AV entries and 1/512 buckets used, longest chain
length 1

Running: nscd-2.3.4-2.25

BTW: is version nscd-2.3.4-2.36 from RHEL4 beta channel the "RELEASE_PENDING"
one? Hopefully not, because it throws the same messages on "make load".

Apr 12 11:12:05 s audit(1176369125.305:21): avc:  denied  { read } for 
pid=30390 comm="nscd" name="[276131]" dev=pipefs ino=276131
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:unconfined_t
tclass=fifo_file
Apr 12 11:12:05 s nscd: nscd shutdown succeeded
Apr 12 11:12:05 s audit(1176369125.343:22): avc:  denied  { read } for 
pid=30396 comm="nscd" name="[276131]" dev=pipefs ino=276131
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:unconfined_t
tclass=fifo_file

^^^^ caused by rpm -Fhv ...

Apr 12 11:12:05 s nscd: 30398 Access Vector Cache (AVC) started
Apr 12 11:12:05 s nscd: nscd startup succeeded

^^^^ caused by restart

Apr 12 11:12:59 s nscd: Can't send to audit system: USER_AVC pid=30398 uid=28
loginuid=-1 message=avc:  received policyload notice (seqno=7)
Apr 12 11:12:59 s nscd: Can't send to audit system: USER_AVC pid=30398 uid=28
loginuid=-1 message=avc:  2 AV entries and 2/512 buckets used, longest chain
length 1

^^^^ caused by selinux "make load"

For the selinux messages, perhaps the selinux folks need to be notified for
supplying additional rules.



Comment 12 Red Hat Bugzilla 2007-05-01 22:59:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0210.html