Bug 375381

Summary: Strange AVCs related to nscd from various services
Product: [Fedora] Fedora
Reporter: Kostas Georgiou <k.georgiou>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: drepper, eparis, sdsmall
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.0.8-58.fc8.noarch
Doc Type: Bug Fix
Last Closed: 2008-01-08 15:58:06 UTC

Description Kostas Georgiou 2007-11-11 02:59:52 UTC
In three of the machines that I upgraded f7->f8 I get AVCs similar to
the following:

type=USER_AVC msg=audit(1194749294.593:183): user pid=16004 uid=28 auid=1000
subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x200 } for
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0
tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1194749294.594:184): user pid=16004 uid=28 auid=1000
subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x100 } for
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0
tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'

It's not just httpd that generates them; sendmail, procmail, spamd, etc. also
give the same errors. The errors don't show up when running in non-enforcing
mode for some strange reason.

Comment 1 Daniel Walsh 2007-11-12 15:38:35 UTC
Have you updated the policy?

This looks like you have a policy mismatch?

rpm -q selinux-policy kernel

Comment 2 Kostas Georgiou 2007-11-14 19:15:51 UTC
Everything is at the latest versions; all three machines are running with the
xen kernel though (both dom0 and domU show the denials, btw).

$ rpm -q kernel-xen selinux-policy
kernel-xen-2.6.21-2950.fc8.x86_64
selinux-policy-3.0.8-47.fc8.noarch

Comment 3 Daniel Walsh 2007-11-14 19:59:57 UTC
Are you continuing to see the messages, or was it just during the upgrade? If it was
just during the upgrade, it could have been nscd being updated before selinux-policy,
so nscd started generating the messages before selinux-policy had been installed
to define them.

I think if you run

yum upgrade selinux-policy

followed by

yum upgrade

you would not see this.

Comment 4 Kostas Georgiou 2007-11-15 16:01:04 UTC
I see the errors after the update; I didn't check for errors during the update.
Is there any way to find out what 0x100 and 0x200 mean? As it is, I cannot even
guess what might be the cause.

Comment 5 Eric Paris 2007-11-15 16:38:37 UTC
note to self: tclass=nscd ???

Comment 6 Daniel Walsh 2007-11-15 16:44:49 UTC
I would guess these are getserv and shmemserv

Comment 7 Stephen Smalley 2007-11-15 18:29:35 UTC
Bug in libselinux:  lacks updated string table definitions for new nscd permissions.
nscd though would benefit by migrating over to the new interfaces for dynamic
discovery of class and permission values.

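As an added illustration (not part of this bug report or of libselinux), the script below parses USER_AVC lines like the ones quoted in the description and expands the raw 0x100/0x200 bits into permission names, doing by hand what the missing libselinux string table would do. It assumes the nscd class bit order from the reference policy's access_vectors declaration (getpwd as bit 0 through shmemserv as bit 9); under that assumption the two quoted denials decode to getserv and shmemserv, which matches the guess in comment 6. The sample log lines are the two from the report, each joined back onto a single line.

```python
import re

# Assumption: permission bit order of the SELinux "nscd" object class as declared
# in the reference policy's access_vectors file (bit 0 = getpwd ... bit 9 = shmemserv).
NSCD_PERMS = ["getpwd", "getgrp", "gethost", "getstat", "admin",
              "shmempwd", "shmemgrp", "shmemhost", "getserv", "shmemserv"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+"
                    r"tclass=(?P<tclass>\w+)")

def decode_perm_mask(mask, perm_names):
    """Expand a numeric permission mask into names; unknown bits stay as hex."""
    return [perm_names[b] if b < len(perm_names) else hex(1 << b)
            for b in range(mask.bit_length()) if mask & (1 << b)]

def parse_user_avc(line):
    """Parse one USER_AVC denial line; returns None for non-matching lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    tclass = m.group("tclass")
    perms = []
    for token in m.group("perms").split():
        if token.startswith("0x"):   # libselinux printed a raw bit, not a name
            perms.extend(decode_perm_mask(int(token, 16), NSCD_PERMS if tclass == "nscd" else []))
        else:
            perms.append(token)      # already symbolic, keep as-is
    return {"source_type": m.group("sctx").split(":")[2],
            "tclass": tclass, "perms": perms}

def summarize_denials(lines):
    """Group decoded nscd permissions by source domain, e.g. {'httpd_t': [...]}."""
    by_domain = {}
    for line in lines:
        rec = parse_user_avc(line)
        if rec and rec["tclass"] == "nscd":
            by_domain.setdefault(rec["source_type"], set()).update(rec["perms"])
    return {dom: sorted(perms) for dom, perms in by_domain.items()}

# Constructed sample input: the two denials quoted in the bug description, each
# joined onto one line as auditd writes them.
SAMPLE_LOG = [
    "type=USER_AVC msg=audit(1194749294.593:183): user pid=16004 uid=28 auid=1000 "
    "subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x200 } for scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:system_r:nscd_t:s0 tclass=nscd : exe=\"?\" (sauid=28, hostname=?, addr=?, terminal=?)'",
    "type=USER_AVC msg=audit(1194749294.594:184): user pid=16004 uid=28 auid=1000 "
    "subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x100 } for scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:system_r:nscd_t:s0 tclass=nscd : exe=\"?\" (sauid=28, hostname=?, addr=?, terminal=?)'",
]
```

Running summarize_denials(SAMPLE_LOG) gives {'httpd_t': ['getserv', 'shmemserv']}, which is the per-domain view comment 10 asks about.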

Comment 8 Ulrich Drepper 2007-11-15 18:41:51 UTC
(In reply to comment #7)
> nscd though would benefit by migrating over to the new interfaces for dynamic
> discovery of class and permission values.

Reference?


Comment 10 Kostas Georgiou 2007-11-16 00:58:47 UTC
Do you want me to open a separate bug for the services that are prevented from
using nscd?

With a quick look I see denials from cupsd_t, cyrus_t, gssd_t, httpd_t,
mysqld_t, nfsd_t, ntpd_t, saslauthd_t, sendmail_t, exim_t, squid_t, system_mail_t.
Not all of them need to be able to access nscd, I guess, but then they should be
in don't audit, right?


Comment 11 Daniel Walsh 2007-11-19 15:48:16 UTC
No but I would like to know why you are the only one reporting this bugzilla.  I
have not seen this from any other Fedora 8 users.  It is almost like you have
nscd set up differently.

Comment 12 Kostas Georgiou 2007-11-19 20:53:38 UTC
I suspect that I am one of the very few people that enable nscd (it's not
enabled by default). I also thought that it might have something to do with my
config. I've noticed the denials on machines that were updated from f7, but a
clean install on a laptop gives me the same errors (after I enabled nscd, of course).

Comment 13 Daniel Walsh 2007-11-19 21:34:41 UTC
selinux-policy-3.0.8-58.fc8.noarch