Bug 557154 - Centos 5.3: not able to find groups for kerberos users when nscd is running with selinux enforcing mode

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 5 |
| Component | selinux-policy |
| Version | 5.3 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | low |
| Target Milestone | rc |
| Reporter | Pramod Rao <pramod.h.rao> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| CC | nalin, pramod.h.rao, ralph |
| Doc Type | Bug Fix |
| Last Closed | 2010-08-19 10:40:46 UTC |
Description (Pramod Rao, 2010-01-20 15:40:26 UTC)
Try

```
# restorecon -v /etc/krb5.conf /tmp/krb*
```

I did try that. /etc/krb5.conf got its SELinux context fixed, but the /tmp/krb5cc_0 context did not change.

```
restorecon -v /etc/krb5.conf /tmp/krb*
restorecon reset /etc/krb5.conf context system_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0
```

After that, in enforcing mode, the groups lookup resulted in the same error as before. AVC messages are as below.

```
type=AVC msg=audit(1264024958.980:4220): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024958.980:4220): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8464410 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.000:4221): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.000:4221): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492420 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.100:4222): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.100:4222): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492480 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.200:4223): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.200:4223): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc83c5c40 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
```

Setting SELinux to permissive mode enabled the groups lookup for the Kerberos user but resulted in the AVC messages below.

```
type=AVC msg=audit(1264025107.290:4234): avc: denied { read } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4234): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.290:4235): avc: denied { lock } for pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 a0=10 a1=7 a2=4318ad20 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.330:4236): avc: denied { write } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.330:4236): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4237): avc: denied { read } for pid=4180 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4237): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f848a0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4238): avc: denied { lock } for pid=4180 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4238): arch=c000003e syscall=72 success=yes exit=0 a0=11 a1=7 a2=42b87830 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.560:4239): avc: denied { write } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.560:4239): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f88810 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
```

Note: *nscd is running as user root*

Why is nscd using a credential cache file? Why is a credential cache file owned by root?

nscd is using the Kerberos TGT of the system, which resides under /tmp. LDAP user/group lookups use Kerberos/GSSAPI. nscd is running as the root user for the same reason, so that it can do LDAP lookups using the system TGT.

Is nscd using a keytab file to create a TGT? Who created the /tmp/krb5cc_0 file?

nscd does not create the TGT but is trying to access the ticket cache obtained by the system. kinit run from a cron job obtains/renews the TGT using the principal SERVERNAME$@KERBEROS.REALM.

If this TGT is just for nscd, why not create it in /var/run/nscd? Then nscd can read it and no users can attack it.

This TGT is not specific to nscd. It is used by the system as well.

Pramod, you can add this access for now. Nalin, do you have any suggestions? Thanks.

I have put the SELinux policy changes below. Will this be a workaround for now?

```
module nscd 1.0;

require {
	type tmp_t;
	type etc_t;
	type nscd_t;
	class process ptrace;
	class file { read lock write };
}

#============= nscd_t ==============
allow nscd_t etc_t:file write;
allow nscd_t self:process ptrace;
allow nscd_t tmp_t:file { read lock write };
```

Remove the etc_t line, you do not need this. Not sure where the ptrace line came from. I think you actually need

```
policy_module(mynscd, 1.0)

gen_require(`
	type nscd_t, tmp_t;
')

allow nscd_t tmp_t:file read_file_perms;
dontaudit nscd_t tmp_t:file write;
```

I got it from audit2allow output. The etc_t entry was caused by the /etc/krb5.conf file being mislabeled.

You did not show the ptrace output from earlier. Adding that access is not a problem.

I am getting the error below when I try to compile the module. I am using the command

```
checkmodule -M -m mynscd.te -o mynscd.pp
checkmodule: loading policy configuration from mynscd.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
```

I used audit2allow output to create the module before successfully.

Use the Makefile:

```
make -f /usr/share/selinux/devel/Makefile
```
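The thread turns on three things that the raw log does not make obvious: the AVC record and the SYSCALL record that belong together share one msg=audit(timestamp:serial) id, the SYSCALL record's success= field tells you whether the access was actually blocked (success=no, enforcing) or merely logged (success=yes, permissive), and a rule such as `allow nscd_t tmp_t:file read_file_perms` reaches every tmp_t file, not just krb5cc_0. The following is an added example, written for this page; it is not code from the bug report and not audit2allow itself. It walks a constructed sample of records (copied in shape from the ones quoted above) through that pairing and aggregation, then renders the result both as the raw checkmodule-style rule audit2allow produces and as the refpolicy read_file_perms/dontaudit form suggested in the thread. The contents of read_file_perms are those of the refpolicy macro; the GENERIC_TYPES set used for the warning is an assumption chosen for illustration.

```python
"""Minimal audit2allow-style pass over AVC/SYSCALL records (added example,
not from the bug report). Pairs records by audit id, separates enforcing-mode
denials from permissive-mode ones, and renders the rules two ways."""
import re
from collections import defaultdict

# Constructed sample in the shape of the bug's log: one enforcing-mode denial
# (syscall=2 is open(2) on x86_64, a1=0 is O_RDONLY, success=no) and two
# permissive-mode records (syscall=72 fcntl(2) lock, and open(2) with a1=2,
# i.e. O_RDWR, both success=yes).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1264024958.980:4220): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024958.980:4220): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8464410 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.290:4235): avc: denied { lock } for pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 a0=10 a1=7 a2=4318ad20 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.330:4236): avc: denied { write } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.330:4236): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value tokens of a record
PERMS_RE = re.compile(r'denied +\{ *([^}]*?) *\}')  # the { read lock ... } set
ID_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial event id

# Contents of the refpolicy read_file_perms macro (obj_perm_sets.spt).
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}
# Assumption for the warning below: types broad enough that an allow rule
# against them reaches far more objects than the one file seen in the log.
GENERIC_TYPES = {"tmp_t", "etc_t", "var_t", "usr_t", "user_home_t"}


def parse_records(text):
    """Group AVC and SYSCALL records by audit id.

    Returns {audit_id: {"avcs": [...], "success": bool | None}}; "success" is
    None when no SYSCALL record with that id was seen."""
    events = {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(line))
        ev = events.setdefault(m.group(1), {"avcs": [], "success": None})
        if kv.get("type") == "AVC":
            ev["avcs"].append({
                "stype": kv["scontext"].split(":")[2],  # user:role:TYPE:level
                "ttype": kv["tcontext"].split(":")[2],
                "tclass": kv["tclass"],
                "perms": set(PERMS_RE.search(line).group(1).split()),
            })
        elif kv.get("type") == "SYSCALL":
            ev["success"] = kv.get("success") == "yes"
    return events


def collect_denials(events, enforced_only=False):
    """Aggregate permissions per (source type, target type, class).

    With enforced_only=True, events whose SYSCALL partner reports success=yes
    (permissive mode: logged but not blocked) are skipped, which reproduces
    what the enforcing-mode log alone shows, i.e. only the first 'read'."""
    needed = defaultdict(set)
    for ev in events.values():
        if enforced_only and ev["success"] is True:
            continue
        for a in ev["avcs"]:
            needed[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return dict(needed)


def write_module(needed, name="mynscd"):
    """Return (raw checkmodule-style rules, refpolicy .te text, warnings).

    File perms inside read_file_perms collapse to the macro and 'write' is
    emitted as dontaudit, matching the module suggested in the thread; any
    other permission is emitted verbatim."""
    raw, refpol, warnings = [], [], []
    types = sorted({t for key in needed for t in key[:2]})
    refpol += [f"policy_module({name}, 1.0)", "", "gen_require(`",
               "\ttype " + ", ".join(types) + ";", "')", ""]
    for (s, t, c), perms in sorted(needed.items()):
        raw.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
        macro = perms & READ_FILE_PERMS if c == "file" else set()
        if macro:
            refpol.append(f"allow {s} {t}:{c} read_file_perms;")
        if "write" in perms:
            refpol.append(f"dontaudit {s} {t}:{c} write;")
        rest = perms - macro - {"write"}
        if rest:
            refpol.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(rest))} }};")
        if t in GENERIC_TYPES:
            warnings.append(f"{s} -> {t}:{c}: the rule covers every {t} object, "
                            f"not only the file named in the log")
    return "\n".join(raw), "\n".join(refpol), warnings


if __name__ == "__main__":
    ev = parse_records(SAMPLE_AUDIT)
    raw, te, warns = write_module(collect_denials(ev))
    print("# audit2allow-style:\n" + raw + "\n\n# refpolicy-style:\n" + te)
    for w in warns:
        print("# WARNING:", w)
```

The refpolicy text this produces is the `policy_module(...)` form, so it has to be built with `make -f /usr/share/selinux/devel/Makefile` (which expands the macros), not fed to `checkmodule` directly; the raw form is what `checkmodule -M -m` accepts once wrapped in a `module`/`require` header. The warning is the point Nalin raises in the thread: the grant is on the type tmp_t, so relocating the ccache somewhere with its own label would let the rule be narrowed.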