Bug 866605

Summary: Fedora 18 avc denial for useradd transition to nscd
Product: [Fedora] Fedora
Reporter: Scott Poore <spoore>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, jmontleo, mgrepl, rcritten
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 15:15:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Scott Poore 2012-10-15 17:38:12 UTC
Description of problem:

With nscd installed, ipa-replica-install seems to fail because of an AVC denial for useradd.  Some digging makes it seem like it's an AVC denial problem?

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-36.fc18.noarch
nscd-2.16-20.fc18.x86_64

How reproducible:
unknown

Steps to Reproduce:
On F18 server (my case was a minimal install).
1.  yum -y install nscd
2.  yum -y install freeipa-server bind bind-dyndb-ldap
3.  on existing ipa server:  ipa-replica-prepare -p <PASSWD> --ip-address=<IP> <hostname>
4.  copy /var/lib/ipa/replica-info-<hostname>.gpg file to new server
5.  ipa-replica-install   -U --setup-dns --setup-ca --forwarder=<DNSFORWARD> -w <PASSWD> -p <PASSWD> replica-info-<HOSTNAME>.gpg

Actual results:

ipa-replica-install output:
...
Configuring directory server: Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
KeyError: 'getpwnam(): name not found: dirsrv'

I lost the /var/log/ipareplica-install.log errors, but it pointed to a problem with permissions for useradd accessing something nscd related.  So, I checked for AVC denials.

ausearch output:

time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.966:941): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc0a0 a2=7fffc29cc090 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.966:941): avc:  denied  { transition } for  pid=7853 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.967:942): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc0a0 a2=7fffc29cc090 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7854 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.967:942): avc:  denied  { transition } for  pid=7854 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.968:943): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc4d0 a2=7fffc29cc4c0 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7855 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.968:943): avc:  denied  { transition } for  pid=7855 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.971:944): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc4d0 a2=7fffc29cc4c0 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7856 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.971:944): avc:  denied  { transition } for  pid=7856 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process


Expected results:


Additional info:

One thing here confusing me is that there appears to be a rule for this:
[root@f18-3 ~]# sesearch -s useradd_t -t nscd_t -c process  --allow -C
Found 1 semantic av rules:
   allow useradd_t nscd_t : process transition ;
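
Added triage example (not part of this report or of selinux-policy): the script below parses the AVC records pasted above, splits scontext and tcontext into user/role/type/range, reports which fields change across the exec, and prints the setools queries that cover each requirement of a domain transition. The point it illustrates is that the `allow useradd_t nscd_t : process transition` rule found with sesearch is necessary but not sufficient: the source domain also needs `execute` on the entrypoint file type, the target domain needs `entrypoint` on it, and because the role changes from unconfined_r to system_r the policy's process-transition constraints and role allow rules must permit that too. A constraint failure is logged by the kernel as the same `{ transition }` denial, so `sesearch --allow` cannot rule it out; `audit2why` reports such cases as a constraint violation. Whether that is what happened here is an assumption to be checked, not something the report states. The sample input is copied from the report; the script only builds the commands and does not run them.

```python
"""Triage of a 'denied { transition }' AVC record.

Added example for bug 866605; not part of the report or of selinux-policy.
It parses AVC lines, compares the source and target contexts, and builds the
setools queries covering every requirement of a domain transition.
"""
import re

# Constructed sample: two of the four identical AVC records from the report.
SAMPLE_AVC = """\
type=AVC msg=audit(1350320392.966:941): avc:  denied  { transition } for  pid=7853 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1350320392.967:942): avc:  denied  { transition } for  pid=7854 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = {name: re.compile(r'%s="([^"]*)"' % name) for name in ("comm", "path")}


def split_context(ctx):
    """Split user:role:type[:range]. The MLS range itself contains ':'
    (s0-s0:c0.c1023), so only the first three separators are field breaks."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    user, role, type_ = parts[:3]
    return {"user": user, "role": role, "type": type_,
            "range": parts[3] if len(parts) == 4 else ""}


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["pid"] = int(rec["pid"])
    rec["src"] = split_context(rec["scontext"])
    rec["tgt"] = split_context(rec["tcontext"])
    for name, rx in FIELD_RE.items():
        fm = rx.search(line)
        rec[name] = fm.group(1) if fm else ""
    return rec


def context_changes(rec):
    """Names of the context fields that differ between scontext and tcontext."""
    return [f for f in ("user", "role", "type", "range")
            if rec["src"][f] != rec["tgt"][f]]


def transition_queries(rec):
    """Policy queries for a process/transition denial.

    Besides the TE transition rule, the source needs execute on the entrypoint
    file type and the target needs entrypoint on it. If the role or user
    changes, the process-transition constraints (and, for roles, a role allow
    rule) must also permit it; a constraint failure shows up as the same
    { transition } denial. <exec_t> is a placeholder for the label ls -Z prints.
    """
    if rec["tclass"] != "process" or "transition" not in rec["perms"]:
        return []
    s, t = rec["src"]["type"], rec["tgt"]["type"]
    queries = [
        "sesearch --allow -s %s -t %s -c process -p transition" % (s, t),
        "ls -Z %s   # read the executable's type; use it as <exec_t> below" % rec["path"],
        "sesearch --allow -s %s -t <exec_t> -c file -p execute" % s,
        "sesearch --allow -s %s -t <exec_t> -c file -p entrypoint" % t,
    ]
    changes = context_changes(rec)
    if "role" in changes:
        r1, r2 = rec["src"]["role"], rec["tgt"]["role"]
        queries.append("sesearch --role_allow -s %s -t %s" % (r1, r2))
        queries.append("seinfo --constrain   # check the process transition constraint on r1/r2")
    if "user" in changes:
        queries.append("seinfo --constrain   # check the process transition constraint on u1/u2")
    return queries


def triage(text):
    """Parse every AVC record in text; return a list of (rec, changes, queries)."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((rec, context_changes(rec), transition_queries(rec)))
    return out


if __name__ == "__main__":
    for rec, changes, queries in triage(SAMPLE_AVC):
        print("pid %d %s exec %s: %s -> %s" % (rec["pid"], rec["comm"], rec["path"],
                                              rec["scontext"], rec["tcontext"]))
        print("  fields that change:", ", ".join(changes) or "none")
        for q in queries:
            print("   ", q)
```

For the records above the script reports that role and type both change, so beyond the transition rule the reporter already found it prints the execute/entrypoint queries plus `sesearch --role_allow -s unconfined_r -t system_r` and a reminder to inspect `seinfo --constrain`. Feeding the same records to `audit2why` on the affected host is the quickest way to confirm or rule out a constraint violation. The matching SYSCALL records show `exit=-13` (EACCES), which is the "Permission denied" useradd prints when its nscd cache flush fails.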

Comment 1 Scott Poore 2012-10-15 17:49:14 UTC
FYI, I have confirmed that this is not consistently reproducing the ipa-replica-install problem.

Here's some /var/log/ipareplica-install.log output from an attempt to reproduce:

2012-10-15T17:45:43Z DEBUG adding ds user dirsrv
2012-10-15T17:45:43Z DEBUG args=/usr/sbin/useradd -g dirsrv -c DS System User -d /var/lib/dirsrv -s /sbin/nologin -M -r dirsrv
2012-10-15T17:45:43Z DEBUG stdout=
2012-10-15T17:45:43Z DEBUG stderr=useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.

2012-10-15T17:45:43Z DEBUG done adding user

In the failed attempt earlier, though, the user was not created.  And I saw no other AVC denials.

Comment 2 Miroslav Grepl 2012-10-16 12:01:15 UTC
Fixed in selinux-policy-3.11.1-40.fc18.noarch

Comment 3 Fedora Update System 2012-10-23 20:35:05 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 4 Fedora Update System 2012-10-26 15:38:01 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 5 Fedora Update System 2012-10-26 19:27:33 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-12-20 15:15:59 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.