Bug 1025126 - glibc nscd permission support for netgroup caching is missing.
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Platform: Unspecified Linux
Priority: unspecified
Severity: unspecified
Assigned To: Carlos O'Donell
QA Contact: Fedora Extras Quality Assurance
Blocks: 1025507 1025758 1025931 1025932 1025933 1025934
Reported: 2013-10-31 00:50 EDT by Carlos O'Donell
Modified: 2016-11-24 07:14 EST
Doc Type: Bug Fix
Clones: 1025507 1025933
Last Closed: 2015-12-08 10:19:54 EST
Type: Bug

Attachments:
Add 2 new NSCD__* permissions to selinux for netgroup caching support. (1.54 KB, patch) - 2013-10-31 01:01 EDT, Carlos O'Donell
Description Carlos O'Donell 2013-10-31 00:50:09 EDT
In glibc's nscd we use selinux perms to check if a connecting user is allowed to query the cache.

We use the following list of permissions:
...
/* Define mappings of access vector permissions to request types.  */
static const access_vector_t perms[LASTREQ] =
{
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
  [GETGRBYNAME] = NSCD__GETGRP,
  [GETGRBYGID] = NSCD__GETGRP,
  [GETHOSTBYNAME] = NSCD__GETHOST,
  [GETHOSTBYNAMEv6] = NSCD__GETHOST,
  [GETHOSTBYADDR] = NSCD__GETHOST,
  [GETHOSTBYADDRv6] = NSCD__GETHOST,
  [GETSTAT] = NSCD__GETSTAT,
  [SHUTDOWN] = NSCD__ADMIN,
  [INVALIDATE] = NSCD__ADMIN,
  [GETFDPW] = NSCD__SHMEMPWD,
  [GETFDGR] = NSCD__SHMEMGRP,
  [GETFDHST] = NSCD__SHMEMHOST,
  [GETAI] = NSCD__GETHOST,
  [INITGROUPS] = NSCD__GETGRP,
#ifdef NSCD__GETSERV
  [GETSERVBYNAME] = NSCD__GETSERV,
  [GETSERVBYPORT] = NSCD__GETSERV,
  [GETFDSERV] = NSCD__SHMEMSERV,
#endif
#ifdef NSCD__GETNETGRP
  [GETNETGRENT] = NSCD__GETNETGRP,
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
#endif
};
...
rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
...

These permissions map onto values in selinux/av_permissions.h.

Except that NSCD__GETNETGRP, and NSCD__SHMEMNETGRP were never added to SELinux! :-(

It appears that there was some lack of coordination on the part of the glibc team to get the required changes into selinux.

Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only works if selinux is disabled, and disabling selinux is not what we want to recommend or require for a basic feature.

In order to correctly support netgroup caching we need to add it to the NSCD__* permissions in selinux.
Comment 1 Carlos O'Donell 2013-10-31 01:01:09 EDT
Created attachment 817713 [details]
Add 2 new NSCD__* permissions to selinux for netgroup caching support.

The following patch adds 2 new NSCD__* permissions to selinux. Tested on f19 with a rebuilt glibc, but it still doesn't work. That is to say that avc_has_perm still returns -1.

What else do we need to do to enable two new permissions for nscd?
Comment 3 Carlos O'Donell 2013-10-31 12:38:55 EDT
(In reply to Carlos O'Donell from comment #0)
> Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only
> works if selinux is disabled, and disabling selinux is not what we want to
> recommend or require for a basic feature.

Let me be clearer here "works if selinux is in permissive mode, and requiring permissive mode is not what we want to recommend..."
Comment 5 Carlos O'Donell 2013-10-31 13:29:55 EDT
After applying my fix I noticed the two AVCs related to this, which means it has to go into policy (as Daniel Walsh mentioned to me on IRC):

type=USER_AVC msg=audit(1383195529.370:3438): pid=3569 uid=28 auid=1000 ses=12  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  denied  { shmemnetgrp } for  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd  exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'

type=USER_AVC msg=audit(1383195425.569:3436): pid=3528 uid=28 auid=1000 ses=12  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  denied  { getnetgrp } for  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd  exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'

That's one AVC per permission we just added.
Comment 9 Daniel Walsh 2013-11-01 11:09:32 EDT
75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for selinux-policy.

glibc needs to use string_to_security_class() to find SECCLASS_NSCD
and string_to_av_perm() to fill in the perms array at run time...

We do not ship these hard coded in libselinux any longer.
Comment 10 Carlos O'Donell 2013-11-01 11:26:13 EDT
(In reply to Daniel Walsh from comment #9)
> 75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for
> selinux-policy.
> 
> glibc needs to use string_to_security_class() to find SECCLASS_NSCD
> and string_to_av_perm() to fill in the perms array at run time...
> 
> We do not ship these hard coded in libselinux any longer.

So I've fixed glibc to use string_to_security_class and string_to_av_perm, and at nscd startup you now get:
...
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Access Vector Cache (AVC) started
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "shmemnetgrp" to access vector bit.
...

Does this mean I need to have a runtime dependency on the new selinux-policy if I want to ensure that netgroup caching support works?
Comment 11 Daniel Walsh 2013-11-01 13:03:42 EDT
No, use security_deny_unknown()

       security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.
Comment 12 Carlos O'Donell 2013-11-01 13:16:08 EDT
(In reply to Daniel Walsh from comment #11)
> No, use security_deny_unknown()
> 
>        security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.

Perfect, I'll do that, and switching to symbolic permissions means I don't have to wait for selinux headers to come out or provide any such hacks.

Thanks.
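The run-time resolution Daniel describes in comment 9 together with the security_deny_unknown() fallback from comment 11, as an added example that is not glibc's nscd code or libselinux's own: string_to_security_class, string_to_av_perm and security_deny_unknown are the real libselinux functions the comments name, while resolve_perms, perm_state_for, policy_deny_unknown and the known_perms table are constructed for this example. The #else branch is a stand-in for libselinux that simulates a policy predating the netgroup permissions, so the block compiles and runs without SELinux present; build with -DHAVE_LIBSELINUX to use the real library.

```c
/* Added example, not glibc's or libselinux's code: resolve nscd's SELinux
 * class and per-request permissions by name at start-up, and classify names
 * the loaded policy does not define using security_deny_unknown(). With
 * -DHAVE_LIBSELINUX the real calls are used; otherwise a constructed table. */
#include <string.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#else
typedef unsigned short security_class_t;
typedef unsigned int access_vector_t;
/* Constructed policy: the nscd class exists, but getnetgrp/shmemnetgrp do not. */
static const char *const known_perms[] = { "getpwd", "getgrp", "gethost",
  "getstat", "admin", "shmempwd", "shmemgrp", "shmemhost", "getserv", "shmemserv" };
int policy_deny_unknown = 0;    /* simulated policy "handle unknown" setting */
static security_class_t string_to_security_class(const char *name)
{ return strcmp(name, "nscd") == 0 ? 1 : 0; }
static access_vector_t string_to_av_perm(security_class_t cls, const char *name)
{
  if (cls != 1) return 0;
  for (size_t i = 0; i < sizeof known_perms / sizeof *known_perms; i++)
    if (strcmp(known_perms[i], name) == 0) return 1u << i;
  return 0;                     /* libselinux also returns 0 for an unknown name */
}
static int security_deny_unknown(void) { return policy_deny_unknown; }
#endif
enum perm_state { PERM_RESOLVED, PERM_UNKNOWN_ALLOW, PERM_UNKNOWN_DENY, PERM_ERROR };
struct perm_slot { const char *name; access_vector_t av; enum perm_state state; };
/* Fill the table once at daemon start-up. A name the policy lacks is not fatal:
 * security_deny_unknown() says whether such queries are allowed (0) or denied (1). */
static int resolve_perms(security_class_t *cls, struct perm_slot *slots, size_t n)
{
  *cls = string_to_security_class("nscd");
  if (*cls == 0) return -1;     /* no nscd class at all: caller must deny */
  for (size_t i = 0; i < n; i++) {
    slots[i].av = string_to_av_perm(*cls, slots[i].name);
    if (slots[i].av != 0) { slots[i].state = PERM_RESOLVED; continue; }
    int deny = security_deny_unknown();
    slots[i].state = deny < 0 ? PERM_ERROR : deny ? PERM_UNKNOWN_DENY : PERM_UNKNOWN_ALLOW;
  }
  return 0;
}
/* Start-up verdict for a single permission name (what nscd would log or act on). */
enum perm_state perm_state_for(const char *name)
{
  security_class_t cls;
  struct perm_slot s = { name, 0, PERM_ERROR };
  return resolve_perms(&cls, &s, 1) == 0 ? s.state : PERM_ERROR;
}
```

With the old policy, "getnetgrp" resolves to PERM_UNKNOWN_ALLOW or PERM_UNKNOWN_DENY depending on the policy's deny-unknown setting, while "getgrp" resolves normally; a daemon keyed on these states needs no hard dependency on the newer selinux-policy.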
Comment 13 Carlos O'Donell 2013-11-02 00:21:23 EDT
Is selinux-policy also fixed in rawhide?
Comment 21 Jaroslav Reznik 2015-03-03 12:10:30 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
