Bug 1025126 - glibc nscd permission support for netgroup caching is missing.
Summary: glibc nscd permission support for netgroup caching is missing.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Carlos O'Donell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1025507 1025758 1025931 1025932 1025933 1025934
 
Reported: 2013-10-31 04:50 UTC by Carlos O'Donell
Modified: 2016-11-24 12:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1025507 1025933
Environment:
Last Closed: 2015-12-08 15:19:54 UTC
Type: Bug


Attachments
Add 2 new NSCD__* permissions to selinux for netgroup caching support. (1.54 KB, patch)
2013-10-31 05:01 UTC, Carlos O'Donell

Description Carlos O'Donell 2013-10-31 04:50:09 UTC
In glibc's nscd we use selinux perms to check if a connecting user is allowed to query the cache.

We use the following list of permissions:
...
/* Define mappings of access vector permissions to request types.  */
static const access_vector_t perms[LASTREQ] =
{
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
  [GETGRBYNAME] = NSCD__GETGRP,
  [GETGRBYGID] = NSCD__GETGRP,
  [GETHOSTBYNAME] = NSCD__GETHOST,
  [GETHOSTBYNAMEv6] = NSCD__GETHOST,
  [GETHOSTBYADDR] = NSCD__GETHOST,
  [GETHOSTBYADDRv6] = NSCD__GETHOST,
  [GETSTAT] = NSCD__GETSTAT,
  [SHUTDOWN] = NSCD__ADMIN,
  [INVALIDATE] = NSCD__ADMIN,
  [GETFDPW] = NSCD__SHMEMPWD,
  [GETFDGR] = NSCD__SHMEMGRP,
  [GETFDHST] = NSCD__SHMEMHOST,
  [GETAI] = NSCD__GETHOST,
  [INITGROUPS] = NSCD__GETGRP,
#ifdef NSCD__GETSERV
  [GETSERVBYNAME] = NSCD__GETSERV,
  [GETSERVBYPORT] = NSCD__GETSERV,
  [GETFDSERV] = NSCD__SHMEMSERV,
#endif
#ifdef NSCD__GETNETGRP
  [GETNETGRENT] = NSCD__GETNETGRP,
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
#endif
};
...
rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
...

These permissions map onto values in selinux/av_permissions.h.

Except that NSCD__GETNETGRP, and NSCD__SHMEMNETGRP were never added to SELinux! :-(

It appears that there was some lack of coordination on the part of the glibc team to get the required changes into selinux.

Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only works if selinux is disabled, and disabling selinux is not what we want to recommend or require for a basic feature.

In order to correctly support netgroup caching we need to add it to the NSCD__* permissions in selinux.

Comment 1 Carlos O'Donell 2013-10-31 05:01:09 UTC
Created attachment 817713 [details]
Add 2 new NSCD__* permissions to selinux for netgroup caching support.

The following patch adds 2 new NSCD__* permissions to selinux. Tested on f19 with a rebuilt glibc, but it still doesn't work. That is to say that avc_has_perm still returns -1.

What else do we need to do to enable two new permissions for nscd?

Comment 3 Carlos O'Donell 2013-10-31 16:38:55 UTC
(In reply to Carlos O'Donell from comment #0)
> Without NSCD__GETNETGRP and NSCD__SHMEMNETGRP the netgroup caching only
> works if selinux is disabled, and disabling selinux is not what we want to
> recommend or require for a basic feature.

Let me be clearer here: "works if selinux is in permissive mode, and requiring permissive mode is not what we want to recommend..."

Comment 5 Carlos O'Donell 2013-10-31 17:29:55 UTC
After applying my fix I noticed the two AVC's related to this which mean it has to go into policy (as Daniel Walsh mentioned to me on IRC):

type=USER_AVC msg=audit(1383195529.370:3438): pid=3569 uid=28 auid=1000 ses=12  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  denied  { shmemnetgrp } for  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd  exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'

type=USER_AVC msg=audit(1383195425.569:3436): pid=3528 uid=28 auid=1000 ses=12  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  denied  { getnetgrp } for  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=nscd  exe="/home/carlos/build/glibc/nscd/nscd" sauid=28 hostname=? addr=? terminal=pts/7'

That's one AVC per permission we just added.

Comment 9 Daniel Walsh 2013-11-01 15:09:32 UTC
75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for selinux-policy.

glibc needs to use string_to_security_class() to find SECCLASS_NSCD
and string_to_av_perm() to fill in the perms array at run time...

We do not ship these hard coded in libselinux any longer.

Comment 10 Carlos O'Donell 2013-11-01 15:26:13 UTC
(In reply to Daniel Walsh from comment #9)
> 75cd097a313ff6b212bf7bf418f1cf5c4839cdc1 has the fix for this for
> selinux-policy.
> 
> glibc needs to use string_to_security_class() to find SECCLASS_NSCD
> and string_to_av_perm() to fill in the perms array at run time...
> 
> We do not ship these hard coded in libselinux any longer.

So I've fixed glibc to use string_to_security_class and string_to_av_perm, and at nscd startup you now get:
...
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Access Vector Cache (AVC) started
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "getnetgrp" to access vector bit.
Fri 01 Nov 2013 09:58:25 AM EDT - 14156: Error translating permission name "shmemnetgrp" to access vector bit.
...

Does this mean I need to have a runtime dependency on the new selinux-policy if I want to ensure that netgroup caching support works?

Comment 11 Daniel Walsh 2013-11-01 17:03:42 UTC
No, use security_deny_unknown()

       security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.

Comment 12 Carlos O'Donell 2013-11-01 17:16:08 UTC
(In reply to Daniel Walsh from comment #11)
> No, use security_deny_unknown()
> 
>        security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.

Perfect, I'll do that, and switching to symbolic permissions means I don't have to wait for selinux headers to come out or provide any such hacks.

Thanks.
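As an added illustration (not glibc's code and not the patch attached to this bug) of the approach Daniel and Carlos settle on in comments 9 to 12: resolve the nscd class and its permission names at startup instead of compiling in NSCD__* constants, and let security_deny_unknown() decide what happens when the loaded policy predates the netgroup permissions. The libselinux calls are replaced by hypothetical function pointers backed by a constructed stub policy, so the decision logic runs without libselinux or a loaded policy.

```c
#include <stdio.h>
#include <string.h>
/* Request types and their symbolic permission names (subset of nscd's table; constructed). */
enum { GETPWBYNAME, GETGRBYNAME, GETNETGRENT, GETFDNETGR, LASTREQ };
static const char *const perm_names[LASTREQ] = { "getpwd", "getgrp", "getnetgrp", "shmemnetgrp" };

/* Hypothetical hooks standing in for libselinux's string_to_security_class(), string_to_av_perm(),
   security_deny_unknown() and avc_has_perm(), so the logic runs here without a loaded policy. */
typedef unsigned short sec_class_t; typedef unsigned int av_t;
struct selinux_hooks {
  sec_class_t (*to_class)(const char *name);          /* 0 = class unknown */
  av_t (*to_perm)(sec_class_t cls, const char *name); /* 0 = permission unknown */
  int (*deny_unknown)(void);                          /* 0 allow, 1 deny, -1 error */
  int (*has_perm)(sec_class_t cls, av_t perm);        /* 0 = granted */
};
/* Resolve perms[] at startup: fail only if class nscd is unknown; an unknown
   permission is logged (nscd's own wording) and left 0 for request time. */
static int nscd_init_perms(const struct selinux_hooks *h, sec_class_t *cls, av_t perms[LASTREQ])
{
  if ((*cls = h->to_class("nscd")) == 0)
    return -1;
  for (int req = 0; req < LASTREQ; req++)
    if ((perms[req] = h->to_perm(*cls, perm_names[req])) == 0)
      fprintf(stderr, "Error translating permission name \"%s\" to access vector bit.\n", perm_names[req]);
  return 0;
}
/* Per-request decision: 1 = allow, 0 = deny. A permission the loaded policy does
   not define is allowed only while security_deny_unknown() reports 0. */
static int nscd_request_allowed(const struct selinux_hooks *h, sec_class_t cls,
                                const av_t perms[LASTREQ], int req)
{
  if (perms[req] == 0)
    return h->deny_unknown() == 0;
  return h->has_perm(cls, perms[req]) == 0;
}
/* Constructed stub policy: knows class nscd (7) and getpwd/getgrp only, like a policy
   predating the selinux-policy fix; its AVC grants just getpwd. */
static sec_class_t stub_class(const char *n) { return strcmp(n, "nscd") == 0 ? 7 : 0; }
static av_t stub_perm(sec_class_t c, const char *n)
{ return c != 7 ? 0 : !strcmp(n, "getpwd") ? 1 : !strcmp(n, "getgrp") ? 2 : 0; }
static int stub_allow_unknown(void) { return 0; } static int stub_deny_unknown(void) { return 1; }
static int stub_avc(sec_class_t c, av_t p) { return (c == 7 && p == 1) ? 0 : -1; }
/* Decide one request under a policy that allows (0) or denies (1) unknown permissions. */
static int decide(int deny_unknown_policy, int req)
{
  struct selinux_hooks h = { stub_class, stub_perm, deny_unknown_policy ? stub_deny_unknown : stub_allow_unknown, stub_avc };
  sec_class_t cls; av_t perms[LASTREQ];
  if (nscd_init_perms(&h, &cls, perms) < 0) return -1;
  return nscd_request_allowed(&h, cls, perms, req);
}
```

With a policy that does not define getnetgrp/shmemnetgrp, the netgroup requests are allowed only while deny_unknown is 0; once a policy denies unknowns, nscd must refuse them until the new permissions ship.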

Comment 13 Carlos O'Donell 2013-11-02 04:21:23 UTC
Is selinux-policy also fixed in rawhide?

Comment 21 Jaroslav Reznik 2015-03-03 17:10:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

