Bug 138248 - nscd breaks when using shared cache under selinux-policy-targeted (probably strict, too)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Reported: 2004-11-06 00:12 EST by Nicholas Miell
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-12-02 11:48:13 EST
Description Nicholas Miell 2004-11-06 00:12:47 EST
Recent versions of glibc/nscd share nscd's cache between all clients
and the nscd server. This is enabled by default.

The contents of the cache are stored in /var/db/nscd, which are all
labeled as system_u:object_r:var_t.

The targeted policy prevents nscd from accessing var_t, so it either
fails to create the cache files (if they don't exist), or it dies
after failing to open them.

If none of the cache files exist:
Nov  5 21:10:34 entropy nscd: 7005 Access Vector Cache (AVC) started
Nov  5 21:10:34 entropy nscd: 7005 cannot create /var/db/nscd/passwd;
no persistent database used
Nov  5 21:10:34 entropy kernel: audit(1099717834.425:0): avc:  denied
 { write } for  pid=7005 exe=/usr/sbin/nscd name=nscd dev=hda3
ino=2098153 scontext=root:system_r:nscd_t
tcontext=system_u:object_r:var_t tclass=dir
Nov  5 21:10:34 entropy kernel: audit(1099717834.425:0): avc:  denied
 { write } for  pid=7005 exe=/usr/sbin/nscd name=nscd dev=hda3
ino=2098153 scontext=root:system_r:nscd_t
tcontext=system_u:object_r:var_t tclass=dir
Nov  5 21:10:34 entropy nscd: 7005 cannot create /var/db/nscd/group;
no persistent database used
Nov  5 21:10:34 entropy kernel: audit(1099717834.425:0): avc:  denied
 { write } for  pid=7005 exe=/usr/sbin/nscd name=nscd dev=hda3
ino=2098153 scontext=root:system_r:nscd_t
tcontext=system_u:object_r:var_t tclass=dir
Nov  5 21:10:34 entropy nscd: 7005 cannot create /var/db/nscd/hosts;
no persistent database used

If the cache files exist:
Nov  5 21:08:56 entropy nscd: 6970 Access Vector Cache (AVC) started
Nov  5 21:08:56 entropy kernel: audit(1099717736.831:0): avc:  denied
 { read write } for  pid=6970 exe=/usr/sbin/nscd name=passwd dev=hda3
ino=2097196 scontext=root:system_r:nscd_t
tcontext=system_u:object_r:var_t tclass=file
Nov  5 21:08:56 entropy nscd: 6970 database for passwd corrupted or
simultaneously used; remove /var/db/nscd/passwd manually if necessary
and restart
... and nscd exits.

Relabeling /var/db/nscd as var_run_t and /var/db/nscd/* as
nscd_var_run_t makes nscd work, and unconfined processes can snoop the
cache like normal. If I understand it correctly, confined processes
will have to use the standard socket-based method to talk to nscd.
This is probably better from a security standpoint, anyway.

The real fix will probably want to create a nscd_var_db_t (and
probably a var_db_t, too, while you're at it) and apply that
specifically to /var/db/nscd.
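Added example, not from the bug report or from glibc or the SELinux policy package: a small Python parser for syslog-format AVC denial lines of the kind quoted above. It groups denials by source type, target type and object class and renders the gap as allow-rule-shaped lines so the missing access is easy to read off. The sample log is constructed from the lines in the report, with the wrapped kernel lines rejoined; it is not a live capture. The rendered rules show what the policy would have to permit if one loosened it, which is exactly what the thread does not do: relabeling /var/db/nscd is the right fix, not letting nscd_t write to var_t.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the syslog-format AVC lines quoted in the
# report (kernel lines rejoined onto one line each). Not a live capture.
SAMPLE_LOG = """\
Nov  5 21:10:34 entropy nscd: 7005 cannot create /var/db/nscd/passwd; no persistent database used
Nov  5 21:10:34 entropy kernel: audit(1099717834.425:0): avc:  denied  { write } for  pid=7005 exe=/usr/sbin/nscd name=nscd dev=hda3 ino=2098153 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir
Nov  5 21:08:56 entropy kernel: audit(1099717736.831:0): avc:  denied  { read write } for  pid=6970 exe=/usr/sbin/nscd name=passwd dev=hda3 ino=2097196 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value ..." -- the verdict, the
# permission set in braces, and the trailing key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def context_type(ctx):
    """Third field of user:role:type[:level] is the type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            needed[key].update(rec["perms"])
    return dict(needed)


def as_allow_rules(needed):
    """Render the gap as allow-rule-shaped lines, for reading only: in this
    bug the right fix is to relabel the files, not to widen nscd_t's access."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Run on the sample it prints two lines, one for the directory write and one for the file read/write, both from nscd_t against var_t. Seeing a service domain denied against a generic type such as var_t is the usual signal that the files are mislabeled rather than that the policy is too tight.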
Comment 1 Daniel Walsh 2004-11-06 00:51:59 EST
Check out the latest rawhide policy, it labels /var/db/nscd as 
/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
Which I believe fixes this problem.

Thanks Dan
Comment 2 James Laska 2004-12-02 11:48:13 EST
Appears to be resolved in selinux-policy-targeted-1.17.30-2.35

-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/group
-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/hosts
-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/passwd

Please reopen this issue if the problem resurfaces.
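Added example, not part of the bug or of the selinux-policy-targeted package: a Python check that parses ls -Z-style lines like those in the comment above and compares each file's type with what a file_contexts entry assigns. The specs use the /var/db/nscd(/.*)? entry quoted in comment 1 plus an assumed /var(/.*)? catch-all standing in for whatever generic rule produced var_t before the fix; matching follows the file_contexts convention that the last matching entry wins, with the more specific entry listed last, and the optional file-type column of real file_contexts entries is left out. The listing is constructed and includes one deliberately stale entry so the check has something to flag.

```python
import re

# File-context specs as (regex, type). The nscd entry is the one quoted in
# comment 1; the /var catch-all is an assumed stand-in for the generic rule
# that labeled the directory var_t before the fix. Ordered so that the more
# specific entry comes last, because the last matching entry wins.
FCONTEXT_SPECS = [
    (r"/var(/.*)?", "var_t"),
    (r"/var/db/nscd(/.*)?", "nscd_var_run_t"),
]

# Constructed listing in the ls -Z shape shown in comment 2, plus one
# deliberately stale entry still carrying var_t and one unrelated file.
SAMPLE_LISTING = """\
-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/group
-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/hosts
-rw-------  root     root     root:object_r:nscd_var_run_t     /var/db/nscd/passwd
-rw-------  root     root     system_u:object_r:var_t          /var/db/nscd/stale
-rw-r--r--  root     root     system_u:object_r:var_t          /var/db/other
"""

# mode  user  group  user:role:type  path
LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<context>\S+)\s+(?P<path>\S+)$"
)


def expected_type(path, specs=FCONTEXT_SPECS):
    """Type the specs assign to path, or None if no entry matches."""
    result = None
    for regex, stype in specs:
        if re.fullmatch(regex, path):
            result = stype  # keep going: the last matching entry wins
    return result


def check_listing(listing, specs=FCONTEXT_SPECS):
    """Return (path, actual_type, expected_type) for every mislabeled entry."""
    problems = []
    for line in listing.splitlines():
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue
        actual = m.group("context").split(":")[2]
        want = expected_type(m.group("path"), specs)
        if want is not None and actual != want:
            problems.append((m.group("path"), actual, want))
    return problems


if __name__ == "__main__":
    for path, actual, want in check_listing(SAMPLE_LISTING):
        print(f"{path}: labeled {actual}, policy expects {want}")
```

On a live system the same comparison is what restorecon -n -v does against the installed file_contexts; this version only makes the matching rule visible, and it flags just the stale entry, since /var/db/other is correctly var_t under the catch-all.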
