Bug 151894 - SELinux prevents nscd from logging
Summary: SELinux prevents nscd from logging
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-03-23 10:40 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:56:10 UTC
Target Upstream Version:
Embargoed:



Description Peter Bieringer 2005-03-23 10:40:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Description of problem:
If logging of nscd is enabled, SELinux prohibits

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. enable logging of nscd (by editing /etc/nscd.conf)
2. service nscd restart
3. SELinux deny messages in kernel log
  

Actual Results:  Won't start anymore, kernel log:

Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file



Expected Results:  Starting

Additional info:

The following SELinux extension was successfully tested (rules added step-by-step)

## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;
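An added example, not part of this report or of the selinux-policy-targeted package, showing the step the reporter did by hand: parsing the kernel-log AVC denials quoted above into the minimal set of allow rules, merged per source type, target type and object class the way audit2allow does, and checking a proposed rule set against the denials so a missing permission shows up before the policy is loaded. The sample lines are constructed copies of the messages in this report (pre-auditd `audit(...)` kernel-log format as on RHEL 4); all function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: copies of the AVC denials from the report, in the
# pre-auditd kernel-log format that RHEL 4 used.
SAMPLE_AVCS = """\
Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
"""

# The reporter's hand-written rules, used to demonstrate the coverage check.
REPORTER_RULES = """\
## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;")


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus a 'perms' list,
    or None when the line is not an AVC denial at all."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type, the component allow rules are written on."""
    return ctx.split(":")[2]


def denial_key(rec):
    return (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])


def denials_to_rules(avc_text):
    """Merge denials by (source type, target type, class) and emit one allow
    rule per triple, in first-seen order, as audit2allow would."""
    merged = OrderedDict()
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = merged.setdefault(denial_key(rec), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def parse_rules(policy_text):
    """Return {(src, tgt, cls): set(perms)} from the allow rules in a .te fragment;
    comment lines such as '## nscd logging' are simply skipped."""
    allowed = {}
    for m in RULE_RE.finditer(policy_text):
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced else [single]
        allowed.setdefault((src, tgt, cls), set()).update(perms)
    return allowed


def uncovered_denials(policy_text, avc_text):
    """Denials, as 'src tgt:cls perm' strings, that the given rules do not allow.
    An empty list means every logged denial is covered."""
    allowed = parse_rules(policy_text)
    missing = []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = denial_key(rec)
        for p in rec["perms"]:
            if p not in allowed.get(key, set()):
                missing.append(f"{key[0]} {key[1]}:{key[2]} {p}")
    return missing


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVCS):
        print(rule)
    print("uncovered:", uncovered_denials(REPORTER_RULES, SAMPLE_AVCS))
```

Merging per triple is what turns the six single-permission lines in the report into two rules; the coverage check is the same comparison the reporter made by re-adding rules one at a time, done offline against the captured log instead of by restarting the daemon.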

Comment 1 Daniel Walsh 2005-03-23 13:51:18 UTC
Please update to the U1 policy.  Currently available on
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,policycoreutils}

Does that solve your problem?

Dan

Comment 2 Peter Bieringer 2005-03-23 15:14:31 UTC
No, didn't believe it after reading the change log. The extensions shown above
are still needed (re-add rules step-by-step).

Comment 3 Peter Bieringer 2005-03-23 15:15:32 UTC
Forgot the following note: I've updated the policy and relabelled the system before
retry and re-add.

Comment 4 Daniel Walsh 2005-03-23 15:32:05 UTC
I didn't know nscd could log.

I will add log_domain(nscd) to policy.

Dan

Comment 5 Peter Bieringer 2005-03-23 15:58:05 UTC
Logging is not enabled by default, but easy to switch on (mostly during
debugging problems):

--- etc/nscd.conf       9 Mar 2005 16:53:04 -0000       1.1
+++ etc/nscd.conf       23 Mar 2005 15:56:43 -0000
@@ -28,12 +28,12 @@
 #


-#      logfile                 /var/log/nscd.log
+       logfile                 /var/log/nscd.log
 #      threads                 6
 #      max-threads             128
        server-user             nscd
 #      stat-user               nocpulse
-       debug-level             0
+       debug-level             1
 #      reload-count            5
        paranoia                no
 #      restart-interval        3600
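Review bot: the line that matters for the policy is the uncommented `logfile /var/log/nscd.log`; that is what makes nscd create and append to a file under /var/log, which is exactly the var_log_t dir and file access reported in the AVC denials above. The `debug-level 0` to `1` change only raises how much nscd writes once the log exists and is not needed to trigger the denials, so the comment could say that, and note that a debugging setup should drop debug-level back to 0 afterwards since the extra output is per lookup.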


Comment 6 Daniel Walsh 2005-03-24 21:47:42 UTC
Could you try out selinux-policy-targeted-1.17.30-2.93
on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

If this works for you I will roll it into the U2 release for RHEL4.

Comment 7 Peter Bieringer 2005-03-31 11:48:23 UTC
Ok, installed on RHEL4, previous log file removed, logging enabled, nscd
restart, log file was created.

So the issue is solved now.

