Bug 151894 - SELinux prevents nscd from logging
Summary: SELinux prevents nscd from logging
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
(Show other bugs)
Version: 4.0
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-03-23 10:40 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-15 15:56:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Peter Bieringer 2005-03-23 10:40:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Description of problem:
If logging of nscd is enabled, SELinux prohibits

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. enable logging of nscd (by editing /etc/nscd.conf)
2. service nscd restart
3. SELinux deny messages in kernel log
  

Actual Results:  Won't start anymore, kernel log:

Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file



Expected Results:  Starting

Additional info:

Following SELinux extension was successfully tested (rules add step-by-step)

## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;

Comment 1 Daniel Walsh 2005-03-23 13:51:18 UTC
Please update to the U1 policy.  Currently available on 
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,
policycoreutils}

Does that solve your problem?

Dan

Comment 2 Peter Bieringer 2005-03-23 15:14:31 UTC
No, didn't believe it after reading the change log. The upper shown extensions
are still needed (readd rules step-by-step).

Comment 3 Peter Bieringer 2005-03-23 15:15:32 UTC
Forgot following note: I've updated the policy and relabled the system before
retry and readd.

Comment 4 Daniel Walsh 2005-03-23 15:32:05 UTC
I didn't know nscd could log.

I will add log_domain(nscd) to policy.

Dan

Comment 5 Peter Bieringer 2005-03-23 15:58:05 UTC
Logging is not enabled by default, but easily to switch on (mostly during
debugging problems):

--- etc/nscd.conf       9 Mar 2005 16:53:04 -0000       1.1
+++ etc/nscd.conf       23 Mar 2005 15:56:43 -0000
@@ -28,12 +28,12 @@
 #


-#      logfile                 /var/log/nscd.log
+       logfile                 /var/log/nscd.log
 #      threads                 6
 #      max-threads             128
        server-user             nscd
 #      stat-user               nocpulse
-       debug-level             0
+       debug-level             1
 #      reload-count            5
        paranoia                no
 #      restart-interval        3600


Comment 6 Daniel Walsh 2005-03-24 21:47:42 UTC
Could you try out selinux-policy-targeted-1.17.30-2.93
on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

If this works for you I will role it into the U2 release for RHEL4.

Comment 7 Peter Bieringer 2005-03-31 11:48:23 UTC
Ok, installed on RHEL4, previous log file removed, logging enabled, nscd
restart, log file was created.

So the issue is solved now.


Note You need to log in before you can comment on or make changes to this bug.