Bug 151894 - SELinux prevents nscd from logging
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-03-23 05:40 EST by Peter Bieringer
Modified: 2007-11-30 17:07 EST
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 11:56:10 EDT
Attachments: None

Description Peter Bieringer 2005-03-23 05:40:49 EST

Description of problem:
If logging of nscd is enabled, SELinux prohibits

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. enable logging of nscd (by editing /etc/nscd.conf)
2. service nscd restart
3. SELinux deny messages in kernel log
Actual Results:  Won't start anymore, kernel log:

Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir

Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Expected Results:  Starting

Additional info:

The following SELinux extension was successfully tested (rules added step by step):

## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;
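As an added illustration that is not part of the bug report, the script below does by hand what the audit2allow tool does: it parses the six AVC denials quoted in the description (embedded verbatim as constructed sample input), collapses them into one allow rule per source type, target type and object class, and then flags the denials in which a daemon asks to modify an object carrying the shared var_log_t label rather than a type private to that daemon. The function names and the list of "modifying" permissions are my own; the rules it derives are the same six permissions Peter tested, only grouped.

```python
import re

# Constructed sample input: the six AVC denials quoted in the bug report,
# in the kernel-log format of the report.
SAMPLE_LOG = """\
Mar 23 11:24:41 host audit(1111573481.690:0): avc:  denied  { search } for  pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:26:34 host audit(1111573594.476:0): avc:  denied  { write } for  pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:28:06 host audit(1111573686.537:0): avc:  denied  { add_name } for  pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:29:39 host audit(1111573779.211:0): avc:  denied  { create } for  pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.665:0): avc:  denied  { append } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.663:0): avc:  denied  { getattr } for  pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC denial into the parts a policy rule is built from.

    Returns None for lines that are not AVC denials or that lack the
    scontext/tcontext/tclass fields.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "perms": m.group("perms").split(),
        # the object is reported as path= (if known) or name= (basename)
        "object": fields.get("path") or fields.get("name"),
    }


def denials_to_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class), in the
    order they were first seen; a single permission is written without braces."""
    grouped = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        perms = grouped.setdefault((d["stype"], d["ttype"], d["tclass"]), [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


# Standard SELinux permissions that change an object; the report itself only
# shows write, add_name, create and append (assumption: the rest are included
# so the check also catches deletion and attribute changes).
MODIFYING = {"write", "add_name", "create", "append", "remove_name", "unlink", "setattr"}


def writes_to_shared_type(log_text, shared_types=("var_log_t",)):
    """Return (source type, class, object, perms) for each denial in which a
    domain wants to modify an object labelled with a shared type such as
    var_log_t. In this bug nscd.log inherits the generic /var/log label, so the
    choice is between blanket access to var_log_t and a private log type for
    the daemon (the route the maintainer takes with log_domain(nscd))."""
    hits = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["ttype"] in shared_types:
            wanted = sorted(MODIFYING.intersection(d["perms"]))
            if wanted:
                hits.append((d["stype"], d["tclass"], d["object"], wanted))
    return hits


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
    for stype, tclass, obj, perms in writes_to_shared_type(SAMPLE_LOG):
        print(f"note: {stype} modifies shared-type {tclass} {obj}: {' '.join(perms)}")
```

Running it prints the two grouped rules (dir: search write add_name; file: create append getattr) and four notes, one per modifying denial; the notes are the reason a private type is preferable to the blanket rules, since every allow against var_log_t also covers every other log file in /var/log.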
Comment 1 Daniel Walsh 2005-03-23 08:51:18 EST
Please update to the U1 policy.  Currently available on
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,policycoreutils}

Does that solve your problem?

Dan
Comment 2 Peter Bieringer 2005-03-23 10:14:31 EST
No, I didn't believe it would after reading the change log. The extensions
shown above are still needed (rules re-added step by step).
Comment 3 Peter Bieringer 2005-03-23 10:15:32 EST
Forgot the following note: I updated the policy and relabeled the system before
retrying and re-adding.
Comment 4 Daniel Walsh 2005-03-23 10:32:05 EST
I didn't know nscd could log.

I will add log_domain(nscd) to policy.

Dan
Comment 5 Peter Bieringer 2005-03-23 10:58:05 EST
Logging is not enabled by default, but it is easy to switch on (mostly while
debugging problems):

--- etc/nscd.conf       9 Mar 2005 16:53:04 -0000       1.1
+++ etc/nscd.conf       23 Mar 2005 15:56:43 -0000
@@ -28,12 +28,12 @@
 #


-#      logfile                 /var/log/nscd.log
+       logfile                 /var/log/nscd.log
 #      threads                 6
 #      max-threads             128
        server-user             nscd
 #      stat-user               nocpulse
-       debug-level             0
+       debug-level             1
 #      reload-count            5
        paranoia                no
 #      restart-interval        3600
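Review bot: the hunk bundles two independent settings, uncommenting `logfile /var/log/nscd.log` and raising `debug-level` from 0 to 1; every AVC line in the description is a dir or file operation on /var/log/nscd.log, so the logfile line alone is what creates the policy requirement, and the debug-level change is better left out of the minimal reproducer or noted as only governing how much gets written. The tcontext of var_log_t on the new file also explains why relabeling did not help (comment 3): a file created in /var/log inherits that directory's generic label, so the fix has to come from policy (the private log type comment 4 proposes) rather than from a file-context change.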
Comment 6 Daniel Walsh 2005-03-24 16:47:42 EST
Could you try out selinux-policy-targeted-1.17.30-2.93
on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

If this works for you I will roll it into the U2 release for RHEL4.
Comment 7 Peter Bieringer 2005-03-31 06:48:23 EST
Ok, installed on RHEL4, previous log file removed, logging enabled, nscd
restart, log file was created.

So the issue is solved now.
