Bug 1536689 - nscd cannot read its database in /var/db/nscd
Summary: nscd cannot read its database in /var/db/nscd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-19 23:04 UTC by Mathieu Chouquet-Stringer
Modified: 2018-12-14 02:01 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-11 16:54:50 UTC
Type: Bug
Embargoed:



Description Mathieu Chouquet-Stringer 2018-01-19 23:04:34 UTC
Description of problem:
SELinux is blocking access to all files under /var/db/nscd

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-283.21.fc27.noarch
nscd-2.26-21.fc27.x86_64


How reproducible:
Install nscd, start it and you will get the following in:

Jan 19 23:59:38 foobar systemd[1]: Starting Name Service Cache Daemon...
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/passwd` (1)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/group` (3)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/hosts` (4)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/resolv.conf` (5)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/services` (6)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 disabled inotify-based monitoring for file `/etc/netgroup': No such file or directory
Jan 19 23:59:38 foobar nscd[14613]: 14613 stat failed for file `/etc/netgroup'; will try again later: No such file or directory
Jan 19 23:59:38 foobar systemd[1]: Started Name Service Cache Daemon.
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/passwd: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/group: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/hosts: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/services: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/netgroup: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 Access Vector Cache (AVC) started
Jan 19 23:59:57 foobar nscd[14613]: 14613 checking for monitored file `/etc/netgroup': No such file or directory

At the same time, audit.log shows:
type=AVC msg=audit(1516402778.936:1275): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/passwd" dev="dm-1" ino=12854056 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.936:1276): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/group" dev="dm-1" ino=12854057 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1277): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/hosts" dev="dm-1" ino=12854058 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1278): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/services" dev="dm-1" ino=12854059 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1279): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/netgroup" dev="dm-1" ino=12854060 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

I've made sure the directory is properly labelled and it's all good.

Comment 1 Fedora Update System 2018-02-20 11:14:33 UTC
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 2 Fedora Update System 2018-02-20 18:19:07 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 3 Fedora Update System 2018-02-27 17:21:33 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Mathieu Chouquet-Stringer 2018-04-19 20:49:23 UTC
Hello,

It seems to be fixed now, but fixing it added a new problem: clients of nscd (so basically anything using the glibc for host/user/group/more resolution) are denied access to the database.

Should this be a new bug or not?

type=AVC msg=audit(1524100503.021:20386): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524100503.023:20387): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/group" dev="dm-0" ino=13347969 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524159812.542:20744): avc:  denied  { map } for  pid=27302 comm="kdump-dep-gener" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524159812.542:20745): avc:  denied  { map } for  pid=27307 comm="selinux-autorel" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.248:148): avc:  denied  { map } for  pid=1082 comm="aliasesdb" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.448:149): avc:  denied  { map } for  pid=1122 comm="(colord)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.448:150): avc:  denied  { map } for  pid=1122 comm="(colord)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.645:153): avc:  denied  { map } for  pid=1135 comm="chroot-update" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170254.440:203): avc:  denied  { map } for  pid=1332 comm="(systemd)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170254.440:204): avc:  denied  { map } for  pid=1332 comm="(systemd)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170256.896:238): avc:  denied  { map } for  pid=1560 comm="dhclient" path="/var/db/nscd/services" dev="dm-1" ino=13347971 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0


type=AVC msg=audit(1524170662.840:340): avc:  denied  { map } for  pid=4465 comm="dbus-daemon-lau" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

Comment 5 Mathieu Chouquet-Stringer 2018-04-19 21:43:09 UTC
There's also:
type=AVC msg=audit(1524173771.997:285): avc:  denied  { connectto } for  pid=1049 comm="abrt-dump-journ" path="/run/nscd/socket" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket permissive=0
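The denials in the description and in comments 4 and 5 are two different policy gaps hitting the same target type: first nscd_t itself lacked map on nscd_var_run_t, then, once that was fixed, the client domains (logrotate_t, init_t, dhcpc_t, system_dbusd_t) lacked it, and abrt_dump_oops_t lacked connectto on the nscd socket. The following triage helper is an added example, not code from this bug or from the selinux-policy package: it parses raw audit records, groups denied permissions by source type, target type and object class, renders them the way audit2allow prints allow rules, and separates denials against the daemon's own domain from denials against its clients. The sample input reuses the denial lines quoted on this page plus one constructed SYSCALL record; all function names are my own.

```python
"""Summarise SELinux AVC denials so that "the daemon cannot use its own files"
can be told apart from "clients of the daemon cannot map its files"."""
import re
from collections import defaultdict

# Records copied from the denials quoted in this bug, plus one constructed
# non-AVC record (type=SYSCALL) to show that other record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1516402778.936:1275): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/passwd" dev="dm-1" ino=12854056 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524100503.021:20386): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524100503.023:20387): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/group" dev="dm-0" ino=13347969 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524173771.997:285): avc:  denied  { connectto } for  pid=1049 comm="abrt-dump-journ" path="/run/nscd/socket" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1516402778.936:1275): arch=c000003e syscall=9 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, result, permission set, then fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if bare == "" else bare
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    perms_by_key = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        perms_by_key[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in perms_by_key.items()}


def allow_rules(summary):
    """Render the summary the way audit2allow prints allow rules, for review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules


def split_owner_and_clients(summary, owner, target):
    """Which source domains are denied on `target`: the owning daemon itself
    (the first phase of this bug) or other domains, i.e. its clients (the
    second phase)?  Returns (owner_denied, sorted client types)."""
    owner_denied = False
    clients = set()
    for stype, ttype, _ in summary:
        if ttype != target:
            continue
        if stype == owner:
            owner_denied = True
        else:
            clients.add(stype)
    return owner_denied, sorted(clients)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(summary):
        print(rule)
    print(split_owner_and_clients(summary, "nscd_t", "nscd_var_run_t"))
```

Feeding `ausearch -m AVC --raw` output into `summarize_denials` gives the same grouping for a live system. A rule in the `allow_rules` output is only a candidate: the plugin text quoted above says it either belongs in the distribution policy (report it, as this bug did) or in a local module, and the owner/client split tells you which domain the fix needs to cover.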

Comment 6 Mathieu Chouquet-Stringer 2018-05-15 19:58:52 UTC
Same thing present in F28.

SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon-lau should be allowed map access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
# semodule -X 300 -i my-dbusdaemonlau.pp

And so on...

SELinux is preventing logrotate from map access on the file /var/db/nscd/group.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed map access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

Comment 7 John Hein 2018-06-07 20:11:33 UTC
Still happening on F27...

Jun  7 09:20:23 myhostxxx setroubleshoot[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket. For complete SELinux messages run: sealert -l 854c2b4b-b1e5-49bc-948f-5baa04773dec
Jun  7 09:20:23 myhostxxx python3[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that nscd should be allowed write access on the system_bus_socket sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nscd' --raw | audit2allow -M my-nscd#012# semodule -X 300 -i my-nscd.pp#012
Jun  7 09:20:26 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e
Jun  7 09:20:26 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012
Jun  7 09:20:28 myhostxxx audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  7 09:20:29 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e
Jun  7 09:20:29 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the group file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012

Comment 8 Ken Snider 2018-08-20 20:49:29 UTC
This is still an issue, and has now migrated to the most recent updates of RHEL7 as well.

Comment 9 Fedora Update System 2018-09-06 21:56:11 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 10 Fedora Update System 2018-09-07 17:11:39 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 11 Fedora Update System 2018-09-11 16:54:50 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Francesco Simula 2018-10-12 14:18:46 UTC
(In reply to Fedora Update System from comment #11)
> selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable
> repository. If problems still persist, please make note of it in this bug
> report.

selinux-policy is already at version 3.14.1-44 but the problem still persists (on Fedora 28), at least as spam in journalctl because everything seems to be working...

ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180
ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd.
                                       
                                       *****  Plugin catchall (100. confidence) suggests   **************************
                                       
                                       If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default.
                                       Then you should report this as a bug.
                                       You can generate a local policy module to allow this access.
                                       Do
                                       allow this access for now by executing:
                                       # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
                                       # semodule -X 300 -i my-dbusdaemonlau.pp
                                       
ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180
ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.
                                       
                                       *****  Plugin catchall (100. confidence) suggests   **************************
                                       
                                       If you believe that dbus-daemon-lau should be allowed map access on the group file by default.
                                       Then you should report this as a bug.
                                       You can generate a local policy module to allow this access.
                                       Do
                                       allow this access for now by executing:
                                       # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
                                       # semodule -X 300 -i my-dbusdaemonlau.pp
