Bug 1584632 - Add nss_systemd support to auth_use_nsswitch()
Summary: Add nss_systemd support to auth_use_nsswitch()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-31 10:47 UTC by Dridi Boukelmoune
Modified: 2019-03-13 09:47 UTC
CC List: 7 users

Fixed In Version: selinux-policy-3.14.2-22.fc29 selinux-policy-3.14.1-32.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-09 20:42:31 UTC
Type: Bug
Embargoed:



Description Dridi Boukelmoune 2018-05-31 10:47:20 UTC
Description of problem:

I observed it with varnish: by default it stalls in enforcing mode when the service is started. Depending on your nsswitch configuration calling getpwnam(3) may result in a systemd dynamic user lookup that gets denied.

Adding this support entails chatting with systemd --system over the dbus --system bus and getting attributes of /etc/systemd/dont-synthesize-nobody if the user configured nsswitch.conf as such.

Version-Release number of selected component (if applicable):

$ rpm -qa selinux-policy
selinux-policy-3.14.1-29.fc28.noarch

How reproducible: always

Steps to Reproduce:

# grep systemd /etc/nsswitch.conf
passwd:     systemd files
shadow:     systemd files
group:      systemd files

# setenforce 1

# time systemctl start varnish

real	1m0.325s
user	0m0.008s
sys	0m0.012s

# ausearch -m avc,user_avc,selinux_err -ts recent
----
time->Thu May 31 12:35:38 2018
type=USER_AVC msg=audit(1527762938.621:422): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=18001 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:36:08 2018
type=USER_AVC msg=audit(1527762968.625:423): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=18001 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Actual results:

A denial leaving the process calling getpwnam or getgrnam hanging.

Expected results:

No denial as the process is not explicitly sending the DBus messages.

Additional info:

Diagnosed with the help of Dominick Grift. I initially thought I was doing something wrong months ago and had removed "systemd" and "nss" entries in my nsswitch.conf file since I don't need them on my workstation.

Comment 1 dac.override 2018-05-31 11:29:26 UTC
Those avc denials are incomplete. This is the other half:

----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.202:408): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=17093 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.203:409): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=17093 tpid=1 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.203:410): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.94 spid=1 tpid=17093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
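As an added illustration (not code from the bug report or from the selinux-policy project), a small Python parser for USER_AVC records like the ones above: it pulls the dbus fields out of each denial, groups them by the client domain, and tells apart the full nss_systemd chain visible in permissive mode (Hello, LookupDynamicUserByName to init_t, and systemd's error reply) from the lone Hello denial that is all enforcing mode shows. The sample input is the three records from comment 1 with the audit bookkeeping fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample input: the three USER_AVC records from comment 1, with the audit
# bookkeeping fields (auid, ses, sauid, hostname, addr, terminal) trimmed for brevity.
SAMPLE = """\
type=USER_AVC msg=audit(1527761489.202:408): pid=1129 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=17093 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1527761489.203:409): pid=1129 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=17093 tpid=1 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1527761489.203:410): pid=1129 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.94 spid=1 tpid=17093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon"'
"""

AVC_RE = re.compile(r"type=USER_AVC .*msg='(?P<inner>avc:\s+(?P<result>\w+)\s+\{ (?P<perms>[^}]*) \} for .*)'\s*$")

def parse_user_avc(line):
    """Return the key=value fields of one USER_AVC record's inner avc message, or None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("inner")))
    fields["result"], fields["perms"] = m.group("result"), m.group("perms").split()
    return fields

def domain(ctx):
    """Type component of a context: system_u:system_r:varnishd_t:s0 -> varnishd_t."""
    return ctx.split(":")[2]

def classify(lines):
    """Group denied dbus send_msg events by client domain and decide whether they show the
    whole nss_systemd lookup (Hello, LookupDynamicUserByName to init_t, systemd's error
    reply) or only the Hello handshake, which is all that enforcing mode lets through."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_user_avc(line)
        if not f or f["result"] != "denied" or f.get("tclass") != "dbus":
            continue
        if "error_name" in f and domain(f["scontext"]) == "init_t":
            seen[domain(f["tcontext"])].add("reply:" + f["error_name"])  # systemd -> client
        else:
            seen[domain(f["scontext"])].add(f.get("member", "?"))        # client -> bus/systemd
    verdicts = {}
    for dom, members in seen.items():
        if "LookupDynamicUserByName" in members:
            verdicts[dom] = "nss_systemd dynamic-user lookup denied"
        elif members == {"Hello"}:
            verdicts[dom] = "only the bus handshake was denied; collect the rest in permissive mode"
        else:
            verdicts[dom] = "other dbus denial"
    return verdicts
```

Feeding it the output of the ausearch command from the report (one record per line) gives a per-domain verdict; a domain that only ever shows the Hello denial in enforcing mode is the symptom of the stall described above, since the lookup never gets past the bus handshake.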

Comment 2 Fedora Update System 2018-06-06 13:36:52 UTC
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

Comment 3 Fedora Update System 2018-06-07 13:17:21 UTC
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

Comment 4 Fedora Update System 2018-06-09 20:42:31 UTC
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
