Bug 160038 - selinux targeted update breaks nscd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Duplicates: 160232
Reported: 2005-06-10 06:04 EDT by Michael Young
Modified: 2007-11-30 17:11 EST

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 11:59:58 EDT
Attachments
Patch to nscd.te which allows nscd to read files of type cert_t (528 bytes, patch), 2005-06-16 19:25 EDT, Jason Tibbitts
Description Michael Young 2005-06-10 06:04:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4

Description of problem:
After upgrading to selinux-policy-targeted-1.17.30-3.2 I get the following avc error messages after each boot
Jun 10 10:41:28 bigspen kernel: audit(1118396481.548:0): avc:  denied  { search } for  pid=3036 exe=/sbin/syslogd name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396481.548:0): avc:  denied  { search } for  pid=3036 exe=/sbin/syslogd name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396482.763:0): avc:  denied  { search } for  pid=3176 exe=/sbin/ypbind name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:ypbind_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396482.763:0): avc:  denied  { search } for  pid=3176 exe=/sbin/ypbind name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:ypbind_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

and nscd won't shut down from the init script (giving the error
Jun 10 10:55:15 bigspen kernel: audit(1118397315.279:0): avc:  denied  { connectto } for  pid=4937 exe=/usr/sbin/nscd path=/var/run/nscd/socket scontext=root:system_r:nscd_t tcontext=user_u:system_r:nscd_t tclass=unix_stream_socket
), though it does appear to restart without errors if killed manually.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
1. upgrade file and boot
  

Additional info:
Comment 1 Daniel Walsh 2005-06-10 07:01:34 EDT
Can you check out selinux-policy-targeted-1.23.18-3.8

You can get it at 

ftp://people.redhat.com/dwalsh/SELinux/FC3/
Comment 2 Michael Young 2005-06-10 10:32:22 EDT
1.23.18-3.8 gives a load of different errors
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { search } for  pid=3659 exe=/usr/sbin/nscd name=yp dev=hda3 ino=98343 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=867 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=868 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.241:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=869 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.241:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=870 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.244:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=871 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { search } for  pid=3659 exe=/usr/sbin/nscd name=yp dev=hda3 ino=98343 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=872 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=873 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.330:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=874 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.330:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=875 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.332:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=876 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Comment 3 David Juran 2005-06-11 15:35:45 EDT
I also have an issue with selinux-policy-targeted-1.17.30-3.2 which might be
related. Whenever I start httpd ( httpd-2.0.52-3.1 ) I get the following message:

Jun 11 21:19:49 emilia kernel: audit(1118517589.376:0): avc:  denied  { search } for  pid=27931 exe=/usr/sbin/httpd name=nscd dev=dm-3 ino=245801 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

The file referred to in inode 245801 is /var/run/nscd/

Do note that I do _not_ run nscd... 
Comment 4 Daniel Walsh 2005-06-13 11:43:16 EDT
Are you running in permissive mode?  If yes, run in enforcing mode and see if
AVC message goes away.
Comment 5 Jason Tibbitts 2005-06-13 17:49:40 EDT
*** Bug 160232 has been marked as a duplicate of this bug. ***
Comment 6 Michael Young 2005-06-14 10:31:06 EDT
I get the errors in #2 with enforcing on. 1.17.30-3.9 gives similar errors.
Comment 7 Brad Wade 2005-06-14 14:34:28 EDT
I also get errors from httpd and mysqld with selinux-policy-targeted-1.17.30-3.2
with the same nscd directory (I'm not using nscd, though):

(httpd)
Jun 14 12:32:39 aslan kernel: audit(1118773959.736:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.737:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.738:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.739:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

(mysqld)
Jun 14 12:33:17 aslan kernel: audit(1118773997.379:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.379:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.380:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.380:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Comment 8 Daniel Walsh 2005-06-15 10:50:55 EDT
If you are running ypbind, please execute 

setsebool -P allow_ypbind=1

Dan
Comment 9 Jason Tibbitts 2005-06-15 14:23:44 EDT
I updated to selinux-policy-targeted-1.17.30-3.9; it seemed to relabel the
entire filesystem.  In any case, the nscd control socket stuff (-g, -K, -i)
works fine, but it still traps access to /usr/share/ssl/cacert.pem:

audit(1118858107.560:0): avc:  denied  { read } for  pid=3205 exe=/usr/sbin/nscd name=cacert.pem dev=dm-3 ino=786433 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file

I'm beginning to think that I've chosen a poor location for cacert.pem; I was
just following an example I saw somewhere and can move it somewhere else if it's
causing problems.

Is there some official location that would be better?  /usr/share/ssl/certs?  I
recall that FC4 is using /etc/certs; will that work in FC3?
Comment 10 Jason Tibbitts 2005-06-16 19:24:12 EDT
I read up enough to gain enough understanding of Selinux to be dangerous.  I
don't think that nscd.te includes anything that would allow nscd to access files
of type cert_t.  I hacked a patch (attached) into the RPM and rebuilt; nscd
seems to work now although starting it logs a single line:

audit(1118963275.487:0): avc:  denied  { read } for  pid=2815 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

cert.pem is placed by the openssl package in /usr/share/ssl; it is just a link
to /usr/share/ssl/certs/ca-bundle.crt.  ca-bundle.crt has the appropriate
context.  I do not know if I can configure anything to force it to look
elsewhere.  In any case, this doesn't seem to bother nscd.
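The denials quoted in comments 2 and 7, and the cert_t rule hacked into nscd.te in comment 10, are exactly the input and output of the audit2allow workflow. Below is an added example, not code from this report or from the selinux-policy package, that parses the FC3-era AVC format shown above, groups denials by source type, target type and object class the way audit2allow does, and renders the candidate allow rules for review; the sample lines are copied from comments 2 and 7 with their wrapping removed, and nothing else is assumed.

```python
import re
from collections import defaultdict

# Matches the FC3-era kernel AVC denial format shown in this report.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample input: denial lines copied from comments 2 and 7 of
# the report, with the wrapped lines rejoined.
SAMPLE_LOG = """\
audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=867 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
audit(1118410695.241:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=869 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
audit(1118410695.223:0): avc:  denied  { search } for  pid=3659 exe=/usr/sbin/nscd name=yp dev=hda3 ino=98343 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_yp_t tclass=dir
audit(1118773959.736:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
"""

def parse_avc(line):
    """Return (perms, fields) for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return perms, fields

def type_of(context):
    """'user_u:system_r:nscd_t' -> 'nscd_t' (the type is always the third field)."""
    return context.split(":")[2]

def summarize(text):
    """Collapse denials into {(source type, target type, class): set of perms};
    this is the grouping audit2allow does before it prints allow rules."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        wanted[key] |= perms
    return dict(wanted)

def allow_rules(summary):
    """Render each group as a TE allow rule for review. Not every group deserves
    an allow: a client such as httpd merely probing for an nscd socket that is
    not there is normally a dontaudit candidate, not a grant."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in summary.items())
```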
Comment 11 Jason Tibbitts 2005-06-16 19:25:23 EDT
Created attachment 115584 [details]
Patch to nscd.te which allows nscd to read files of type cert_t
Comment 12 Jason Tibbitts 2005-06-27 01:59:09 EDT
The latest targeted policy update (1.17.30-3.13) triggers a different error upon
nscd invocation:

nscd: error while loading shared libraries: librt.so.1: failed to map segment
from shared object: Permission denied

audit(1119851000.894:0): avc:  denied  { execute } for  pid=14464 comm=nscd path=/lib/tls/librt-2.3.5.so dev=dm-0 ino=49183 scontext=root:system_r:nscd_t tcontext=system_u:object_r:lib_t tclass=file

[root@ld83 ~]# ls -lZ /lib/tls/librt*
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/librt-2.3.5.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/tls/librt.so.1 -> librt-2.3.5.so

The machine has not survived a reboot.  I'll be happy to provide more
information once I'm in the office with the machine.
Comment 13 Jason Tibbitts 2005-06-27 12:58:08 EDT
The machine was hung at shutdown; this is the last thing that was logged:

Jun 27 00:51:33 ld83 nifd: nifd shutdown succeeded
Jun 27 00:51:34 ld83 autofs: automount shutdown succeeded
Jun 27 00:51:34 ld83 kernel: audit(1119851494.786:0): avc:  denied  { execute } for  pid=15241 comm=nscd path=/lib/tls/librt-2.3.5.so dev=dm-0 ino=49183 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 00:51:34 ld83 nscd: nscd shutdown failed
Jun 27 00:51:34 ld83 ntpd[3447]: ntpd exiting on signal 15
Jun 27 00:51:34 ld83 ntpd: ntpd shutdown succeeded
Jun 27 00:51:34 ld83 nfslock: lockd shutdown failed
Jun 27 00:51:34 ld83 rpc.statd[2880]: Caught signal 15, un-registering and exiting.
Jun 27 00:51:35 ld83 nfslock: rpc.statd shutdown succeeded
Jun 27 00:51:35 ld83 portmap: portmap shutdown succeeded
Jun 27 00:51:35 ld83 kernel: Kernel logging (proc) stopped.
Jun 27 00:51:35 ld83 kernel: Kernel log daemon terminating.
Jun 27 00:51:36 ld83 syslog: klogd shutdown succeeded
Jun 27 00:51:36 ld83 exiting on signal 15

It is headless so I have no further information.

When I rebooted the machine today it came up fine.  The following errors are
logged at nscd startup:

audit(1119891121.027:0): avc:  denied  { read } for  pid=3202 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

(that's the same as before)

audit(1119891124.568:0): avc:  denied  { search } for  pid=3429 exe=/usr/sbin/ntpd name=pki dev=dm-0 ino=33637 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1119891124.571:0): avc:  denied  { search } for  pid=3429 exe=/usr/sbin/ntpd name=pki dev=dm-0 ino=33637 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:cert_t tclass=dir

(these two are new)

but nscd still seems to work OK.

I have no idea why the machine would have hung at shutdown.  I will try to make
sure that I'm present when rebooting all of my other machines to make sure they
don't hang as well.  If I get any further information I'll report it here.
