Bug 1657270 - selinux prevents 'map' access of /var/db/nscd/passwd
Summary: selinux prevents 'map' access of /var/db/nscd/passwd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-07 14:43 UTC by Patrik Kis
Modified: 2019-06-14 01:42 UTC

Fixed In Version: selinux-policy-3.14.1-49.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:42:31 UTC
Type: Bug
Target Upstream Version:



Description Patrik Kis 2018-12-07 14:43:18 UTC
Description of problem:
The following AVC denials appear when installing oddjob-mkhomedir on a system where nscd is running.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-48.el8
oddjob-0.34.4-4.el8
nscd-2.28-38.el8

Steps to Reproduce:
1. Install and start nscd

# dnf install nscd
... snip ...

# service nscd restart
# ausearch -i -m avc -ts 09:35:06
<no matches>

2. Install oddjob-mkhomedir
# dnf install oddjob-mkhomedir
... snip ...
=====================================================================================================================
 Package                        Arch                 Version                      Repository                    Size
=====================================================================================================================
Installing:
 oddjob-mkhomedir               x86_64               0.34.4-4.el8                 rhel-AppStream                51 k
Installing dependencies:
 psmisc                         x86_64               23.1-3.el8                   rhel                         150 k
 oddjob                         x86_64               0.34.4-4.el8                 rhel-AppStream                82 k

Transaction Summary
=====================================================================================================================
Install  3 Packages
... snip ...

# ausearch -i -m avc -ts 09:35:06
----
type=PROCTITLE msg=audit(12/07/2018 09:36:39.949:343) : proctitle=/bin/sh /usr/lib/systemd/system-generators/kdump-dep-generator.sh /run/systemd/generator /run/systemd/generator.early /run/syste 
type=SYSCALL msg=audit(12/07/2018 09:36:39.949:343) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x34fc8 a2=PROT_READ a3=MAP_SHARED items=0 ppid=6506 pid=6507 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kdump-dep-gener exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/07/2018 09:36:39.949:343) : avc:  denied  { map } for  pid=6507 comm=kdump-dep-gener path=/var/db/nscd/passwd dev="vda1" ino=5027991 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/07/2018 09:36:39.982:344) : proctitle=/bin/sh /usr/lib/systemd/system-generators/selinux-autorelabel-generator.sh /run/systemd/generator /run/systemd/generator.early 
type=SYSCALL msg=audit(12/07/2018 09:36:39.982:344) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x34fc8 a2=PROT_READ a3=MAP_SHARED items=0 ppid=6506 pid=6510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=selinux-autorel exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/07/2018 09:36:39.982:344) : avc:  denied  { map } for  pid=6510 comm=selinux-autorel path=/var/db/nscd/passwd dev="vda1" ino=5027991 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0 

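The two records above show the same thing twice: a systemd generator (bash running as init_t) calls mmap(PROT_READ, MAP_SHARED) on /var/db/nscd/passwd, which is glibc's nscd client mapping the shared cache file, and SELinux refuses because init_t lacks the map permission on nscd_var_run_t (map is checked separately from read, at mmap time, and permissive=0 means the denial was enforced). The script below is an added example, not part of the bug report or of selinux-policy: it parses AVC records into the narrow local-policy module that a practitioner would build to confirm the diagnosis or to work around the denial until the fixed selinux-policy build is installed. The sample input is the two AVC lines from the report, embedded verbatim; the module name local_nscd_map and the function name avc_te_module are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy):
# build a minimal SELinux local-policy module from AVC denial records.

# Constructed sample input: the two AVC records quoted in the report.
SAMPLE_AVCS='type=AVC msg=audit(12/07/2018 09:36:39.949:343) : avc:  denied  { map } for  pid=6507 comm=kdump-dep-gener path=/var/db/nscd/passwd dev="vda1" ino=5027991 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(12/07/2018 09:36:39.982:344) : avc:  denied  { map } for  pid=6510 comm=selinux-autorel path=/var/db/nscd/passwd dev="vda1" ino=5027991 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0'

# avc_te_module MODULE_NAME
# Reads AVC records on stdin and prints a .te module: a require block
# listing every source/target type and class/permission seen, then one
# deduplicated "allow src tgt:class { perms };" per (src, tgt, class) triple.
avc_te_module() {
    awk -v mod="${1:-local_avc}" '
    /avc: *denied/ {
        # permissions are the words between "{" and "}"
        perms = ""
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") c = v
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        # the type is the third component of user:role:type:level
        split(s, sp, ":"); split(t, tp, ":")
        st = sp[3]; tt = tp[3]
        types[st] = 1; types[tt] = 1
        key = st " " tt ":" c
        if (!(key in rules)) { rules[key] = ""; order[++nr] = key }
        np = split(perms, pl, " ")
        for (j = 1; j <= np; j++) {
            # merge permission sets across records for the same triple
            if (index(" " rules[key] " ", " " pl[j] " ") == 0)
                rules[key] = (rules[key] == "" ? pl[j] : rules[key] " " pl[j])
            if (index(" " classperms[c] " ", " " pl[j] " ") == 0)
                classperms[c] = (classperms[c] == "" ? pl[j] : classperms[c] " " pl[j])
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types) printf "    type %s;\n", ty
        for (cl in classperms) printf "    class %s { %s };\n", cl, classperms[cl]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s { %s };\n", order[i], rules[order[i]]
    }'
}

# Usage: feed the records from ausearch (or the sample) into the generator.
printf '%s\n' "$SAMPLE_AVCS" | avc_te_module local_nscd_map
```

For the sample input this emits a single rule, allow init_t nscd_var_run_t:file { map };, which is exactly the access the kernel refused. To apply it as a stop-gap, save the output as local_nscd_map.te and run checkmodule -M -m -o local_nscd_map.mod local_nscd_map.te, semodule_package -o local_nscd_map.pp -m local_nscd_map.mod, and semodule -i local_nscd_map.pp; remove it again with semodule -r local_nscd_map once selinux-policy-3.14.1-49.el8 is installed, since the shipped fix is broader than this one type pair. Whether the fix is in place can be checked with sesearch -A -s init_t -t nscd_var_run_t -c file -p map, which should print an allow rule on the fixed policy.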
Comment 1 Lukas Vrabec 2018-12-07 15:47:27 UTC
Petr,

Do you know what this is?
/usr/lib/systemd/system-generators/selinux-autorelabel-generator.sh 

We need to add proper labeling somewhere to avoid running this under init_t. 

Thanks,
Lukas.

Comment 2 Petr Lautrbach 2018-12-07 17:17:59 UTC
o_O cat /usr/lib/systemd/system-generators/selinux-autorelabel-generator.sh 
#!/usr/bin/sh

# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
# selinux-autorelabel.target, which will cause the filesystem to be
# relabelled and then the system will reboot again and boot into the
# real default target.

Comment 3 Lukas Vrabec 2018-12-10 12:52:27 UTC
commit f9e84fea9286198ece5d9e366bbce0460713f138 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Dec 10 13:51:59 2018 +0100

    Allow systemd to mmap all pidfiles

