Red Hat Bugzilla – Bug 174422
nscd update for new audit messages
Last modified: 2007-11-30 17:11:18 EST
Description of problem:
The audit library is deprecating the function that is being used by nscd. This is because LSPP requires more information than is currently being logged.
Steps to Reproduce:
1. Found by inspection
Created attachment 121562
patch updating to new audit functionality
Please review and apply.
I've added a slightly improved version of the patch.
But what is the FIXME about? When will this be corrected?
Thanks for looking at this. I was hoping to bump the so number early in Jan with
the old functions removed. nscd is the only app that is holding that up.
In any event, the FIXME is that the user field in the audit message is being
filled in with getuid(), which is the user ID of nscd, rather than the user that
requested the action that violated the SELinux policy.
I don't know the data structures being passed around in nscd (or SELinux) to
correctly attribute the caller for the violation of the policy. My main
objective at this moment was simply to change the called function so that I can
bump the so number.
There is another fix needed for nscd. When it changes from root to the nscd
user, it needs to keep CAP_AUDIT_WRITE. I haven't added that patch yet since I'm
still refining the technique with dbus and newrole. If you would like to go
ahead and add it, I'd really appreciate it.
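The CAP_AUDIT_WRITE retention described above, as an added example that is not nscd's code and not the patch attached to this bug: it drops from root to an unprivileged uid/gid while keeping only CAP_AUDIT_WRITE in the permitted and effective sets, using prctl(PR_SET_KEEPCAPS) plus the raw capset syscall so that libcap is not needed. The function names and the sample id 65534 in main() are illustrative; the routine must start as root to do anything and fails with EPERM otherwise.

```c
/* Added example, not nscd's code: drop to an unprivileged user but keep
   CAP_AUDIT_WRITE so the daemon can still write to the audit socket. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Fill a v3 (two 32-bit words) capability data array so that exactly the
   capabilities in caps[] are permitted and effective. Inheritable is left
   empty on purpose: anything the daemon execs must not keep the capability.
   Returns -1 if a capability number is out of range. */
static int build_cap_data(struct __user_cap_data_struct data[2],
                          const int *caps, size_t ncaps)
{
    memset(data, 0, 2 * sizeof data[0]);
    for (size_t i = 0; i < ncaps; i++) {
        int c = caps[i];
        if (c < 0 || c >= 64)
            return -1;
        __u32 bit = 1u << (c & 31);
        data[c >> 5].permitted |= bit;
        data[c >> 5].effective |= bit;
    }
    return 0;
}

/* True if capability c is both permitted and effective in data[]. */
static int cap_data_has(const struct __user_cap_data_struct data[2], int c)
{
    __u32 bit = 1u << (c & 31);
    return (data[c >> 5].permitted & bit) && (data[c >> 5].effective & bit);
}

/* Switch from root to uid/gid keeping only CAP_AUDIT_WRITE.
   Returns 0 on success, -1 with errno set otherwise. */
int drop_to_user_keep_audit_write(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) {
        errno = EPERM;
        return -1;
    }
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];
    const int wanted[] = { CAP_AUDIT_WRITE };
    if (build_cap_data(data, wanted, 1) < 0) {
        errno = EINVAL;
        return -1;
    }
    /* Without KEEPCAPS, setuid() away from 0 empties the permitted set
       and CAP_AUDIT_WRITE would be gone before it could be kept. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* KEEPCAPS preserved permitted but the uid change cleared effective;
       shrink permitted to the one capability and raise it into effective. */
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void)
{
    /* 65534 is the conventional "nobody" id, used here only as a sample. */
    if (drop_to_user_keep_audit_write(65534, 65534) < 0) {
        perror("drop_to_user_keep_audit_write");
        return 1;
    }
    printf("now uid=%u, CAP_AUDIT_WRITE retained\n", (unsigned)getuid());
    return 0;
}
```

Build with `cc -o keepcaps keepcaps.c` and run as root; `grep Cap /proc/<pid>/status` on the running process should then show 0000000020000000 (bit 29) for CapPrm and CapEff and zero for CapInh.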
> I was hoping to bump the so number early in Jan with
> the old functions removed.
Why? It is always bad to bump SONAMEs.
> I don't know the data structures being passed around in nscd (or se linux) to
> correctly attribute the caller for the violation of the policy.
The nscd side is trivial. nscd_request_avc_has_perm can easily be passed the
UID of the other side. We already compute it (sometimes) at the call side. The
question is: how to pass it to the printing routine. I guess it is called
through avc_has_perm. If you figure this out it's easy enough to add.
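The attribution problem raised in both comments above (the FIXME that logs getuid(), and the question of how the caller's UID reaches the printing routine), as an added example that is neither nscd's nor libselinux's code: the peer's uid and pid are read with SO_PEERCRED on the client socket and attached to the permission check as the opaque auditdata pointer, which the audit callback receives unchanged. The AVC layer here is a stand-in modelled on the shape of libselinux's audit callback, denying every request so the callback fires; the real function consults policy. The struct and function names are illustrative, and the record text is a constructed format, not libaudit's.

```c
/* Added example, not nscd's or libselinux's code: carry the requesting
   client's credentials to the AVC audit callback via auditdata. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Per-request context nscd has at the call site and wants in the log. */
struct nscd_auditdata {
    uid_t uid;            /* requesting client, from SO_PEERCRED */
    pid_t pid;
    const char *request;  /* lookup name, e.g. "getpwnam" */
};

/* Audit callback with the shape of libselinux's avc_audit callback: it is
   handed the auditdata pointer given to avc_has_perm(), unchanged. */
typedef void (*audit_cb_t)(void *auditdata, char *buf, size_t buflen);

/* Attributes the denial to the client. A callback that ignores auditdata
   and prints getuid() logs nscd's own uid instead; that is the FIXME. */
static void audit_with_caller(void *auditdata, char *buf, size_t buflen)
{
    const struct nscd_auditdata *d = auditdata;
    snprintf(buf, buflen, "nscd: denied { %s } uid=%u pid=%d",
             d->request, (unsigned)d->uid, (int)d->pid);
}

/* Model of avc_has_perm(): the real one consults policy and calls the
   registered audit callback on denial. Here every request is denied so
   the plumbing is exercised, and the record is returned in `record`. */
static int model_avc_has_perm(audit_cb_t cb, void *auditdata,
                              char *record, size_t n)
{
    cb(auditdata, record, n);
    return -1;
}

/* Resolve the peer of a unix socket: the same data nscd already fetches
   for some requests, and what the audit record needs. */
int peer_cred(int fd, uid_t *uid, pid_t *pid)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *pid = cr.pid;
    return 0;
}

/* nscd side: attach the caller to the check so the log can name them.
   Returns the verdict (-1 here, denied); `record` receives the audit text,
   or stays empty if the peer could not be resolved. */
int nscd_request_check(int client_fd, const char *request,
                       char *record, size_t n)
{
    struct nscd_auditdata d = { .request = request };
    if (n)
        record[0] = '\0';
    if (peer_cred(client_fd, &d.uid, &d.pid) < 0)
        return -1;
    return model_avc_has_perm(audit_with_caller, &d, record, n);
}

int main(void)
{
    int sv[2];
    char record[256];
    /* socketpair stands in for a client connection to nscd's socket. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    nscd_request_check(sv[1], "getpwnam", record, sizeof record);
    puts(record);
    return 0;
}
```

In the real code the struct would be built where nscd already computes the peer credentials and passed as the last argument of avc_has_perm(); nothing else in the AVC path needs to know its layout.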
glibc-2.3.90-25 should show up in rawhide today.