Bug 1772852 - AVCs seen when nscd service is enabled
Summary: AVCs seen when nscd service is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Jan Fiala
URL:
Whiteboard:
Duplicates: 1872304
Depends On:
Blocks: 1825061
Reported: 2019-11-15 10:25 UTC by Renaud Métrich
Modified: 2020-11-04 01:57 UTC
CC: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
NSCD databases can now use different modes

Domains in the `nsswitch_domain` attribute are allowed access to Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the `nscd.conf` file, and the `shared` property determines whether the database uses Shared memory or Socket mode. Previously, all NSCD databases had to use the same access mode, depending on the `nscd_use_shm` boolean value. Now, using Unix stream socket is always allowed, and therefore different NSCD databases can use different modes.
Clone Of:
Environment:
Last Closed: 2020-11-04 01:55:53 UTC
Type: Bug
Target Upstream Version:

Links:
Red Hat Knowledge Base (Solution) 4595551 (last updated 2019-11-21 09:41:04 UTC)
Red Hat Product Errata RHBA-2020:4528 (last updated 2020-11-04 01:56:19 UTC)

Description Renaud Métrich 2019-11-15 10:25:32 UTC
Description of problem:

By default, the "nscd_use_shm" boolean is enabled. When enabling "nscd.service" unit, a customer sees AVCs related to mapping the nscd files into memory:

Examples:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=MMAP msg=audit(1573121827.671:504): fd=9 flags=0x1
type=SYSCALL msg=audit(1573121827.671:504): arch=c000003e syscall=9 success=yes exit=139970810851328 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=1458 pid=11370 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1573121827.671:504): avc:  denied  { map } for  pid=11370 comm="cleanup" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1

type=MMAP msg=audit(1573127709.632:479): fd=5 flags=0x1
type=SYSCALL msg=audit(1573127709.632:479): arch=c000003e syscall=9 success=yes exit=140258057723904 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=89285 pid=89286 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1573127709.632:479): avc:  denied  { map } for  pid=89286 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

All nscd clients ("nsswitch_domain" domains) are affected, in particular the postfix_*_t domains.
Additionally, the "chronyc_t" domain is affected: this domain is not part of the "nsswitch_domain" attribute and I believe it's missing.

Looking closely, I can see that a rule exists for "nsswitch_domain" on "nscd_var_run_t", but *only* if "nscd_use_shm" is disabled, which looks weird to me:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow nsswitch_domain nscd_var_run_t:file map; [ nscd_use_shm ]:False
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

I would expect the "nscd_use_shm" boolean to add more rules, not toggle rules, since an nscd client may use shm or not (this depends on the configuration in /etc/nscd.conf and is table dependent: you may have "shared yes" for one table but not the other) and the socket seems always used anyway.

Policy shows it's an "If Else" definition ("Either SHM, or SOCKET"):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
interface(`nscd_use',`
        tunable_policy(`nscd_use_shm',`
                nscd_shm_use($1)
        ',`
                nscd_socket_use($1)
        ')
')
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Additionally, I would expect "chronyc_t" to be part of "nsswitch_domain".


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch


How reproducible:

Always


Steps to Reproduce:
1. Install chrony and nscd

  # yum -y install chronyc nscd
  # systemctl start nscd
  # systemctl start chronyd

2. Execute chronyc

  # chronyc sources

Actual results:

type=MMAP msg=audit(1573813431.484:214): fd=5 flags=0x1
type=SYSCALL msg=audit(1573813431.484:214): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=1715 pid=4860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1573813431.484:214): avc:  denied  { map } for  pid=4860 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-0" ino=50333164 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0


Expected results:

No AVC. Also, if "nscd_use_shm" is disabled, no AVC (the same happens here because chronyc_t is not part of nsswitch_domain).

Comment 3 yuk 2020-03-26 08:33:32 UTC
Any news?
Which is the target release now?

Thanks

Comment 4 Milos Malik 2020-03-26 09:46:53 UTC
My guess is: RHEL-8.3

Comment 5 Zdenek Pytela 2020-03-26 10:07:55 UTC
Target release set to 8.3.

Comment 7 Lukas Vrabec 2020-05-18 15:53:07 UTC
Backported to Fedora: 

commit cafd50640ad014d92e9efdc9aef3dbde638f1816 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Mon May 18 17:36:08 2020 +0200

    Allow chronyc_t domain to use nsswitch

commit 5ac560626979e00693831bd570c2a4575e50d896
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Mon May 18 17:09:37 2020 +0200

    Allow nscd_socket_use() for domains in nscd_use() unconditionally
    
    The nscd_use() interface is used for nsswitch_domain or particular
    domains to allow access to nscd services.
    Each nscd database can be configured by the "shared" property in
    nscd.conf to use the Shared memory or Socket mode.
    Previously, either nscd_shm_use() or nscd_socket_use() were used,
    depending on the value of the nscd_use_shm boolean.
    Since this commit, nscd_socket_use() is always allowed so that in
    different nscd databases different modes can be used.
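To make the two states concrete, the following is an added illustration (not quoted from the Fedora commits above or from any shipped policy) of the `nscd_use` interface as the reporter found it and as the commit message describes it afterwards, followed by a constructed call of the kind that would put `chronyc_t` into `nsswitch_domain`; the actual upstream diffs are not on this page, so the exact form of both changes is an assumption.

```m4
## BEFORE: the interface quoted in the bug report. The tunable selects exactly
## one branch, so with nscd_use_shm=on the socket-mode rules (including
## "nscd_var_run_t:file map") are absent and clients hit the AVC shown above.
interface(`nscd_use',`
	tunable_policy(`nscd_use_shm',`
		nscd_shm_use($1)
	',`
		nscd_socket_use($1)
	')
')

## AFTER: what "Allow nscd_socket_use() for domains in nscd_use()
## unconditionally" describes. Socket-mode rules are always granted; only the
## shared-memory rules stay behind the boolean, so each nscd database may use
## either "shared" setting in nscd.conf. (Reconstructed from the commit
## message, not copied from the upstream diff.)
interface(`nscd_use',`
	tunable_policy(`nscd_use_shm',`
		nscd_shm_use($1)
	')
	nscd_socket_use($1)
')

## chronyc_t: a call of this shape in the chrony module adds the domain to the
## nsswitch_domain attribute, which is what "Allow chronyc_t domain to use
## nsswitch" implies. Assumption: the real change may differ in form.
auth_use_nsswitch(chronyc_t)
```

On a running system, `sesearch -A -s chronyc_t -t nscd_var_run_t -c file -p map` shows whether the map rule exists for the domain and, if so, whether it is still conditional on `nscd_use_shm`.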

Comment 17 Zdenek Pytela 2020-09-10 09:34:14 UTC
*** Bug 1872304 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2020-11-04 01:55:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528