Bug 182071 - ping not allowed to use nscd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh

Reported: 2006-02-20 06:14 UTC by Ulrich Drepper
Modified: 2007-11-30 22:11 UTC
Last Closed: 2006-05-09 19:15:06 UTC
Doc Type: Bug Fix


Description Ulrich Drepper 2006-02-20 06:14:14 UTC
Description of problem:
ping is executed in its own context (ping_exec_t) and this context is
apparently not allowed to use nscd.  I get

type=AVC msg=audit(1140416086.417:35186): avc:  denied  { name_connect } for 
pid=25684 comm="spamassassin" dest=111 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
selinux-policy-2.2.11-1

How reproducible:
always

Steps to Reproduce:
1. as root: strace ping www.redhat.com

Actual results:
above message in audit logs

Expected results:
nscd used, connect syscall succeeds

Additional info:

Comment 1 Ulrich Drepper 2006-02-20 06:17:04 UTC
I pasted the wrong audit message:

type=AVC msg=audit(1140416531.597:35201): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35201): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35201):
saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc:  denied  { name_bind } for 
pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35202): arch=c000003e syscall=49
success=no exit=-13 a0=4 a1=7fffffd878a0 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35202):
saddr=020003CA000000000000000000000000
type=AVC msg=audit(1140416531.597:35203): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35203): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35203):
saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35204): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35204): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=0 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35204):
saddr=0200006F7F000001CAA44921952B0000
type=AVC msg=audit(1140416531.597:35205): avc:  denied  { name_bind } for 
pid=25810 comm="ping" src=971 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35205): arch=c000003e syscall=49
success=no exit=-13 a0=4 a1=7fffffd878d0 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35205):
saddr=020003CB000000000000000000000000
type=AVC msg=audit(1140416531.597:35206): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35206): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35206):
saddr=0200006F7F000001CAA44921952B0000
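
As an added example (not part of the bug report), a small Python parser that groups the audit records above by event serial, summarises each AVC denial, and decodes the raw SOCKADDR saddr field so the denied connect/bind can be read as an address and port. It assumes the x86-64 sockaddr byte layout the report shows (arch=c000003e); the sample lines are two of the report's own records re-joined onto one line each.

```python
import re
import struct

# Sample input: two denials from the report above, each audit record re-joined
# onto one line (the kernel emits one record per line).
SAMPLE = """\
type=AVC msg=audit(1140416531.597:35201): avc:  denied  { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1140416531.597:35201): saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc:  denied  { name_bind } for pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1140416531.597:35202): saddr=020003CA000000000000000000000000
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value / key="quoted"
SERIAL = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')      # event serial number
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \}')

def parse_record(line):      # one audit record -> dict keyed by field name
    m = SERIAL.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec['serial'] = int(m.group(1))
    a = AVC.search(line)
    if a:
        rec['decision'], rec['perms'] = a.group(1), a.group(2).split()
    return rec

def decode_saddr(hexstr):    # raw sockaddr from a SOCKADDR record, x86-64 layout
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]             # sa_family: host order
    if family != 2:                                      # only AF_INET handled
        return {'family': family}
    port = struct.unpack('!H', raw[2:4])[0]              # sin_port: network order
    return {'family': 'AF_INET', 'port': port,
            'addr': '.'.join(str(b) for b in raw[4:8])}

def denials(text):           # group by serial, summarise each AVC denial + peer
    events = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        events.setdefault(rec['serial'], {})[rec['type']] = rec
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('decision') != 'denied':
            continue
        ev = {'serial': serial, 'comm': avc['comm'], 'tclass': avc['tclass'],
              'source_type': avc['scontext'].split(':')[2], 'perms': avc['perms'],
              'target_type': avc['tcontext'].split(':')[2]}
        if 'SOCKADDR' in recs:                           # what the call aimed at
            ev['peer'] = decode_saddr(recs['SOCKADDR']['saddr'])
        out.append(ev)
    return out
```

Decoding the first record gives a connect to 127.0.0.1:111 (the local portmapper) and the second a bind to 0.0.0.0:970 (a reserved port), which is the RPC client path a NIS lookup takes and why the ypbind boolean asked about in Comment 2 is the relevant one.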


Comment 2 Daniel Walsh 2006-02-20 17:43:10 UTC
Do you have ypbind running on your machine, if so is the allow_ypbind boolean
turned on?

Comment 3 Ulrich Drepper 2006-02-25 18:05:58 UTC
Yes, I'm using ypbind and /selinux/boolean/allow_ypbind contains 0 0.

But it's also nscd I worry about:

fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 EACCES (Permission denied)


nscd access is also not allowed.

Comment 4 Daniel Walsh 2006-05-09 19:15:06 UTC
Fixed in rawhide.