Bug 182071 - ping not allowed to use nscd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Platform: All / Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-02-20 01:14 EST by Ulrich Drepper
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-05-09 15:15:06 EDT
Description Ulrich Drepper 2006-02-20 01:14:14 EST
Description of problem:
ping is executed in its own context (ping_exec_t) and this context is
apparently not allowed to use nscd.  I get

type=AVC msg=audit(1140416086.417:35186): avc:  denied  { name_connect } for 
pid=25684 comm="spamassassin" dest=111 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
selinux-policy-2.2.11-1

How reproducible:
always

Steps to Reproduce:
1. as root: strace ping www.redhat.com
Actual results:
above message in audit logs

Expected results:
nscd used, connect syscall succeeds

Additional info:
Comment 1 Ulrich Drepper 2006-02-20 01:17:04 EST
I pasted the wrong audit message:

type=AVC msg=audit(1140416531.597:35201): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35201): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35201):
saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc:  denied  { name_bind } for 
pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35202): arch=c000003e syscall=49
success=no exit=-13 a0=4 a1=7fffffd878a0 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35202):
saddr=020003CA000000000000000000000000
type=AVC msg=audit(1140416531.597:35203): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35203): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35203):
saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35204): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35204): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=0 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35204):
saddr=0200006F7F000001CAA44921952B0000
type=AVC msg=audit(1140416531.597:35205): avc:  denied  { name_bind } for 
pid=25810 comm="ping" src=971 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35205): arch=c000003e syscall=49
success=no exit=-13 a0=4 a1=7fffffd878d0 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35205):
saddr=020003CB000000000000000000000000
type=AVC msg=audit(1140416531.597:35206): avc:  denied  { name_connect } for 
pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35206): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=3 items=0 pid=25810
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35206):
saddr=0200006F7F000001CAA44921952B0000
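To make the records above easier to read, here is an added example (not part of the bug report) that groups each AVC with the SYSCALL and SOCKADDR records sharing its audit serial and decodes the saddr= blob; on the quoted log it shows that every name_connect denial is a connect() to 127.0.0.1:111 (the portmap_port_t port) and every name_bind denial is a bind() to a reserved port such as 970. The sample input is a constructed subset of the records quoted in comment 1, and the syscall-number table and the AF_UNIX branch (for a denial on the nscd socket from comment 3) assume x86_64 Linux.

```python
import re
import socket
import struct

# Constructed sample: two of the audit records quoted in comment 1 (the name_connect
# denial and the name_bind denial that follows it), re-joined onto one line per record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1140416531.597:35201): avc:  denied  { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35201): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35201): saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc:  denied  { name_bind } for pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35202): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffffd878a0 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35202): saddr=020003CA000000000000000000000000
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_X86_64 = {42: "connect", 49: "bind"}  # assumed from arch=c000003e in the records

def decode_sockaddr(hex_saddr):
    """Decode an audit saddr= blob (sa_family is host-order; an AF_INET port is big-endian)."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]  # x86 is little-endian, hence the 0200 prefix
    if family == 2:   # AF_INET on Linux
        (port,) = struct.unpack("!H", raw[2:4])
        return {"family": "AF_INET", "addr": socket.inet_ntoa(raw[4:8]), "port": port}
    if family == 1:   # AF_UNIX: what a denial on /var/run/nscd/socket would carry (assumed)
        return {"family": "AF_UNIX", "path": raw[2:].split(b"\0", 1)[0].decode()}
    return {"family": family}

def parse_audit(text):
    """Group the AVC, SYSCALL and SOCKADDR records that share one audit serial number."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"serial": int(m.group(1))})
        kv = dict(KV_RE.findall(line))
        if kv["type"] == "AVC":
            ev["perm"] = re.search(r"\{ (\w+) \}", line).group(1)
            ev["sdomain"] = kv["scontext"].split(":")[2]    # ping_t
            ev["ttype"] = kv["tcontext"].split(":")[2]      # portmap_port_t / reserved_port_t
            ev["tclass"] = kv["tclass"]
        elif kv["type"] == "SYSCALL":
            ev["syscall"] = SYSCALL_X86_64.get(int(kv["syscall"]), kv["syscall"])
            ev["errno"] = -int(kv["exit"])                  # 13 == EACCES
        elif kv["type"] == "SOCKADDR":
            ev["peer"] = decode_sockaddr(kv["saddr"])
    return [events[k] for k in sorted(events, key=int)]
```

Running `parse_audit` over a full `ausearch` dump of the quoted session yields one dict per serial, which makes the pattern (connect to portmap on 127.0.0.1:111, then bind to a reserved source port, repeated) visible without reading the raw hex.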
Comment 2 Daniel Walsh 2006-02-20 12:43:10 EST
Do you have ypbind running on your machine? If so, is the allow_ypbind boolean
turned on?
Comment 3 Ulrich Drepper 2006-02-25 13:05:58 EST
Yes, I'm using ypbind and /selinux/boolean/allow_ypbind contains 0 0.

But it's also nscd I worry about:

fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 EACCES (Permission denied)

nscd access is also not allowed.
Comment 4 Daniel Walsh 2006-05-09 15:15:06 EDT
Fixed in rawhide.
