Bug 205876 - "AVC" denial of "nscd"
"AVC" denial of "nscd"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: shadow-utils (Show other bugs)
i386 Linux
medium Severity medium
Assigned To: Peter Vrabec
David Lawrence
Duplicates: 206519
Reported: 2006-09-09 06:25 EDT by Joachim Frieben
Modified: 2007-11-30 17:07 EST (History)
CC: 2 users

Doc Type: Bug Fix
Last Closed: 2006-10-04 07:54:10 EDT

Attachments (Terms of Use)
"audit" log file for "RHEL5 beta 1" (23.97 KB, text/plain)
2006-09-10 08:03 EDT, Joachim Frieben
no flags Details
"SELinux Alert" screenshot for "RHEL5 beta 1" (61.28 KB, image/png)
2006-09-10 08:04 EDT, Joachim Frieben
no flags Details
strace -fo log rpm -i nfs-utils-1.0.9-7.fc6.i386.rpm (600.96 KB, text/plain)
2006-09-22 08:45 EDT, Peter Vrabec
no flags Details

Description Joachim Frieben 2006-09-09 06:25:57 EDT
Description of problem:
SELinux denied ['write'] access for the file (/etc/group) requested by

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a bunch of packages via "pirut".
Actual results:
"AVC" denial icon pops up in the notification area.

Expected results:
Access rights get granted as requested.

Additional info:
Target Object:        /etc/group
Affected RPMs:        nscd-2.4.90-22
Existing Bug Reports: coming soon
Policy RPM:           selinux-policy-2.3.3-22
Selinux Enabled:      True
Policy Type:          targeted
MLS Enabled:          True
Enforcing Mode:       Permissive
Comment 1 Daniel Walsh 2006-09-09 07:06:55 EDT
Could you attach the avc messages from /var/log/audit/audit.log
Comment 2 Joachim Frieben 2006-09-09 09:20:01 EDT
Sorry, but I have already hopped back to "rawhide". This channel
thing seems to have changed with respect to "RHEL4 beta X", not
obvious if one gets updates or not ... repodata broken, etc.
Btw, what I have posted above is copied 100% from the notification
applet. I will give "RHEL 5 beta1" another try in "QEMU" and post
the result .. a little patience, please.
Comment 3 Joachim Frieben 2006-09-10 08:03:06 EDT
Created attachment 135921 [details]
"audit" log file for "RHEL5 beta 1"
Comment 4 Joachim Frieben 2006-09-10 08:04:15 EDT
Created attachment 135922 [details]
"SELinux Alert" screenshot for "RHEL5 beta 1"
Comment 5 Daniel Walsh 2006-09-18 12:33:13 EDT
This is caused by a leaked file descriptor in groupadd.  Basically all file
descriptors have to be closed on exec, or the execed application will have access
to the file descriptors.

fcntl(fd, F_SETFD, FD_CLOEXEC)

The kernel is noticing the open file descriptor when it tries to exec the nscd
application, it then checks what access nscd has and triggers this avc message.
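The mechanism Comment 5 describes, shown as an added example (this is not code from shadow-utils or from the bug report). It opens a descriptor, checks whether it is still open in a program exec'ed afterwards, then sets FD_CLOEXEC with the fcntl call named above and repeats the check. It assumes /bin/sh is available for the exec'ed child and uses /dev/null as a constructed stand-in for /etc/group; the function names are this example's own.

```c
/* Added example: a descriptor opened without close-on-exec survives exec()
 * and is inherited by the new program (here the stand-in for nscd is /bin/sh),
 * which is exactly what SELinux charged to nscd in this bug. Not project code. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix named in Comment 5: mark an already-open descriptor close-on-exec. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh; the child tries to dup the inherited descriptor
 * number onto fd 9, which only works if that number is still open after exec.
 * Returns 1 if the fd survived exec, 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[64];
    /* stderr is redirected first so a failed dup does not print a message */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9>&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                         /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Whole demonstration. /dev/null stands in for /etc/group (constructed stand-in,
 * the real file is not touched). Fills in whether the descriptor leaked through
 * exec before and after FD_CLOEXEC was set; returns 0 on success, -1 on error. */
int demo(int *leaked_before, int *leaked_after) {
    int fd = open("/dev/null", O_RDONLY);   /* plain open(): no close-on-exec */
    if (fd == -1) return -1;
    *leaked_before = fd_survives_exec(fd);  /* 1: the exec'ed program sees it */
    if (set_cloexec(fd) == -1) { close(fd); return -1; }
    *leaked_after = fd_survives_exec(fd);   /* 0: kernel closed it on exec */
    close(fd);
    return 0;
}

int main(void) {
    int before, after;
    if (demo(&before, &after) != 0) { perror("demo"); return 1; }
    printf("before FD_CLOEXEC: descriptor %s exec\n", before ? "survives" : "is closed on");
    printf("after  FD_CLOEXEC: descriptor %s exec\n", after ? "survives" : "is closed on");
    return 0;
}
```

Setting the flag after the fact, as above, leaves a window between open() and fcntl() in which a concurrently forked child can still inherit the descriptor; opening with O_CLOEXEC (POSIX.1-2008) closes that window, and auditing with `ls -l /proc/<pid>/fd` on the exec'ed process is the quickest way to confirm whether a daemon such as nscd has been handed descriptors it never opened itself.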
Comment 7 Peter Vrabec 2006-09-21 08:51:56 EDT
*** Bug 206519 has been marked as a duplicate of this bug. ***
Comment 8 Peter Vrabec 2006-09-21 08:59:58 EDT
I can't reproduce it. I have tried user{add,del} group{add,del,mod} many times without any 
success. I have also tried several firstboots (#206519)

# service auditd status
auditd (pid 1597) is running...
# service nscd status
nscd (pid 2470) is running...

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

# rpm -q selinux-policy-targeted
Comment 9 Daniel Walsh 2006-09-21 09:26:23 EDT
You have nscd turned on?

This is happening when cron runs an RPM update that includes a groupadd/useradd
I believe.
Comment 10 Peter Vrabec 2006-09-21 10:09:38 EDT
Yes I have.
Comment 11 Peter Vrabec 2006-09-22 08:45:10 EDT
Created attachment 136940 [details]
strace -fo log rpm -i nfs-utils-1.0.9-7.fc6.i386.rpm

# egrep -e 'AVC|avc' /var/log/audit/audit.log
no avc messages in audit.log
Comment 12 Peter Vrabec 2006-10-04 07:54:10 EDT
I'm closing this issue, since I'm not able to reproduce it with latest shadow-utils-4.0.17-5. If this 
problem occurs again, feel free to reopen it.