Description of problem:
SELinux denied ['write'] access for the file (/etc/group) requested by /usr/sbin/nscd.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-22

How reproducible:
Unknown

Steps to Reproduce:
1. Install a bunch of packages via "pirut".

Actual results:
"AVC" denial icon pops up in the notification area.

Expected results:
Access rights get granted as requested.

Additional info:
Target Object: /etc/group
Affected RPMs: nscd-2.4.90-22
Existing Bug Reports: coming soon
Policy RPM: selinux-policy-2.3.3-22
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Could you attach the avc messages from /var/log/audit/audit.log
Sorry, but I have already hopped back to "rawhide". This channel thing seems to have changed with respect to "RHEL4 beta X", not obvious if one gets updates or not ... repodata broken, etc. Btw, what I have posted above is copied 100% from the notification applet. I will give "RHEL 5 beta1" another try in "QEMU" and post the result .. a little patience, please.
Created attachment 135921 [details] "audit" log file for "RHEL5 beta 1"
Created attachment 135922 [details] "SELinux Alert" screenshot for "RHEL5 beta 1"
This is caused by a leaked file descriptor in groupadd. Basically all file descriptors have to be closed on exec, or the execed application will have access to the file descriptors.

fcntl(fd, F_SETFD, FD_CLOEXEC)

The kernel is noticing the open file descriptor when it tries to exec the nscd application, it then checks what access nscd has and triggers this avc message.
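The comment above describes the mechanism in one sentence; the following is an added example (not code from shadow-utils, nscd, or this bug) that reproduces the leak class on any Linux box and shows the fix. It opens a constructed sample file, execs /bin/sh, and lets the child probe whether the descriptor survived the exec, first without and then with FD_CLOEXEC. The helper names (set_cloexec, fd_leaks_across_exec, make_sample_file) and the temp path are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark an already-open descriptor close-on-exec, preserving other FD flags.
 * Returns 0 on success, -1 on error (e.g. fd is not open). */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open path, optionally mark the fd FD_CLOEXEC, then fork and exec a shell
 * that tests whether the same fd number is still open after exec.
 * Returns 1 if the descriptor leaked into the exec'd program, 0 if it was
 * closed by the kernel at exec time, -1 on error. */
int fd_leaks_across_exec(const char *path, int close_on_exec) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (close_on_exec && set_cloexec(fd) != 0) { close(fd); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        /* Child: after exec, `exec <&N` succeeds (exit 0) only if fd N is
         * still open in the new program image; otherwise the shell reports
         * "Bad file descriptor" and exits non-zero. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null <&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd);  /* parent no longer needs it */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a small constructed sample file standing in for /etc/group.
 * Returns a heap-allocated path the caller must free and unlink, or NULL. */
char *make_sample_file(void) {
    char tmpl[] = "/tmp/cloexec-demo-XXXXXX";  /* constructed sample path */
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    const char line[] = "demo:x:1000:\n";  /* constructed group-style line */
    if (write(fd, line, sizeof line - 1) < 0) { close(fd); return NULL; }
    close(fd);
    return strdup(tmpl);
}

int main(void) {
    char *path = make_sample_file();
    if (!path) return 1;
    printf("without FD_CLOEXEC: leaked=%d\n", fd_leaks_across_exec(path, 0));
    printf("with FD_CLOEXEC:    leaked=%d\n", fd_leaks_across_exec(path, 1));
    unlink(path);
    free(path);
    return 0;
}
```

Running it prints leaked=1 for the first case and leaked=0 for the second, which is exactly the difference between what the SELinux alert saw (nscd inheriting a descriptor on /etc/group that groupadd had open) and correct behaviour. Since Linux 2.6.23 the race between open() and the later fcntl() can be avoided entirely by passing O_CLOEXEC to open() so the flag is set atomically.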
*** Bug 206519 has been marked as a duplicate of this bug. ***
I can't reproduce it. I have tried user{add,del} group{add,del,mod} many times without any success. I have also tried several firstboots (#206519).

# service auditd status
auditd (pid 1597) is running...
# service nscd status
nscd (pid 2470) is running...
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.14-6
You have nscd turned on? This is happening when cron runs an RPM update that includes a groupadd/useradd I believe.
Yes I have.
Created attachment 136940 [details]
strace -fo log rpm -i nfs-utils-1.0.9-7.fc6.i386.rpm

# egrep -e 'AVC|avc' /var/log/audit/audit.log
no avc messages in audit.log
I'm closing this issue, since I'm not able to reproduce it with latest shadow-utils-4.0.17-5. If this problem occurs again, feel free to reopen it.