Bug 352601 - Lots of avc: granted null for messages
Summary: Lots of avc: granted null for messages
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 7
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-10-25 16:05 UTC by Orion Poplawski
Modified: 2008-05-14 15:12 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-05-14 15:12:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Orion Poplawski 2007-10-25 16:05:45 UTC
Description of problem:

Getting lots of:

audit(1193328010.286:20): user pid=4054 uid=28 auid=4294967295
subj=root:system_r:nscd_t:s0 msg='avc:  granted  null for 
scontext=user_u:system_r:unconfined_t:s0 tcontext=root:system_r:nscd_t:s0
tclass=nscd


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-49.fc7

Comment 1 Daniel Walsh 2007-10-25 17:45:15 UTC
Did you add an auditallow policy module?    This should not come out of the
current policy.  Do these messages happen when you load new policy?  

Try 
semodule -B 

And see if a message gets generated.



Comment 2 Orion Poplawski 2007-10-25 17:58:08 UTC
I do have some extra policy modules loaded, but nothing to do with nscd that I'm
aware of.  Do I need to rebuild my modules?

# diff -r /etc/selinux/targeted/modules/active/modules /usr/share/selinux/targeted/
Only in /etc/selinux/targeted/modules/active/modules: amanda.pp
Only in /etc/selinux/targeted/modules/active/modules: audio_entropy.pp
Only in /usr/share/selinux/targeted/: audioentropy.pp
Only in /usr/share/selinux/targeted/: base.pp
Only in /usr/share/selinux/targeted/: enableaudit.pp
Only in /etc/selinux/targeted/modules/active/modules: iscsid.pp
Only in /usr/share/selinux/targeted/: iscsi.pp
Only in /etc/selinux/targeted/modules/active/modules: mountd.pp
Only in /etc/selinux/targeted/modules/active/modules: ypbind_udp.pp


module -B results in:

Oct 25 11:49:31 saga kernel: audit(1193334571.067:511): user pid=2351 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
policyload notice (seqno=3)
Oct 25 11:49:31 saga kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Oct 25 11:49:32 saga nscd: Can't send to audit system: USER_AVC avc:  received
policyload notice (seqno=3) : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)
Oct 25 11:49:32 saga kernel: audit(1193334571.074:512): policy loaded
auid=4294967295

I'm not running auditd (obviously).


Comment 3 Stephen Smalley 2007-10-25 18:05:11 UTC
The 'null' string suggests that ncsd passed a 0 access vector/permission value
to avc_has_perm.  Version of nscd?  libselinux?


Comment 4 Orion Poplawski 2007-10-25 18:19:36 UTC
nscd-2.6-4
libselinux-2.0.14-9.fc7


Comment 5 Paul Wouters 2007-10-30 04:10:56 UTC
Uhm, You are talking about nscd, not nsd. So I guess this needs to be
re-assigned to either glibc or selinux ?

Comment 6 Orion Poplawski 2007-11-02 17:21:08 UTC
Trying glibc....

Comment 7 Ulrich Drepper 2007-11-06 17:32:33 UTC
I think the reason is that the glibc version in question was compiled with old
SELinux headers.  The service database vectors were not available in the SELinux
headers until late.  glibc 2.6-4 is old anyway.  Try the F8 code.  In any case,
I've added upstream some code which should handle the case of old headers better.

Comment 8 Ulrich Drepper 2008-03-30 05:44:25 UTC
Well?  Can we get some feedback based on more recent code?

Comment 9 Orion Poplawski 2008-03-31 23:03:49 UTC
Well, it is true that I don't see it in F8.  It does not appear that there is a
newer version in F7.

Comment 10 Bug Zapper 2008-05-14 14:52:00 UTC
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping


Note You need to log in before you can comment on or make changes to this bug.