Bug 352601 – Lots of avc: granted null for messages

Bug 352601 - Lots of avc: granted null for messages

Summary:	Lots of avc: granted null for messages

Status:	CLOSED NEXTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	glibc (Show other bugs)
Sub Component:
Version:	7
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Jakub Jelinek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-10-25 12:05 EDT by Orion Poplawski
Modified:	2008-05-14 11:12 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-05-14 11:12:57 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Orion Poplawski 2007-10-25 12:05:45 EDT

Description of problem:

Getting lots of:

audit(1193328010.286:20): user pid=4054 uid=28 auid=4294967295
subj=root:system_r:nscd_t:s0 msg='avc:  granted  null for 
scontext=user_u:system_r:unconfined_t:s0 tcontext=root:system_r:nscd_t:s0
tclass=nscd


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-49.fc7

Comment 1 Daniel Walsh 2007-10-25 13:45:15 EDT

Did you add an auditallow policy module?    This should not come out of the
current policy.  Do these messages happen when you load new policy?  

Try 
semodule -B 

And see if a message gets generated.

Comment 2 Orion Poplawski 2007-10-25 13:58:08 EDT

I do have some extra policy modules loaded, but nothing to do with nscd that I'm
aware of.  Do I need to rebuild my modules?

# diff -r /etc/selinux/targeted/modules/active/modules /usr/share/selinux/targeted/
Only in /etc/selinux/targeted/modules/active/modules: amanda.pp
Only in /etc/selinux/targeted/modules/active/modules: audio_entropy.pp
Only in /usr/share/selinux/targeted/: audioentropy.pp
Only in /usr/share/selinux/targeted/: base.pp
Only in /usr/share/selinux/targeted/: enableaudit.pp
Only in /etc/selinux/targeted/modules/active/modules: iscsid.pp
Only in /usr/share/selinux/targeted/: iscsi.pp
Only in /etc/selinux/targeted/modules/active/modules: mountd.pp
Only in /etc/selinux/targeted/modules/active/modules: ypbind_udp.pp


module -B results in:

Oct 25 11:49:31 saga kernel: audit(1193334571.067:511): user pid=2351 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
policyload notice (seqno=3)
Oct 25 11:49:31 saga kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Oct 25 11:49:32 saga nscd: Can't send to audit system: USER_AVC avc:  received
policyload notice (seqno=3) : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)
Oct 25 11:49:32 saga kernel: audit(1193334571.074:512): policy loaded
auid=4294967295

I'm not running auditd (obviously).

Comment 3 Stephen Smalley 2007-10-25 14:05:11 EDT

The 'null' string suggests that ncsd passed a 0 access vector/permission value
to avc_has_perm.  Version of nscd?  libselinux?

Comment 4 Orion Poplawski 2007-10-25 14:19:36 EDT

nscd-2.6-4
libselinux-2.0.14-9.fc7

Comment 5 Paul Wouters 2007-10-30 00:10:56 EDT

Uhm, You are talking about nscd, not nsd. So I guess this needs to be
re-assigned to either glibc or selinux ?

Comment 6 Orion Poplawski 2007-11-02 13:21:08 EDT

Trying glibc....

Comment 7 Ulrich Drepper 2007-11-06 12:32:33 EST

I think the reason is that the glibc version in question was compiled with old
SELinux headers.  The service database vectors were not available in the SELinux
headers until late.  glibc 2.6-4 is old anyway.  Try the F8 code.  In any case,
I've added upstream some code which should handle the case of old headers better.

Comment 8 Ulrich Drepper 2008-03-30 01:44:25 EDT

Well?  Can we get some feedback based on more recent code?

Comment 9 Orion Poplawski 2008-03-31 19:03:49 EDT

Well, it is true that I don't see it in F8.  It does not appear that there is a
newer version in F7.

Comment 10 Bug Zapper 2008-05-14 10:52:00 EDT

This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.