Description of problem: Getting lots of: audit(1193328010.286:20): user pid=4054 uid=28 auid=4294967295 subj=root:system_r:nscd_t:s0 msg='avc: granted null for scontext=user_u:system_r:unconfined_t:s0 tcontext=root:system_r:nscd_t:s0 tclass=nscd Version-Release number of selected component (if applicable): selinux-policy-2.6.4-49.fc7
Did you add an auditallow policy module? This should not come out of the current policy. Do these messages happen when you load new policy? Try semodule -B And see if a message gets generated.
I do have some extra policy modules loaded, but nothing to do with nscd that I'm aware of. Do I need to rebuild my modules? # diff -r /etc/selinux/targeted/modules/active/modules /usr/share/selinux/targeted/ Only in /etc/selinux/targeted/modules/active/modules: amanda.pp Only in /etc/selinux/targeted/modules/active/modules: audio_entropy.pp Only in /usr/share/selinux/targeted/: audioentropy.pp Only in /usr/share/selinux/targeted/: base.pp Only in /usr/share/selinux/targeted/: enableaudit.pp Only in /etc/selinux/targeted/modules/active/modules: iscsid.pp Only in /usr/share/selinux/targeted/: iscsi.pp Only in /etc/selinux/targeted/modules/active/modules: mountd.pp Only in /etc/selinux/targeted/modules/active/modules: ypbind_udp.pp module -B results in: Oct 25 11:49:31 saga kernel: audit(1193334571.067:511): user pid=2351 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=3) Oct 25 11:49:31 saga kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)' Oct 25 11:49:32 saga nscd: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=3) : exe="?" (sauid=28, hostname=?, addr=?, terminal=?) Oct 25 11:49:32 saga kernel: audit(1193334571.074:512): policy loaded auid=4294967295 I'm not running auditd (obviously).
The 'null' string suggests that ncsd passed a 0 access vector/permission value to avc_has_perm. Version of nscd? libselinux?
nscd-2.6-4 libselinux-2.0.14-9.fc7
Uhm, You are talking about nscd, not nsd. So I guess this needs to be re-assigned to either glibc or selinux ?
Trying glibc....
I think the reason is that the glibc version in question was compiled with old SELinux headers. The service database vectors were not available in the SELinux headers until late. glibc 2.6-4 is old anyway. Try the F8 code. In any case, I've added upstream some code which should handle the case of old headers better.
Well? Can we get some feedback based on more recent code?
Well, it is true that I don't see it in F8. It does not appear that there is a newer version in F7.
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists. Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/ The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping