Bug 375381 - Strange AVCs related to nscd from various services
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-11-10 21:59 EST by Kostas Georgiou
Modified: 2008-01-08 10:58 EST
Fixed In Version: selinux-policy-3.0.8-58.fc8.noarch
Doc Type: Bug Fix
Last Closed: 2008-01-08 10:58:06 EST
Description Kostas Georgiou 2007-11-10 21:59:52 EST
On three of the machines that I upgraded from f7 to f8 I get AVCs similar to
the following:

type=USER_AVC msg=audit(1194749294.593:183): user pid=16004 uid=28 auid=1000
subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x200 } for
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0
tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1194749294.594:184): user pid=16004 uid=28 auid=1000
subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x100 } for
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0
tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'

It's not just httpd that generates them; sendmail, procmail, spamd, etc. also
give the same errors. The errors don't show up when running in non-enforcing
mode, for some strange reason.
Comment 1 Daniel Walsh 2007-11-12 10:38:35 EST
Have you updated the policy?

This looks like you have a policy mismatch?

rpm -q selinux-policy kernel
Comment 2 Kostas Georgiou 2007-11-14 14:15:51 EST
Everything is at the latest versions; all three machines are running with the
xen kernel, though (both dom0 and domU show the denials, btw).

$ rpm -q kernel-xen selinux-policy
kernel-xen-2.6.21-2950.fc8.x86_64
selinux-policy-3.0.8-47.fc8.noarch
Comment 3 Daniel Walsh 2007-11-14 14:59:57 EST
Are you continuing to see the messages, or was it just during the upgrade?  If it was
just during the upgrade, it could have been nscd being updated before selinux-policy,
so nscd started generating the messages before selinux-policy had been installed
to define them.

I think if you did

yum upgrade selinux-policy

followed by

yum upgrade

you would not see this.
Comment 4 Kostas Georgiou 2007-11-15 11:01:04 EST
I see the errors after the update; I didn't check for errors during the update.
Is there any way to find out what 0x100 and 0x200 mean? As it is, I cannot even
guess what might be the cause.
Comment 5 Eric Paris 2007-11-15 11:38:37 EST
note to self: tclass=nscd ???
Comment 6 Daniel Walsh 2007-11-15 11:44:49 EST
I would guess these are getserv and shmemserv.
Comment 7 Stephen Smalley 2007-11-15 13:29:35 EST
Bug in libselinux:  lacks updated string table definitions for new nscd permissions.
nscd though would benefit by migrating over to the new interfaces for dynamic
discovery of class and permission values.
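As an added example (not code from this bug report, from libselinux or from nscd), the script below decodes the raw `{ 0x200 }` / `{ 0x100 }` access vectors in the USER_AVC messages quoted in the description into permission names. The fallback permission ordering for `class nscd` is an assumption copied from the reference policy's access_vectors file and should be checked against the policy actually loaded; when a selinuxfs tree is available the script instead reads the authoritative bit positions from `class/<tclass>/perms/<perm>`, which is the kind of dynamic discovery Stephen refers to and avoids a stale string table. The two sample lines are constructed copies of the denials above, joined onto single lines; `build_demo_selinuxfs` is a helper that fabricates a selinuxfs-like tree in a temporary directory so the lookup path can be exercised offline.

```python
"""Decode hex permission bits in USER_AVC denials for the SELinux nscd class.

Added example, not part of the bug report or of libselinux/nscd.
"""
import re
import tempfile
from pathlib import Path

# ASSUMED ordering of the nscd class permissions (bit 0 first), taken from the
# reference policy's access_vectors; verify against your own loaded policy.
NSCD_PERMS_ASSUMED = [
    "getpwd", "getgrp", "gethost", "getstat", "admin",
    "shmempwd", "shmemgrp", "shmemhost", "getserv", "shmemserv",
]

# Constructed copies of the two denials quoted in the report (one per line).
SAMPLE_AVCS = """\
type=USER_AVC msg=audit(1194749294.593:183): user pid=16004 uid=28 auid=1000 subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x200 } for scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1194749294.594:184): user pid=16004 uid=28 auid=1000 subj=system_u:system_r:nscd_t:s0 msg='avc:  denied  { 0x100 } for scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def perms_from_selinuxfs(tclass, root="/sys/fs/selinux"):
    """Read {perm_name: bitmask} from <root>/class/<tclass>/perms/<perm>.

    Each file holds the 1-based permission index; bit = 1 << (index - 1).
    Returns None when the tree is not present (no selinuxfs, unknown class)."""
    perm_dir = Path(root) / "class" / tclass / "perms"
    if not perm_dir.is_dir():
        return None
    return {entry.name: 1 << (int(entry.read_text().strip()) - 1)
            for entry in perm_dir.iterdir()}


def perm_table(tclass, root="/sys/fs/selinux"):
    """Prefer the kernel's view; fall back to the assumed nscd ordering."""
    table = perms_from_selinuxfs(tclass, root)
    if table is None:
        if tclass != "nscd":
            raise ValueError(f"no permission table available for class {tclass!r}")
        table = {name: 1 << i for i, name in enumerate(NSCD_PERMS_ASSUMED)}
    return table


def decode_av(av_text, table):
    """Turn '0x200' or 'getserv shmemserv' into a sorted list of permission names.

    Bits with no name in the table are reported as unknown(0x...) instead of
    being silently dropped, so a stale table is visible in the output."""
    names = []
    for token in av_text.split():
        if token.startswith("0x"):
            bits = int(token, 16)
            for name, mask in table.items():
                if bits & mask:
                    names.append(name)
                    bits &= ~mask
            if bits:
                names.append(f"unknown(0x{bits:x})")
        else:
            names.append(token)
    return sorted(names)


def decode_avc_lines(text, root="/sys/fs/selinux"):
    """Return (scontext, tclass, [perms]) for every AVC denial in text."""
    results = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        table = perm_table(m["tclass"], root)
        results.append((m["scontext"], m["tclass"], decode_av(m["perms"], table)))
    return results


def build_demo_selinuxfs(perm_names=NSCD_PERMS_ASSUMED, tclass="nscd"):
    """Fabricate a selinuxfs-like class/<tclass>/perms tree in a temp dir."""
    root = tempfile.mkdtemp(prefix="fake-selinuxfs-")
    perm_dir = Path(root) / "class" / tclass / "perms"
    perm_dir.mkdir(parents=True)
    for index, name in enumerate(perm_names, start=1):
        (perm_dir / name).write_text(f"{index}\n")
    return root


if __name__ == "__main__":
    for scontext, tclass, perms in decode_avc_lines(SAMPLE_AVCS):
        print(f"{scontext} -> {tclass}: {' '.join(perms)}")
```

Under the assumed ordering the two vectors come out as getserv (0x100) and shmemserv (0x200), which is exactly Dan's guess in comment 6; the point of the selinuxfs path is that the names then come from the loaded policy rather than from a table that has to be kept in sync by hand.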
Comment 8 Ulrich Drepper 2007-11-15 13:41:51 EST
(In reply to comment #7)
> nscd though would benefit by migrating over to the new interfaces for dynamic
> discovery of class and permission values.

Reference?
Comment 10 Kostas Georgiou 2007-11-15 19:58:47 EST
Do you want me to open a separate bug for the services that are prevented from
using nscd?

With a quick look I see denials from cupsd_t, cyrus_t, gssd_t, httpd_t,
mysqld_t, nfsd_t, ntpd_t, saslauthd_t, sendmail_t, exim_t, squid_t, system_mail_t.
Not all of them need to be able to access nscd, I guess, but then they should be
in dontaudit, right?
Comment 11 Daniel Walsh 2007-11-19 10:48:16 EST
No, but I would like to know why you are the only one reporting this in bugzilla.  I
have not seen this from any other Fedora 8 users.  It is almost like you have
nscd set up differently.
Comment 12 Kostas Georgiou 2007-11-19 15:53:38 EST
I suspect that I am one of the very few people that enable nscd (it's not
enabled by default). I also thought that it might have something to do with my
config, since I'd noticed the denials on machines that were updated from f7, but a
clean install on a laptop gives me the same errors (after I enabled nscd, of course).
Comment 13 Daniel Walsh 2007-11-19 16:34:41 EST
selinux-policy-3.0.8-58.fc8.noarch
