Description of problem: Since rebooting with selinux-policy-3.5.13-57.fc10.noarch and kernel-2.6.29.1-42.fc10.i686 I'm seeing lots of nscd denials:

Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc: denied { read} for pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.755:5): avc: denied { read} for pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.761:6): avc: denied { read} for pid=3615 comm="nscd" name="exe" dev=proc ino=11409 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.766:7): avc: denied { read} for pid=3613 comm="nscd" name="exe" dev=proc ino=11424 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.770:8): avc: denied { read} for pid=3615 comm="nscd" name="exe" dev=proc ino=11439 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.775:9): avc: denied { read} for pid=3613 comm="nscd" name="exe" dev=proc ino=11454 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
.....

Does not appear to be affecting operation.
Some strace of nscd:

3616 read(16, "passwd\0"..., 7) = 7
3616 write(3, "3596: handle_request: request rec"..., 67) = 67
3616 getsockopt(16, SOL_SOCKET, SO_PEERSEC, "system_u:system_r:sshd_t:s0-s0:c0"..., [40]) = 0
3616 socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616 connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616 close(17) = 0
3616 gettid() = 3616
3616 open("/proc/self/task/3616/attr/current", O_RDONLY|O_LARGEFILE) = 17
3616 read(17, "system_u:system_r:nscd_t:s0\0"..., 4095) = 28
3616 close(17) = 0
3616 socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616 connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616 close(17) = 0
3616 socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616 connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616 close(17) = 0
3616 socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616 connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616 close(17) = 0
3616 readlink("/proc/6072/exe", 0xb0e7fcfa, 4095) = -1 EACCES (Permission denied)
3616 write(3, "3596: request from 6072 not handl"..., 62) = 62
3616 close(16) = 0

I am actually seeing nscd errors in /var/log/nscd.log (debugging turned on):

3596: handle_request: request received (Version = 2) from PID 6206
3596: request from 6206 not handled due to missing permission
Relevant code from nscd/connections.c:1054:

  /* Perform the SELinux check before we go on to the standard checks.  */
  if (selinux_enabled && nscd_request_avc_has_perm (fd, req->type) != 0)
    {
      if (debug_level > 0)
        {
#ifdef SO_PEERCRED
# ifdef PATH_MAX
          char buf[PATH_MAX];
# else
          char buf[4096];
# endif
          /* Only for the debug message: resolve the client's executable via
             /proc/<pid>/exe.  This readlink is the lnk_file read that the
             AVC messages above report as denied.  */
          snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid);
          ssize_t n = readlink (buf, buf, sizeof (buf) - 1);
          if (n <= 0)
            dbg_log (_("request from %ld not handled due to missing permission"),
                     (long int) pid);
          else
            {
              buf[n] = '\0';
              dbg_log (_("request from '%s' [%ld] not handled due to missing permission"),
                       buf, (long int) pid);
            }
#else
          dbg_log (_("request not handled due to missing permission"));
#endif
        }
      return;
    }
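Before deciding whether a denial like this deserves a policy change, it helps to reduce the audit noise to the distinct (source type, target type, class, permission) tuples and the allow rule each would need. The following is an added triage example, not code from this report or from nscd/glibc; the sample lines are two of the AVC records quoted in the description plus one constructed unrelated line.

```python
import re
from collections import Counter

# Matches the kernel audit AVC record format quoted in the report, e.g.
#   avc: denied { read} for pid=3614 comm="nscd" name="exe" dev=proc ino=11368
#   scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line holds no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": tuple(m.group("perms").split())}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules name.
    for ctx, out in (("scontext", "stype"), ("tcontext", "ttype")):
        rec[out] = rec[ctx].split(":")[2] if ctx in rec else None
    return rec


def summarize(lines):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def allow_rule(key):
    """Render the policy rule that would be needed to permit this tuple."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


# Constructed sample: two records from the report plus an unrelated kernel line.
SAMPLE = """\
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc: denied { read} for pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.755:5): avc: denied { read} for pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:29 saga kernel: nscd[3596]: some unrelated kernel message
""".splitlines()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {allow_rule(key)}")
```

Seeing a single tuple (nscd_t reading snmpd_t:lnk_file) across every record is what lets you tie all the noise to the one readlink in the debug path rather than to any real lookup failure.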
Ah, I see, turning on debugging triggered this.
Uli, is this something we should allow? Basically, allowing nscd to read the domain state of all apps that use nscd?
(In reply to comment #4)
> Is this something we should allow. Basically allowing nscd to read the domain
> state of all apps that use nscd?

I'm not sure. This is exclusively used when debugging. In that situation you can either live with the messages (they aren't fatal) or turn SELinux off temporarily. I'd rather not give the process unnecessary privileges.