Bug 498047 - Lots of nscd denials
Summary: Lots of nscd denials
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-28 16:10 UTC by Orion Poplawski
Modified: 2009-04-28 18:04 UTC
Doc Type: Bug Fix
Last Closed: 2009-04-28 18:04:18 UTC

Description Orion Poplawski 2009-04-28 16:10:35 UTC
Description of problem:

Since rebooting with selinux-policy-3.5.13-57.fc10.noarch and kernel-2.6.29.1-42.fc10.i686 I'm seeing lots of nscd denials:

Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc:  denied  { read} for  pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.755:5): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.761:6): avc:  denied  { read} for  pid=3615 comm="nscd" name="exe" dev=proc ino=11409 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.766:7): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11424 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.770:8): avc:  denied  { read} for  pid=3615 comm="nscd" name="exe" dev=proc ino=11439 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.775:9): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11454 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
.....

Does not appear to be affecting operation.

Comment 1 Orion Poplawski 2009-04-28 16:15:39 UTC
Some strace of nscd:

3616  read(16, "passwd\0"..., 7)        = 7
3616  write(3, "3596: handle_request: request rec"..., 67) = 67
3616  getsockopt(16, SOL_SOCKET, SO_PEERSEC, "system_u:system_r:sshd_t:s0-s0:c0"...,[40]) = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  gettid()                          = 3616
3616  open("/proc/self/task/3616/attr/current", O_RDONLY|O_LARGEFILE) = 17
3616  read(17, "system_u:system_r:nscd_t:s0\0"..., 4095) = 28
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  readlink("/proc/6072/exe", 0xb0e7fcfa, 4095) = -1 EACCES (Permission denied)
3616  write(3, "3596: request from 6072 not handl"..., 62) = 62
3616  close(16)                         = 0

I am actually seeing nscd errors in /var/log/nscd.log (debugging turned on):

3596: handle_request: request received (Version = 2) from PID 6206
3596: request from 6206 not handled due to missing permission

Comment 2 Orion Poplawski 2009-04-28 16:21:16 UTC
Relevant code from nscd/connections.c:1054:

  /* Perform the SELinux check before we go on to the standard checks.  */
  if (selinux_enabled && nscd_request_avc_has_perm (fd, req->type) != 0)
    {
      if (debug_level > 0)
        {
#ifdef SO_PEERCRED
# ifdef PATH_MAX
          char buf[PATH_MAX];
# else
          char buf[4096];
# endif

          snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid);
          ssize_t n = readlink (buf, buf, sizeof (buf) - 1);

          if (n <= 0)
            dbg_log (_("\
request from %ld not handled due to missing permission"), (long int) pid);
          else
            {
              buf[n] = '\0';
              dbg_log (_("\
request from '%s' [%ld] not handled due to missing permission"),
                       buf, (long int) pid);
            }
#else
          dbg_log (_("request not handled due to missing permission"));
#endif
        }
      return;
    }
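The audit records in the description and the debug-only readlink() of /proc/<pid>/exe in the code above produce a recognisable signature: nscd_t denied read on a lnk_file named "exe" on dev=proc, with the tcontext being whichever client domain made the lookup. The following triage script is an added example, not part of this bug report or of glibc; it parses kernel AVC lines in the format shown above (tolerating the "{ read}" spacing in the report), flags that signature, and counts denials per source/target domain so the rows attributable to nscd debug logging stand out from unrelated denials. The sample lines are constructed, modelled on the ones in the report.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the report's audit records (not from a real host).
SAMPLE_LOG = [
    'Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc:  denied  { read} for  pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file',
    'Apr 28 09:57:29 saga kernel: type=1400 audit(1240934249.101:5): avc:  denied  { read } for  pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=lnk_file',
    'Apr 28 09:57:30 saga kernel: type=1400 audit(1240934250.200:6): avc:  denied  { write } for  pid=4001 comm="httpd" name="data" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'Apr 28 09:57:31 saga kernel: eth0: link up',
]

# Kernel AVC record; the report's lines have "{ read}" rather than "{ read }", so
# whitespace inside the braces is optional.
AVC_RE = re.compile(
    r"type=(?P<type>\d+)\s+audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m["type"]), "ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": set(m["perms"].split())}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')   # strip quotes from comm="nscd", name="exe"
    return rec

def domain(ctx):
    """Type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]

def is_nscd_exe_probe(rec):
    """The pattern in this report: nscd_t reading a client's /proc/<pid>/exe link."""
    return (rec["result"] == "denied" and domain(rec.get("scontext", "::")) == "nscd_t"
            and rec.get("tclass") == "lnk_file" and rec.get("name") == "exe"
            and rec.get("dev") == "proc" and "read" in rec["perms"])

def summarize(lines):
    """Count denials by (source type, target type, class, perms); the probe pattern
    shows up as nscd_t -> <client type> lnk_file read, one row per client domain."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied":
            key = (domain(rec["scontext"]), domain(rec["tcontext"]), rec["tclass"],
                   " ".join(sorted(rec["perms"])))
            counts[key] += 1
    return counts
```

Feeding it the lines from /var/log/messages or ausearch output gives one row per client domain that nscd tried to identify; if every nscd_t row is the lnk_file/exe probe, the denials are the debug-logging side effect rather than a policy gap in nscd's real work.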

Comment 3 Orion Poplawski 2009-04-28 16:24:05 UTC
Ah, I see, turning on debugging triggered this.

Comment 4 Daniel Walsh 2009-04-28 17:30:22 UTC
Uli,

Is this something we should allow? Basically, allowing nscd to read the domain state of all apps that use nscd?

Comment 5 Ulrich Drepper 2009-04-28 17:41:20 UTC
(In reply to comment #4)
> Is this something we should allow. Basically allowing nscd to read the domain
> state of all apps that use nscd?  

I'm not sure.  This is exclusively used when debugging.  In that situation you can either live with the messages (they aren't fatal) or turn SELinux off temporarily.  I'd rather not give the process unnecessary privileges.
