Bug 498047 - Lots of nscd denials
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-28 12:10 EDT by Orion Poplawski
Modified: 2009-04-28 14:04 EDT
Last Closed: 2009-04-28 14:04:18 EDT
Doc Type: Bug Fix
Attachments: None
Description Orion Poplawski 2009-04-28 12:10:35 EDT
Description of problem:

Since rebooting with selinux-policy-3.5.13-57.fc10.noarch and kernel-2.6.29.1-42.fc10.i686 I'm seeing lots of nscd denials:
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc:  denied  { read} for  pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.755:5): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.761:6): avc:  denied  { read} for  pid=3615 comm="nscd" name="exe" dev=proc ino=11409 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.766:7): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11424 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.770:8): avc:  denied  { read} for  pid=3615 comm="nscd" name="exe" dev=proc ino=11439 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.775:9): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11454 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
.....

Does not appear to be affecting operation.
Comment 1 Orion Poplawski 2009-04-28 12:15:39 EDT
Some strace of nscd:

3616  read(16, "passwd\0"..., 7)        = 7
3616  write(3, "3596: handle_request: request rec"..., 67) = 67
3616  getsockopt(16, SOL_SOCKET, SO_PEERSEC, "system_u:system_r:sshd_t:s0-s0:c0"...,[40]) = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  gettid()                          = 3616
3616  open("/proc/self/task/3616/attr/current", O_RDONLY|O_LARGEFILE) = 17
3616  read(17, "system_u:system_r:nscd_t:s0\0"..., 4095) = 28
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 17
3616  connect(17, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
3616  close(17)                         = 0
3616  readlink("/proc/6072/exe", 0xb0e7fcfa, 4095) = -1 EACCES (Permission denied)
3616  write(3, "3596: request from 6072 not handl"..., 62) = 62
3616  close(16)                         = 0

I am actually seeing nscd errors in /var/log/nscd.log (debugging turned on):

3596: handle_request: request received (Version = 2) from PID 6206
3596: request from 6206 not handled due to missing permission
Comment 2 Orion Poplawski 2009-04-28 12:21:16 EDT
Relevant code from nscd/connections.c:1054:

  /* Perform the SELinux check before we go on to the standard checks.  */
  if (selinux_enabled && nscd_request_avc_has_perm (fd, req->type) != 0)
    {
      if (debug_level > 0)
        {
#ifdef SO_PEERCRED
# ifdef PATH_MAX
          char buf[PATH_MAX];
# else
          char buf[4096];
# endif

          snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid);
          ssize_t n = readlink (buf, buf, sizeof (buf) - 1);

          if (n <= 0)
            dbg_log (_("\
request from %ld not handled due to missing permission"), (long int) pid);
          else
            {
              buf[n] = '\0';
              dbg_log (_("\
request from '%s' [%ld] not handled due to missing permission"),
                       buf, (long int) pid);
            }
#else
          dbg_log (_("request not handled due to missing permission"));
#endif
        }
      return;
    }
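Added here as an illustration, not code from the report or from glibc: a small Python parser for AVC denial lines like those in the description, which groups denials by source type, target type, class and permission, and flags the ones that match nscd's debug-only readlink of /proc/<pid>/exe from the connections.c excerpt above. The sample lines are constructed; the sshd_t and httpd_t lines are assumptions added to show that the filter separates this pattern from unrelated denials.

```python
import re
from collections import Counter

# Constructed sample audit lines modelled on the report; sshd_t/httpd_t lines are assumptions.
SAMPLE_LOG = """\
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.739:4): avc:  denied  { read} for  pid=3614 comm="nscd" name="exe" dev=proc ino=11368 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=lnk_file
Apr 28 09:57:28 saga kernel: type=1400 audit(1240934248.755:5): avc:  denied  { read} for  pid=3613 comm="nscd" name="exe" dev=proc ino=11394 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=lnk_file
Apr 28 09:58:01 saga kernel: type=1400 audit(1240934281.001:6): avc:  denied  { write } for  pid=4201 comm="httpd" name="index.html" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def domain_of(context):
    """Type field of a user:role:type:level security context."""
    return context.split(':')[2]

def is_nscd_debug_readlink(rec):
    """Match nscd's debug-only readlink of /proc/<client pid>/exe (the dbg_log path)."""
    return (domain_of(rec['scontext']) == 'nscd_t'
            and rec.get('name') == 'exe'
            and rec.get('dev') == 'proc'
            and rec.get('tclass') == 'lnk_file'
            and rec['perms'] == ['read'])

def summarize(log_text):
    """Count denials by (source type, target type, class, perms); collect nscd client domains."""
    counts = Counter()
    nscd_clients = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (domain_of(rec['scontext']), domain_of(rec['tcontext']),
               rec['tclass'], ' '.join(rec['perms']))
        counts[key] += 1
        if is_nscd_debug_readlink(rec):
            nscd_clients.add(domain_of(rec['tcontext']))
    return counts, nscd_clients
```

The set of client domains returned is what a policy writer would need to weigh the question raised later in the thread: whether nscd_t should be allowed to read the exe link of every domain that talks to it, or whether the denials are simply left as the cost of running with debug_level > 0.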
Comment 3 Orion Poplawski 2009-04-28 12:24:05 EDT
Ah, I see, turning on debugging triggered this.
Comment 4 Daniel Walsh 2009-04-28 13:30:22 EDT
Uli,

Is this something we should allow? Basically, allowing nscd to read the domain state of all apps that use nscd?
Comment 5 Ulrich Drepper 2009-04-28 13:41:20 EDT
(In reply to comment #4)
> Is this something we should allow? Basically, allowing nscd to read the domain
> state of all apps that use nscd?

I'm not sure. This is exclusively used when debugging. In that situation you can either live with the messages (they aren't fatal) or turn SELinux off temporarily. I'd rather not give the process unnecessary privileges.