Bug 557154 - Centos 5.3: not able to find groups for kerberos users when nscd is running with selinux enforcing mode
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: x86_64 Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2010-01-20 10:40 EST by Pramod Rao
Modified: 2010-08-19 06:40 EDT
Doc Type: Bug Fix
Last Closed: 2010-08-19 06:40:46 EDT
External Trackers: CentOS 4152

Description Pramod Rao 2010-01-20 10:40:26 EST
Description of problem:

Kerberos user cannot log in (a by-product of not being able to find groups for the kerberos user) when the system has selinux in enforcing mode and nscd is running. Setting selinux to permissive eliminates the issue, but there are avc denied errors logged inside /var/log/audit/audit.log. Details are mentioned under additional information.

Running groups command for kerberos/ldap user on a system with selinux in enforcing mode and nscd running fails with error "no such user" but when selinux is set to permissive, groups for the same user are listed fine.


Version-Release number of selected component (if applicable):
Centos 5.3
krb5-libs.x86_64 1.6.1-31.el5
krb5-workstation.x86_64 1.6.1-31.el5
nss_ldap.x86_64 253-17.el5
nscd.x86_64 2.5-34
selinux-policy.noarch 2.4.6-203.el5 
selinux-policy-targeted.noarch 2.4.6-203.el5

How reproducible:
Always

Steps to Reproduce:
Below command can be used to reproduce what I am facing.

getenforce && groups foo && nscd -i passwd && nscd -i group && setenforce 1 && getenforce && service nscd restart && groups foo
Permissive

The output of the above command

foo : bargrp1 foogrp1 bargrp2
Enforcing
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
id: foo: No such user


When I turn selinux to permissive again, groups lookup works for the user

nscd -i passwd && nscd -i group && setenforce 0 && getenforce && service nscd restart && groups foo

Permissive
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
foo : bargrp1 foogrp1 bargrp2

  
Additional info:

Audit Log snippet with nscd related avc messages

type=AVC msg=audit(1263943029.792:1505): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1505): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1506): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1506): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1507): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1507): arch=c000003e syscall=2 success=no exit=-13 a0=2b87696058e0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1508): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1508): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1509): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1509): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1510): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1510): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1511): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1511): arch=c000003e syscall=2 success=no exit=-13 a0=2b8769605910 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1512): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1512): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1513): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1513): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1514): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1514): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1515): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1515): arch=c000003e syscall=2 success=no exit=-13 a0=2b87696061c0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1516): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1516): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1517): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1517): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1518): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1518): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695bee90 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1519): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1519): arch=c000003e syscall=2 success=no exit=-13 a0=2b87695af2a0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1520): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1520): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-01-20 15:38:08 EST
Try 

# restorecon -v  /etc/krb5.conf /tmp/krb*
Comment 2 Pramod Rao 2010-01-20 17:11:36 EST
I did try that. /etc/krb5.conf got its selinux context fixed. But /tmp/krb5cc_00 context did not change.

restorecon -v  /etc/krb5.conf /tmp/krb*
restorecon reset /etc/krb5.conf context system_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0

After that in enforcing mode, groups lookup resulted in same error as before. AVC messages are as below.

type=AVC msg=audit(1264024958.980:4220): avc:  denied  { read } for  pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024958.980:4220): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8464410 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.000:4221): avc:  denied  { read } for  pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.000:4221): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492420 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.100:4222): avc:  denied  { read } for  pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.100:4222): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492480 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.200:4223): avc:  denied  { read } for  pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.200:4223): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc83c5c40 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)



Setting selinux to permissive mode enabled groups lookup for kerberos user but resulted in below AVC messages

type=AVC msg=audit(1264025107.290:4234): avc:  denied  { read } for  pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4234): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.290:4235): avc:  denied  { lock } for  pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 a0=10 a1=7 a2=4318ad20 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.330:4236): avc:  denied  { write } for  pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.330:4236): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4237): avc:  denied  { read } for  pid=4180 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4237): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f848a0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4238): avc:  denied  { lock } for  pid=4180 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4238): arch=c000003e syscall=72 success=yes exit=0 a0=11 a1=7 a2=42b87830 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.560:4239): avc:  denied  { write } for  pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.560:4239): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f88810 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)

Note: *nscd is running as user root*
Comment 3 Daniel Walsh 2010-01-21 08:11:48 EST
Why is nscd using a credential cache file?  Why is a credential cache file owned by root?
Comment 4 Pramod Rao 2010-01-21 11:32:36 EST
nscd is using kerberos tgt of the system which resides under /tmp. ldap user/group lookups use kerberos/gssapi. 

nscd is running as root user for the same reason that it can do ldap lookups using system tgt.
Comment 5 Pramod Rao 2010-01-21 12:05:54 EST
nscd is using kerberos tgt of the system which resides under /tmp. ldap user/group lookups use kerberos/gssapi. 

nscd is running as root user for the same reason that it can do ldap lookups using system tgt.
Comment 6 Daniel Walsh 2010-01-21 13:12:30 EST
Is nscd using a keytab file to create a tgt?  Who created the /tmp/krbcc_0 file?
Comment 7 Pramod Rao 2010-01-21 17:13:25 EST
nscd does not create tgt but is trying to access the ticket cache obtained by the system. kinit run from a cron job obtains/renews tgt using principal SERVERNAME$@KERBEROS.REALM.
Comment 8 Daniel Walsh 2010-01-22 10:06:30 EST
If this tgt is just for nscd why not create it in /var/run/nscd?  Then nscd can read it and no users can attack it.
Comment 9 Pramod Rao 2010-01-22 17:22:59 EST
This tgt is not specific to nscd. It is used by the system as well.
Comment 10 Daniel Walsh 2010-01-25 10:57:52 EST
Pramod you can add this access for now.

Nalin do you have any suggestions?
Comment 11 Pramod Rao 2010-01-25 11:11:06 EST
Thanks. I have put selinux policy changes below. Will this be a workaround for now?

module nscd 1.0;

require {
        type tmp_t;
        type etc_t;
        type nscd_t;
        class process ptrace;
        class file { read lock write };
}

#============= nscd_t ==============
allow nscd_t etc_t:file write;
allow nscd_t self:process ptrace;
allow nscd_t tmp_t:file { read lock write };
Comment 12 Daniel Walsh 2010-01-25 14:30:20 EST
Remove the etc_t line, you do not need this.

Not sure where the ptrace line came from.


I think you actually need

policy_module(mynscd, 1.0)
gen_require(`
type nscd_t, tmp_t;
')

allow nscd_t tmp_t:file read_file_perms;
dontaudit nscd_t tmp_t:file write;
Comment 13 Pramod Rao 2010-01-25 14:53:29 EST
I got it from audit2allow output.
Comment 14 Daniel Walsh 2010-01-25 15:01:58 EST
The etc_t entry was caused by the /etc/krb5.conf file being mislabeled.

You did not show the ptrace output from earlier.  Adding that access is not a problem.
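
Added example, not part of the thread and not the output of audit2allow or any Red Hat tool: a small Python triage of the AVC records quoted in this bug. It groups denials by source type, target type and class, pairs each with its SYSCALL record to tell enforced denials (success=no) from permissive-mode ones (success=yes), and flags a mislabeled target instead of proposing an allow rule for it. The `EXPECTED` map and the names `summarize` and `advise` are assumptions made for this example; the expected label for krb5.conf is the one restorecon applied in comment 2.

```python
import re
from collections import defaultdict

# Records copied from this bug; SYSCALL lines are shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1263943029.792:1505): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1505): arch=c000003e syscall=21 success=no exit=-13 comm="nscd"
type=AVC msg=audit(1264025107.290:4234): avc:  denied  { read } for  pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4234): arch=c000003e syscall=2 success=yes exit=16 comm="nscd"
type=AVC msg=audit(1264025107.290:4235): avc:  denied  { lock } for  pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 comm="nscd"
"""

# Assumption: expected label per file name, taken from the restorecon output in comment 2.
EXPECTED = {"krb5.conf": "krb5_conf_t"}

AVC = re.compile(
    r'msg=audit\(\S+?:(\d+)\): avc:\s+denied\s+\{ ([^}]+)\} for .*?'
    r'(?:name|path)="([^"]+)".*? scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
SYSCALL = re.compile(r'type=SYSCALL msg=audit\(\S+?:(\d+)\): .*?success=(yes|no)')


def summarize(log):
    """Group AVC denials by (source type, target type, object class)."""
    outcome = dict(SYSCALL.findall(log))  # audit serial -> "yes" / "no"
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "blocked": False})
    for serial, perms, obj, scon, tcon, tclass in AVC.findall(log):
        # A context is user:role:type:level; the type is what policy rules name.
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        g = groups[key]
        g["perms"].update(perms.split())
        g["objects"].add(obj.rsplit("/", 1)[-1])
        # success=no: the denial was enforced. success=yes: logged in permissive mode.
        g["blocked"] |= outcome.get(serial) == "no"
    return dict(groups)


def advise(groups, expected=EXPECTED):
    """Return one line per group: a relabel hint or a rule to review by hand."""
    out = []
    for (src, tgt, tclass), g in sorted(groups.items()):
        wrong = [o for o in sorted(g["objects"]) if expected.get(o, tgt) != tgt]
        if wrong:
            # A mislabeled file is fixed with restorecon, not with an allow rule.
            out.append(f"relabel {', '.join(wrong)}: {tgt} -> {expected[wrong[0]]}")
        else:
            perms = " ".join(sorted(g["perms"]))
            out.append(f"review: allow {src} {tgt}:{tclass} {{ {perms} }};")
    return out


if __name__ == "__main__":
    for line in advise(summarize(SAMPLE)):
        print(line)
```

The "review" lines are raw candidates only; comment 12 shows how such a rule was narrowed by hand before being loaded.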
Comment 15 Pramod Rao 2010-01-25 15:06:41 EST
I am getting the error below when I try to compile the module. I am using the
command.

checkmodule -M -m mynscd.te -o mynscd.pp

checkmodule:  loading policy configuration from mynscd.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:

I used audit2allow output to create the module before successfully.
Comment 16 Daniel Walsh 2010-01-25 15:27:39 EST
Use the make file

make -f /usr/share/selinux/devel/Makefile
