Description of problem:
Kerberos user cannot log in (a by-product of not being able to find groups for the Kerberos user) when the system has SELinux in enforcing mode and nscd is running. Setting SELinux to permissive eliminates the issue, but there are AVC denied errors logged in /var/log/audit/audit.log. Details are given under Additional info. Running the groups command for a Kerberos/LDAP user on a system with SELinux in enforcing mode and nscd running fails with the error "no such user", but when SELinux is set to permissive, groups for the same user are listed fine.

Version-Release number of selected component (if applicable):
CentOS 5.3
krb5-libs.x86_64 1.6.1-31.el5
krb5-workstation.x86_64 1.6.1-31.el5
nss_ldap.x86_64 253-17.el5
nscd.x86_64 2.5-34
selinux-policy.noarch 2.4.6-203.el5
selinux-policy-targeted.noarch 2.4.6-203.el5

How reproducible:
Always

Steps to Reproduce:
The command below can be used to reproduce what I am facing.

getenforce && groups foo && nscd -i passwd && nscd -i group && setenforce 1 && getenforce && service nscd restart && groups foo

The output of the above command:

Permissive
foo : bargrp1 foogrp1 bargrp2
Enforcing
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
id: foo: No such user

When I turn SELinux to permissive again, groups lookup works for the user:

nscd -i passwd && nscd -i group && setenforce 0 && getenforce && service nscd restart && groups foo

Permissive
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
foo : bargrp1 foogrp1 bargrp2

Additional info:
Audit log snippet with nscd-related AVC messages:

type=AVC msg=audit(1263943029.792:1505): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1505): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1506): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1506): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1507): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1507): arch=c000003e syscall=2 success=no exit=-13 a0=2b87696058e0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.792:1508): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1508): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1509): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1509): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1510): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1510): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1511): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1511): arch=c000003e syscall=2 success=no exit=-13 a0=2b8769605910 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.812:1512): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.812:1512): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1513): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1513): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1514): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1514): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695befd0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1515): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1515): arch=c000003e syscall=2 success=no exit=-13 a0=2b87696061c0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.832:1516): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.832:1516): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1517): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1517): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae7a0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1518): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1518): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695bee90 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1519): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1519): arch=c000003e syscall=2 success=no exit=-13 a0=2b87695af2a0 a1=0 a2=180 a3=2b875ca0aa30 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1263943029.852:1520): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.852:1520): arch=c000003e syscall=21 success=no exit=-13 a0=2b87695ae2b0 a1=2 a2=2b875bc5f1e8 a3=65726373662f7274 items=0 ppid=1 pid=19685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
Try # restorecon -v /etc/krb5.conf /tmp/krb*
I did try that. /etc/krb5.conf got its SELinux context fixed, but the /tmp/krb5cc_0 context did not change.

# restorecon -v /etc/krb5.conf /tmp/krb*
restorecon reset /etc/krb5.conf context system_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0

After that, in enforcing mode, groups lookup resulted in the same error as before. AVC messages are as below.

type=AVC msg=audit(1264024958.980:4220): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024958.980:4220): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8464410 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.000:4221): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.000:4221): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492420 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.100:4222): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.100:4222): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc8492480 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264024959.200:4223): avc: denied { read } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264024959.200:4223): arch=c000003e syscall=2 success=no exit=-13 a0=2b5fc83c5c40 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)

Setting SELinux to permissive mode enabled groups lookup for the Kerberos user but resulted in the AVC messages below:

type=AVC msg=audit(1264025107.290:4234): avc: denied { read } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4234): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.290:4235): avc: denied { lock } for pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 a0=10 a1=7 a2=4318ad20 a3=2b5fae065a30 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.330:4236): avc: denied { write } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.330:4236): arch=c000003e syscall=2 success=yes exit=16 a0=2b5fc83ad0f0 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4237): avc: denied { read } for pid=4180 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4237): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f848a0 a1=0 a2=180 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.460:4238): avc: denied { lock } for pid=4180 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.460:4238): arch=c000003e syscall=72 success=yes exit=0 a0=11 a1=7 a2=42b87830 a3=2b5fae065a30 items=0 ppid=1 pid=4180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1264025107.560:4239): avc: denied { write } for pid=4184 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.560:4239): arch=c000003e syscall=2 success=yes exit=17 a0=2b5fc8f88810 a1=2 a2=180 a3=2 items=0 ppid=1 pid=4184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)

Note: *nscd is running as user root*
Why is nscd using a credential cache file? Why is a credential cache file owned by root?
nscd is using the Kerberos TGT of the system, which resides under /tmp. LDAP user/group lookups use Kerberos/GSSAPI. nscd is running as the root user for the same reason, so that it can do LDAP lookups using the system TGT.
Is nscd using a keytab file to create a TGT? Who created the /tmp/krb5cc_0 file?
nscd does not create the TGT but is trying to access the ticket cache obtained by the system. kinit run from a cron job obtains/renews the TGT using the principal SERVERNAME$@KERBEROS.REALM.
If this TGT is just for nscd, why not create it in /var/run/nscd? Then nscd can read it and no users can attack it.
This TGT is not specific to nscd. It is used by the system as well.
Pramod, you can add this access for now. Nalin, do you have any suggestions?
Thanks. I have put the SELinux policy changes below. Will this be a workaround for now?

module nscd 1.0;

require {
	type tmp_t;
	type etc_t;
	type nscd_t;
	class process ptrace;
	class file { read lock write };
}

#============= nscd_t ==============
allow nscd_t etc_t:file write;
allow nscd_t self:process ptrace;
allow nscd_t tmp_t:file { read lock write };
Remove the etc_t line, you do not need this. Not sure where the ptrace line came from. I think you actually need:

policy_module(mynscd, 1.0)

gen_require(`
	type nscd_t, tmp_t;
')

allow nscd_t tmp_t:file read_file_perms;
dontaudit nscd_t tmp_t:file write;
I got it from audit2allow output.
The etc_t entry was caused by the /etc/krb5.conf file being mislabeled. You did not show the ptrace output from earlier. Adding that access is not a problem.
I am getting the error below when I try to compile the module. I am using the command:

checkmodule -M -m mynscd.te -o mynscd.pp

checkmodule: loading policy configuration from mynscd.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:

I used audit2allow output to create the module successfully before.
Use the Makefile:

make -f /usr/share/selinux/devel/Makefile
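As an added example (not from the bug report or any of its participants), a small Python triage script for the step the thread goes through by hand: it parses AVC records in the format shown above, joins each to its SYSCALL record to separate enforced denials (success=no) from permissive-mode ones (success=yes), and collapses the repeats into audit2allow-style rules while keeping the object names, so that a denial on a generic type such as etc_t for krb5.conf is recognised as the mislabeling that restorecon fixes rather than copied into an allow rule. The sample records are constructed, trimmed copies of the ones in this report.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the bug's audit.log snippets (SYSCALL records trimmed).
SAMPLE_LOG = """\
type=AVC msg=audit(1263943029.792:1505): avc: denied { write } for pid=19685 comm="nscd" name="krb5.conf" dev=dm-0 ino=1279092 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1505): arch=c000003e syscall=21 success=no exit=-13 pid=19685 comm="nscd" exe="/usr/sbin/nscd"
type=AVC msg=audit(1263943029.792:1507): avc: denied { read } for pid=19685 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1263943029.792:1507): arch=c000003e syscall=2 success=no exit=-13 pid=19685 comm="nscd" exe="/usr/sbin/nscd"
type=AVC msg=audit(1264025107.290:4235): avc: denied { lock } for pid=4183 comm="nscd" path="/tmp/krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.290:4235): arch=c000003e syscall=72 success=yes exit=0 pid=4183 comm="nscd" exe="/usr/sbin/nscd"
type=AVC msg=audit(1264025107.330:4236): avc: denied { write } for pid=4183 comm="nscd" name="krb5cc_0" dev=dm-0 ino=1048580 scontext=root:system_r:nscd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1264025107.330:4236): arch=c000003e syscall=2 success=yes exit=16 pid=4183 comm="nscd" exe="/usr/sbin/nscd"
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for '
    r'.*?(?:name|path)="(?P<obj>[^"]*)" .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)')

def parse_avc(log_text):
    """One dict per AVC record, joined by event serial to its SYSCALL record:
    success=no means enforced, success=yes means only logged (permissive mode)."""
    permissive, avcs = {}, []
    for line in log_text.splitlines():
        if m := SYSCALL_RE.match(line):
            permissive[m['serial']] = m['success'] == 'yes'
        elif m := AVC_RE.match(line):
            avcs.append({'serial': m['serial'], 'obj': m['obj'],
                         'perms': set(m['perms'].split()), 'tclass': m['tclass'],
                         'stype': m['scon'].split(':')[2],   # e.g. nscd_t
                         'ttype': m['tcon'].split(':')[2]})  # e.g. tmp_t
    for a in avcs:
        a['permissive'] = permissive.get(a['serial'])  # None if unpaired
    return avcs

def summarize(avcs):
    """Collapse repeats into (source, target, class) -> perms, as audit2allow does,
    but keep object names: etc_t on krb5.conf is mislabeling (restorecon), not a missing rule."""
    rules = defaultdict(lambda: {'perms': set(), 'objects': set(), 'enforced': 0})
    for a in avcs:
        r = rules[(a['stype'], a['ttype'], a['tclass'])]
        r['perms'] |= a['perms']
        r['objects'].add(a['obj'])
        r['enforced'] += int(a['permissive'] is False)
    return dict(rules)

def allow_rules(rules):
    """Render the collapsed denials as audit2allow-style allow lines."""
    out = []
    for (s, t, c), r in sorted(rules.items()):
        perms = ' '.join(sorted(r['perms']))
        if len(r['perms']) > 1:
            perms = '{ ' + perms + ' }'
        out.append(f'allow {s} {t}:{c} {perms};')
    return out
```

On the sample the etc_t rule collapses to a single `write` on krb5.conf, which is the line to drop after restorecon, and the tmp_t rule accumulates `{ lock read write }` across the enforced and permissive runs.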