Summary:

SELinux is preventing /bin/bash "write" access on /var/run/nscd/socket.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by sa1. It is not expected that this access is required by sa1 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:sysstat_t:s0
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                /var/run/nscd/socket [ sock_file ]
Source                        sa1
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.2-4.fc13
Target RPM Packages           nscd-2.12-1
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64
Alert Count                   16
First Seen                    Fri 28 May 2010 09:12:54 AM EDT
Last Seen                     Fri 28 May 2010 09:28:01 AM EDT
Local ID                      4e3a01e6-80df-4768-942c-938a6d72f9b6
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1275053281.668:3047): avc: denied { write } for pid=8466 comm="sa1" name="socket" dev=dm-1 ino=20143 scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file

node=(removed) type=AVC msg=audit(1275053281.668:3047): avc: denied { connectto } for pid=8466 comm="sa1" path="/var/run/nscd/socket" scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1275053281.668:3047): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fffcecee9a0 a2=6e a3=400 items=0 ppid=8464 pid=8466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sa1" exe="/bin/bash" subj=system_u:system_r:sysstat_t:s0 key=(null)

Hash String generated from  catchall,sa1,sysstat_t,nscd_var_run_t,sock_file,write
audit2allow suggests:

#============= sysstat_t ==============
allow sysstat_t nscd_t:unix_stream_socket connectto;
allow sysstat_t nscd_var_run_t:sock_file write;
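As an added illustration (not part of the bug report or of the selinux-policy package), the following script parses the raw audit records shown above the way audit2allow does: it pulls the source type, target type, object class and permissions out of each AVC record, merges them into allow rules, and correlates the AVC records with the SYSCALL record to show that with success=yes the access was logged but not enforced (permissive mode). The sample records are copied from the report with the node= field dropped; real auditd output has double spaces around "denied", which the regex also accepts. The raw rules it prints are the ones audit2allow proposed here; the thread's actual fix uses the nscd_socket_use() policy interface instead.

```python
import re
from collections import defaultdict

# Constructed sample: the three raw audit records from the report above, node= field dropped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1275053281.668:3047): avc: denied { write } for pid=8466 comm="sa1" name="socket" dev=dm-1 ino=20143 scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1275053281.668:3047): avc: denied { connectto } for pid=8466 comm="sa1" path="/var/run/nscd/socket" scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1275053281.668:3047): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fffcecee9a0 a2=6e a3=400 items=0 ppid=8464 pid=8466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sa1" exe="/bin/bash" subj=system_u:system_r:sysstat_t:s0 key=(null)
"""

# Real auditd writes "avc:  denied  {" with double spaces; the report collapsed them, so accept both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)')

def parse_avc(text):
    """One dict per AVC record. A context is user:role:type:level; allow rules only name the type."""
    denials = []
    for m in filter(None, map(AVC_RE.search, text.splitlines())):
        denials.append({'serial': m.group('serial'), 'perms': m.group('perms').split(),
                        'stype': m.group('scontext').split(':')[2],
                        'ttype': m.group('tcontext').split(':')[2],
                        'tclass': m.group('tclass')})
    return denials

def syscall_outcomes(text):
    """serial -> did the syscall succeed? In permissive mode an AVC 'denied' still has success=yes."""
    return {m.group('serial'): m.group('success') == 'yes'
            for m in filter(None, map(SYSCALL_RE.search, text.splitlines()))}

def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, merging permissions per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ %s }' % plist
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, plist))
    return rules

def not_actually_blocked(text):
    """Serials whose AVC 'denied' records were logged while the syscall succeeded (permissive mode)."""
    ok = syscall_outcomes(text)
    return sorted({d['serial'] for d in parse_avc(text) if ok.get(d['serial'])})
```

Running `allow_rules(parse_avc(SAMPLE_AUDIT))` yields the two rules audit2allow suggested above, and `not_actually_blocked(SAMPLE_AUDIT)` returns `['3047']`, confirming the access went through.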
Uli, does this make sense to you?
How can this be handled? Not all bash invocations should need the permission. I assume sa1 is a shell script invoked as a command. The label should be applied to this script and it should then transfer to the shell.
Are you saying every app that has a context and is a bash script will try to communicate with nscd?
Miroslav, looks like we need to add

optional_policy(`
	nscd_socket_use(sysstat_t)
')
Fixed in selinux-policy-3.7.19-24.fc13
selinux-policy-3.7.19-28.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.