Bug 671258 - SELinux prevents nslcd from setsched,read
Summary: SELinux prevents nslcd from setsched,read
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss-pam-ldapd
Version: 14
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-20 21:39 UTC by Anthony Messina
Modified: 2011-07-05 15:15 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-05 15:15:18 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Anthony Messina 2011-01-20 21:39:58 UTC 
With a new Fedora 14 install using nss-pam-ldapd, I receive the following errors when nslcd starts up:

type=AVC msg=audit(1295559193.181:4): avc:  denied  { setsched } for  pid=1009 comm="nslcd" scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=process
type=SYSCALL msg=audit(1295559193.181:4): arch=c000003e syscall=144 success=yes exit=0 a0=3f1 a1=0 a2=7f89ba40ccb0 a3=1 items=0 ppid=1 pid=1009 auid=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1295559193.199:5): avc:  denied  { read } for  pid=1009 comm="nslcd" name="tmp" dev=dm-0 ino=1703937 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1295559193.199:5): arch=c000003e syscall=2 success=yes exit=13 a0=332e442a17 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1009 auid=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1295559193.200:6): avc:  denied  { read } for  pid=1009 comm="nslcd" name="tmp" dev=dm-0 ino=132043 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1295559193.200:6): arch=c000003e syscall=4 success=yes exit=0 a0=332e442a1c a1=7f89ba408270 a2=7f89ba408270 a3=1 items=0 ppid=1 pid=1009 auid=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)

audit2allow says:

#============= nslcd_t ==============
allow nslcd_t self:process setsched;
allow nslcd_t tmp_t:dir read;
allow nslcd_t usr_t:lnk_file read;

In case it's of note, I use NFSv4 & krp5p mounted /home directories and the users are stores in LDAP: 389 DS,
Comment 1 Daniel Walsh 2011-01-21 13:07:55 UTC 
Any idea what it is doing with /usr/tmp?
Comment 2 Anthony Messina 2011-01-21 21:41:12 UTC 
I can't tell for sure, but this is what lives there:

-rw-------.  1 root     root      533 Jan 21 15:39 default_0
drwx------.  7 mmessina mmessina 4096 Jan 20 22:20 kdecache-mmessina
drwx------.  2 root     root     4096 Dec 29 10:20 kdecache-root
-rw-------.  1 root     root     1175 Jan 21 15:39 kojid.ccache
drwx------.  3 mmessina mmessina 4096 Jan  1 23:08 yum-mmessina-d1FbzA
drwx------.  2 root     root     4096 Dec 29 13:05 yum-root-jWFk9G
Comment 3 Daniel Walsh 2011-01-24 16:05:18 UTC 
Nalin do you nslcd create kerberos content in /usr/tmp (/var/tmp)
Comment 4 Nalin Dahyabhai 2011-01-24 16:25:33 UTC 
You can configure nslcd to use an already-established credential cache when it needs to authenticate to a directory server using SASL/GSSAPI.  That's about it.
Comment 5 Daniel Walsh 2011-01-24 16:35:11 UTC 
So we need

allow nslcd_t self:process { setsched signal };

files_read_usr_symlinks(nslcd_t)

userdom_read_user_tmp_files(nslcd_t)
Comment 6 Anthony Messina 2011-07-01 20:38:28 UTC 
I no longer see this issue with selinux-policy-targeted-3.9.16-30.fc15.noarch and nss-pam-ldapd-0.7.13-3.fc15.x86_64
Comment 7 Nalin Dahyabhai 2011-07-05 15:15:18 UTC 
Awesome!  If I'm reading the package changelog right, this was also fixed for F14 in 3.9.7-39, so I'll mark this as fixed.
Note You need to log in before you can comment on or make changes to this bug.