Bug 866605 - Fedora 18 avc denial for useradd transition to nscd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-15 13:38 EDT by Scott Poore
Modified: 2012-12-20 10:15 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-12-20 10:15:57 EST
Type: Bug


Description Scott Poore 2012-10-15 13:38:12 EDT
Description of problem:

With nscd installed, ipa-replica-install seems to fail because of an AVC denial for useradd.  Some digging makes it seem like it's an AVC denial problem?

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-36.fc18.noarch
nscd-2.16-20.fc18.x86_64

How reproducible:
unknown

Steps to Reproduce:
On F18 server (my case was a minimal install).
1.  yum -y install nscd
2.  yum -y install freeipa-server bind bind-dyndb-ldap
3.  on existing ipa server:  ipa-replica-prepare -p <PASSWD> --ip-address=<IP> <hostname>
4.  copy /var/lib/ipa/replica-info-<hostname>.gpg file to new server
5.  ipa-replica-install   -U --setup-dns --setup-ca --forwarder=<DNSFORWARD> -w <PASSWD> -p <PASSWD> replica-info-<HOSTNAME>.gpg

Actual results:

ipa-replica-install output:
...
Configuring directory server: Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
KeyError: 'getpwnam(): name not found: dirsrv'

I lost the /var/log/ipareplica-install.log errors, but it pointed to a problem with permissions for useradd accessing something nscd related.  So, I checked for AVC denials.

ausearch output:

time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.966:941): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc0a0 a2=7fffc29cc090 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.966:941): avc:  denied  { transition } for  pid=7853 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.967:942): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc0a0 a2=7fffc29cc090 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7854 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.967:942): avc:  denied  { transition } for  pid=7854 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.968:943): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc4d0 a2=7fffc29cc4c0 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7855 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.968:943): avc:  denied  { transition } for  pid=7855 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Oct 15 12:59:52 2012
type=SYSCALL msg=audit(1350320392.971:944): arch=c000003e syscall=59 success=no exit=-13 a0=7f76bf3e7f43 a1=7fffc29cc4d0 a2=7fffc29cc4c0 a3=7f76bf3c2a90 items=0 ppid=7852 pid=7856 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350320392.971:944): avc:  denied  { transition } for  pid=7856 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process


Expected results:


Additional info:

One thing here confusing me is that there appears to be a rule for this:
[root@f18-3 ~]# sesearch -s useradd_t -t nscd_t -c process  --allow -C
Found 1 semantic av rules:
   allow useradd_t nscd_t : process transition ;
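Added example (not part of the bug report or of the selinux-policy package): a small sh/awk script that parses AVC records like the ones quoted above and emits the type-enforcement rule each denial asks for, which is the same reduction audit2allow performs. It also flags a process-class denial whose source and target contexts differ in SELinux user or role, as this one does (unconfined_r to system_r). That is the caveat worth knowing when reading the sesearch output above: sesearch --allow lists only TE allow rules and says nothing about policy constraints, so a transition that sesearch shows as allowed can still be denied by a role or user constraint, and audit2why is the tool that reports that case as a constraint violation. The two transition records in the sample are copied from the report; the third record is constructed and hypothetical, added only to show a non-process denial.

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy project.
# Reduces AVC denial records to the TE allow rules they ask for (what
# audit2allow does) and flags process transitions that change user or role,
# which a plain allow rule cannot explain (constraints are the usual cause).
#
# Real-world use:  ausearch -m avc -ts recent | avc_to_te

# Constructed sample input: records 941 and 942 are copied from the report;
# the third record is hypothetical (a made-up file read denial) so that the
# non-process path of the parser is exercised too.
SAMPLE_AVC='type=AVC msg=audit(1350320392.966:941): avc:  denied  { transition } for  pid=7853 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1350320392.967:942): avc:  denied  { transition } for  pid=7854 comm="useradd" path="/usr/sbin/nscd" dev="dm-1" ino=155180 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1350320392.970:950): avc:  denied  { read } for  pid=7860 comm="useradd" name="passwd" dev="dm-1" ino=1234 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file'

# avc_to_te: read AVC records on stdin, print one deduplicated
# "allow <stype> <ttype>:<class> <perm>;" line per denied permission.
avc_to_te() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # The denied permission set sits between "{ " and " }".
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") c = kv[2]
        }
        # A context is user:role:type[:range]; field 3 is the type.
        split(s, sp, ":"); split(t, tp, ":")
        n = split(perm, perms, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " sp[3] " " tp[3] ":" c " " perms[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# avc_context_changes: for process-class denials, report when the SELinux
# user or role differs between source and target context. sesearch --allow
# will not show why such a transition fails; audit2why reports it as a
# constraint violation.
avc_context_changes() {
    awk '
    /type=AVC/ && /denied/ && /tclass=process/ {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") split(kv[2], sp, ":")
            else if (kv[1] == "tcontext") split(kv[2], tp, ":")
        }
        if (sp[1] != tp[1] || sp[2] != tp[2])
            print "context change: " sp[1] ":" sp[2] " -> " tp[1] ":" tp[2] " (" sp[3] " -> " tp[3] ")"
    }' | sort -u
}

# Run both passes over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
printf '%s\n' "$SAMPLE_AVC" | avc_context_changes
```

On the records from this report the first pass yields exactly the rule sesearch already showed as present, and the second pass points at the role change from unconfined_r to system_r, which is the detail to hand to audit2why rather than to audit2allow.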
Comment 1 Scott Poore 2012-10-15 13:49:14 EDT
FYI, I have confirmed that this is not consistently reproducing the ipa-replica-install problem.

Here's some /var/log/ipareplica-install.log output from an attempt to reproduce:

2012-10-15T17:45:43Z DEBUG adding ds user dirsrv
2012-10-15T17:45:43Z DEBUG args=/usr/sbin/useradd -g dirsrv -c DS System User -d /var/lib/dirsrv -s /sbin/nologin -M -r dirsrv
2012-10-15T17:45:43Z DEBUG stdout=
2012-10-15T17:45:43Z DEBUG stderr=useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.
useradd: cannot execute /usr/sbin/nscd: Permission denied
useradd: nscd exited with status 126
useradd: Failed to flush the nscd cache.

2012-10-15T17:45:43Z DEBUG done adding user

In the failed attempt earlier, though, the user was not created.  And I saw no other AVC denials.
Comment 2 Miroslav Grepl 2012-10-16 08:01:15 EDT
Fixed in selinux-policy-3.11.1-40.fc18.noarch
Comment 3 Fedora Update System 2012-10-23 16:35:05 EDT
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18
Comment 4 Fedora Update System 2012-10-26 11:38:01 EDT
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Comment 5 Fedora Update System 2012-10-26 15:27:33 EDT
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-12-20 10:15:59 EST
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.