Bug 160038 - selinux targeted update breaks nscd
Summary: selinux targeted update breaks nscd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 160232
Depends On:
Blocks:
Reported: 2005-06-10 10:04 UTC by Michael Young
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:59:58 UTC


Attachments
Patch to nscd.te which allows nscd to read files of type cert_t (deleted)
2005-06-16 23:25 UTC, Jason Tibbitts

Description Michael Young 2005-06-10 10:04:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4

Description of problem:
After upgrading to selinux-policy-targeted-1.17.30-3.2 I get the following avc error messages after each boot
Jun 10 10:41:28 bigspen kernel: audit(1118396481.548:0): avc:  denied  { search } for  pid=3036 exe=/sbin/syslogd name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396481.548:0): avc:  denied  { search } for  pid=3036 exe=/sbin/syslogd name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396482.763:0): avc:  denied  { search } for  pid=3176 exe=/sbin/ypbind name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:ypbind_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396482.763:0): avc:  denied  { search } for  pid=3176 exe=/sbin/ypbind name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:ypbind_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

and nscd won't shut down from the init script (giving the error
Jun 10 10:55:15 bigspen kernel: audit(1118397315.279:0): avc:  denied  { connectto } for  pid=4937 exe=/usr/sbin/nscd path=/var/run/nscd/socket scontext=root:system_r:nscd_t tcontext=user_u:system_r:nscd_t tclass=unix_stream_socket
), though it does appear to restart without errors if killed manually.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
1. upgrade file and boot
  

Additional info:

Comment 1 Daniel Walsh 2005-06-10 11:01:34 UTC
Can you check out selinux-policy-targeted-1.23.18-3.8

You can get it at 

ftp://people.redhat.com/dwalsh/SELinux/FC3/

Comment 2 Michael Young 2005-06-10 14:32:22 UTC
1.23.18-3.8 gives a load of different errors
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { search } for  pid=3659 exe=/usr/sbin/nscd name=yp dev=hda3 ino=98343 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=867 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=868 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.241:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=869 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.241:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=870 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.244:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=871 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { search } for  pid=3659 exe=/usr/sbin/nscd name=yp dev=hda3 ino=98343 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=872 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.320:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=873 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.330:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=874 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.330:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=875 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 10 14:38:19 bigspen kernel: audit(1118410695.332:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=876 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Comment 3 David Juran 2005-06-11 19:35:45 UTC
I also have an issue with selinux-policy-targeted-1.17.30-3.2 which might be
related. Whenever I start httpd ( httpd-2.0.52-3.1 ) I get the following message:

Jun 11 21:19:49 emilia kernel: audit(1118517589.376:0): avc:  denied  { search } for  pid=27931 exe=/usr/sbin/httpd name=nscd dev=dm-3 ino=245801 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

The file referred to in inode 245801 is /var/run/nscd/

Do note that I do _not_ run nscd... 


Comment 4 Daniel Walsh 2005-06-13 15:43:16 UTC
Are you running in permissive mode?  If yes, run in enforcing mode and see if
AVC message goes away.


Comment 5 Jason Tibbitts 2005-06-13 21:49:40 UTC
*** Bug 160232 has been marked as a duplicate of this bug. ***

Comment 6 Michael Young 2005-06-14 14:31:06 UTC
I get the errors in #2 with enforcing on. 1.17.30-3.9 gives similar errors.

Comment 7 Brad Wade 2005-06-14 18:34:28 UTC
I also get errors from httpd and mysqld with selinux-policy-targeted-1.17.30-3.2
with the same nscd directory (I'm not using nscd, though):

(httpd)
Jun 14 12:32:39 aslan kernel: audit(1118773959.736:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.737:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.738:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:32:39 aslan kernel: audit(1118773959.739:0): avc:  denied  { search } for  pid=5598 exe=/usr/sbin/httpd name=nscd dev=hda10 ino=139972 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

(mysqld)
Jun 14 12:33:17 aslan kernel: audit(1118773997.379:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.379:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.380:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 14 12:33:17 aslan kernel: audit(1118773997.380:0): avc:  denied  { search } for  pid=5764 exe=/usr/libexec/mysqld name=nscd dev=hda10 ino=139972 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Comment 8 Daniel Walsh 2005-06-15 14:50:55 UTC
If you are running ypbind, please execute 

setsebool -P allow_ypbind=1

Dan

Comment 9 Jason Tibbitts 2005-06-15 18:23:44 UTC
I updated to selinux-policy-targeted-1.17.30-3.9; it seemed to relabel the
entire filesystem.  In any case, the nscd control socket stuff (-g, -K, -i)
works fine, but it still traps access to /usr/share/ssl/cacert.pem:

audit(1118858107.560:0): avc:  denied  { read } for  pid=3205 exe=/usr/sbin/nscd name=cacert.pem dev=dm-3 ino=786433 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file

I'm beginning to think that I've chosen a poor location for cacert.pem; I was
just following an example I saw somewhere and can move it somewhere else if it's
causing problems.

Is there some official location that would be better?  /usr/share/ssl/certs?  I
recall that FC4 is using /etc/certs; will that work in FC3?

Comment 10 Jason Tibbitts 2005-06-16 23:24:12 UTC
I read up enough to gain enough understanding of Selinux to be dangerous.  I
don't think that nscd.te includes anything that would allow nscd to access files
of type cert_t.  I hacked a patch (attached) into the RPM and rebuilt; nscd
seems to work now although starting it logs a single line:

audit(1118963275.487:0): avc:  denied  { read } for  pid=2815 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

cert.pem is placed by the openssl package in /usr/share/ssl; it is just a link
to /usr/share/ssl/certs/ca-bundle.crt.  ca-bundle.crt has the appropriate
context.  I do not know if I can configure anything to force it to look
elsewhere.  In any case, this doesn't seem to bother nscd.

Comment 11 Jason Tibbitts 2005-06-16 23:25:23 UTC
Created attachment 115584 [details]
Patch to nscd.te which allows nscd to read files of type cert_t

Comment 12 Jason Tibbitts 2005-06-27 05:59:09 UTC
The latest targeted policy update (1.17.30-3.13) triggers a different error upon
nscd invocation:

nscd: error while loading shared libraries: librt.so.1: failed to map segment
from shared object: Permission denied

audit(1119851000.894:0): avc:  denied  { execute } for  pid=14464 comm=nscd path=/lib/tls/librt-2.3.5.so dev=dm-0 ino=49183 scontext=root:system_r:nscd_t tcontext=system_u:object_r:lib_t tclass=file

[root@ld83 ~]# ls -lZ /lib/tls/librt*
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/librt-2.3.5.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/tls/librt.so.1 -> librt-2.3.5.so

The machine has not survived a reboot.  I'll be happy to provide more
information once I'm in the office with the machine.


Comment 13 Jason Tibbitts 2005-06-27 16:58:08 UTC
The machine was hung at shutdown; this is the last thing that was logged:

Jun 27 00:51:33 ld83 nifd: nifd shutdown succeeded
Jun 27 00:51:34 ld83 autofs: automount shutdown succeeded
Jun 27 00:51:34 ld83 kernel: audit(1119851494.786:0): avc:  denied  { execute } for  pid=15241 comm=nscd path=/lib/tls/librt-2.3.5.so dev=dm-0 ino=49183 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 00:51:34 ld83 nscd: nscd shutdown failed
Jun 27 00:51:34 ld83 ntpd[3447]: ntpd exiting on signal 15
Jun 27 00:51:34 ld83 ntpd: ntpd shutdown succeeded
Jun 27 00:51:34 ld83 nfslock: lockd shutdown failed
Jun 27 00:51:34 ld83 rpc.statd[2880]: Caught signal 15, un-registering and exiting.
Jun 27 00:51:35 ld83 nfslock: rpc.statd shutdown succeeded
Jun 27 00:51:35 ld83 portmap: portmap shutdown succeeded
Jun 27 00:51:35 ld83 kernel: Kernel logging (proc) stopped.
Jun 27 00:51:35 ld83 kernel: Kernel log daemon terminating.
Jun 27 00:51:36 ld83 syslog: klogd shutdown succeeded
Jun 27 00:51:36 ld83 exiting on signal 15

It is headless so I have no further information.

When I rebooted the machine today it came up fine.  The following errors are
logged at nscd startup:

audit(1119891121.027:0): avc:  denied  { read } for  pid=3202 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

(that's the same as before)

audit(1119891124.568:0): avc:  denied  { search } for  pid=3429 exe=/usr/sbin/ntpd name=pki dev=dm-0 ino=33637 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1119891124.571:0): avc:  denied  { search } for  pid=3429 exe=/usr/sbin/ntpd name=pki dev=dm-0 ino=33637 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:cert_t tclass=dir

(these two are new)

but nscd still seems to work OK.

I have no idea why the machine would have hung at shutdown.  I will try to make
sure that I'm present when rebooting all of my other machines to make sure they
don't hang as well.  If I get any further information I'll report it here.
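Triage helper for the AVC lines quoted throughout this bug, added here as an example; it is not part of the bug, of the attached patch, or of the selinux-policy package. It parses the 2005-era kernel AVC format seen above (exe= or comm=, name=/path=/src= fields), merges the denials into audit2allow-style allow rules per (source type, target type, object class), and separately flags the execute denial from comment 12 as a labelling problem (lib_t where shlib_t is expected) rather than a missing rule. The sample lines are constructed from the thread and the mislabel heuristic is this example's own assumption.

```python
import re

# Constructed sample built from denials quoted in this bug (one of each kind)
# plus one ordinary syslog line to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
Jun 10 10:41:28 bigspen kernel: audit(1118396481.548:0): avc:  denied  { search } for  pid=3036 exe=/sbin/syslogd name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:41:28 bigspen kernel: audit(1118396482.763:0): avc:  denied  { search } for  pid=3176 exe=/sbin/ypbind name=nscd dev=hda3 ino=98348 scontext=user_u:system_r:ypbind_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 10 10:55:15 bigspen kernel: audit(1118397315.279:0): avc:  denied  { connectto } for  pid=4937 exe=/usr/sbin/nscd path=/var/run/nscd/socket scontext=root:system_r:nscd_t tcontext=user_u:system_r:nscd_t tclass=unix_stream_socket
audit(1118410695.223:0): avc:  denied  { name_bind } for  pid=3659 exe=/usr/sbin/nscd src=867 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
audit(1119851000.894:0): avc:  denied  { execute } for  pid=14464 comm=nscd path=/lib/tls/librt-2.3.5.so dev=dm-0 ino=49183 scontext=root:system_r:nscd_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 00:51:34 ld83 nscd: nscd shutdown failed
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # Policy rules are written on the type part of user:role:type contexts.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def needed_rules(log_text):
    """Collapse denials into audit2allow-style allow rules, one per
    (source type, target type, class), with permissions merged."""
    merged = {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def mislabelled_paths(log_text):
    """Heuristic (this example's assumption) from comment 12: execute denied on
    a shared object whose target type is not shlib_t is a labelling problem,
    so the fix is to relabel that file, not to allow nscd_t execute on lib_t."""
    return [rec["path"] for rec in filter(None, map(parse_avc, log_text.splitlines()))
            if "execute" in rec["perms"] and rec["tclass"] == "file"
            and ".so" in rec.get("path", "") and rec["ttype"] != "shlib_t"]
```

Rules that come out of the search denials (syslogd_t, ypbind_t, httpd_t, mysqld_t against nscd_var_run_t:dir) are the ones the later policy updates in this bug had to add, while the lib_t execute denial is the one an allow rule would paper over.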

