Re: nscd AVC

On Jan 11, 2011, at 9:09 AM, Daniel J Walsh wrote:

> 
> On 01/11/2011 09:02 AM, Vadym Chepkov wrote:
>> 
>> On Jan 11, 2011, at 8:40 AM, Daniel J Walsh wrote:
>> 
>>> 
>>> On 01/11/2011 07:26 AM, Vadym Chepkov wrote:
>>>> 
>>>> On Jan 10, 2011, at 2:35 PM, Daniel J Walsh wrote:
>>>> 
>>>>> 
>>>>> On 01/10/2011 02:12 PM, Vadym Chepkov wrote:
>>>>>> 
>>>>>> On Jan 10, 2011, at 1:32 PM, Daniel J Walsh wrote:
>>>>>> 
>>>>>>> 
>>>>>>> On 01/10/2011 12:40 PM, Vadym Chepkov wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> Is it safe to permit these?
>>>>>>>> 
>>>>>>>> selinux-policy-3.9.7-18.fc14.noarch
>>>>>>>> 
>>>>>>>> # ausearch -m avc -ts yesterday
>>>>>>>> ----
>>>>>>>> time->Sun Jan  9 11:23:14 2011
>>>>>>>> type=SYSCALL msg=audit(1294590194.604:12): arch=40000003 syscall=5 success=yes exit=18 a0=57b497 a1=0 a2=1b6 a3=58856a items=0 ppid=1 pid=997 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1294590194.604:12): avc:  denied  { read } for  pid=997 comm="nscd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>>>>>>>> ----
>>>>>>>> time->Sun Jan  9 11:23:14 2011
>>>>>>>> type=SYSCALL msg=audit(1294590194.604:13): arch=40000003 syscall=195 success=yes exit=0 a0=57b49c a1=ae2f16bc a2=29fff4 a3=3 items=0 ppid=1 pid=997 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1294590194.604:13): avc:  denied  { read } for  pid=997 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
>>>>>>>> ----
>>>>>>>> time->Sun Jan  9 11:41:04 2011
>>>>>>>> type=SYSCALL msg=audit(1294591264.449:7): arch=40000003 syscall=195 success=yes exit=0 a0=3f049c a1=ae9f964c a2=38bff4 a3=3 items=0 ppid=1 pid=973 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1294591264.449:7): avc:  denied  { read } for  pid=973 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
>>>>>>>> ----
>>>>>>>> time->Sun Jan  9 11:41:04 2011
>>>>>>>> type=SYSCALL msg=audit(1294591264.448:6): arch=40000003 syscall=5 success=yes exit=16 a0=3f0497 a1=0 a2=1b6 a3=3fd56a items=0 ppid=1 pid=973 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1294591264.448:6): avc:  denied  { read } for  pid=973 comm="nscd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>> 
>>>>>> 
>>>>>>> What is nscd looking for in /tmp?
>>>>>> 
>>>>>> nscd is part of glibc, so the source code is really huge and it uses the TMPDIR environment variable all over the place.
>>>>>> "Don't know" would be an honest answer. Shall I open a bugzilla about it?
>>>>>> 
>>>>>> Thanks,
>>>>>> Vadym
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> I have a feeling that you can dontaudit these rather than allow.  Might
>>>>> be a leaked file descriptor from the calling app. (cron?)
>>>> 
>>>> nscd is started by an init script,
>>>> and if SELinux is in enforcing mode I get these in the syslog during start.
>>>> 
>>>> Jan 11 07:20:55 pegasus nscd: 20613 Access Vector Cache (AVC) started
>>>> Jan 11 07:20:55 pegasus nscd: Can't send to audit system: USER_AVC avc:  netlink poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?
>>>> Jan 11 07:20:55 pegasus nscd: Can't send to audit system: USER_AVC avc:  netlink recvfrom: error 1#012: exe="?" sauid=28 hostname=? addr=? terminal=?
>>>> Jan 11 07:20:55 pegasus nscd: Can't send to audit system: USER_AVC avc:  netlink thread: errors encountered, terminating#012: exe="?" sauid=28 hostname=? addr=? terminal=?
>>>> 
>>>> and then, a bit later, AVCs:
>>>> 
>>>> ----
>>>> time->Tue Jan 11 07:21:24 2011
>>>> type=SYSCALL msg=audit(1294748484.434:7816): arch=40000003 syscall=5 success=no exit=-13 a0=516497 a1=0 a2=1b6 a3=52356a items=0 ppid=1 pid=20622 auid=500 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=1010 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
>>>> type=AVC msg=audit(1294748484.434:7816): avc:  denied  { read } for  pid=20622 comm="nscd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>>>> ----
>>>> time->Tue Jan 11 07:21:24 2011
>>>> type=SYSCALL msg=audit(1294748484.435:7817): arch=40000003 syscall=5 success=no exit=-13 a0=516493 a1=0 a2=1b6 a3=52356a items=0 ppid=1 pid=20622 auid=500 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=1010 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
>>>> type=AVC msg=audit(1294748484.435:7817): avc:  denied  { read } for  pid=20622 comm="nscd" name="tmp" dev=dm-3 ino=8194 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>>>> ----
>>>> time->Tue Jan 11 07:21:24 2011
>>>> type=SYSCALL msg=audit(1294748484.435:7818): arch=40000003 syscall=195 success=no exit=-13 a0=51649c a1=ae3f1350 a2=798ff4 a3=3 items=0 ppid=1 pid=20622 auid=500 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=1010 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
>>>> type=AVC msg=audit(1294748484.435:7818): avc:  denied  { read } for  pid=20622 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
>>>> 
>>>> 
>>>> Vadym
>>>> 
>>> Do you have some kind of special nscd plugin installed?  Anything to do
>>> with Kerberos?
>> 
>> 
>> 
>> No, nothing custom; it is used to cache LDAP credentials (authconfig --enablecache)
>> 
>> Vadym
>> 
>> 
> Does it write the cache to /var/tmp?


No, the cache is in /var/db/nscd/

Vadym
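
Added example (not part of the original messages): the enforcing-mode AVC records quoted in this thread, tallied by source type, target type and object class, with the `dontaudit` rules that would silence them without granting the read, which is the dontaudit-rather-than-allow option raised above. The function names are my own, and the output is bare rules only, without the `policy_module`/`require` wrapper a loadable module needs.

```python
import re
from collections import defaultdict

# AVC records copied from the 11 Jan enforcing-mode output quoted in this thread.
SAMPLE = '''\
type=AVC msg=audit(1294748484.434:7816): avc:  denied  { read } for  pid=20622 comm="nscd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1294748484.435:7817): avc:  denied  { read } for  pid=20622 comm="nscd" name="tmp" dev=dm-3 ino=8194 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1294748484.435:7818): avc:  denied  { read } for  pid=20622 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def setype(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def summarize(log_text):
    """Map (source type, target type, class) -> [permission set, hit count]."""
    seen = defaultdict(lambda: [set(), 0])
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "----" separators, syslog lines
        key = (setype(m['s']), setype(m['t']), m['cls'])
        seen[key][0].update(m['perms'].split())
        seen[key][1] += 1
    return seen


def dontaudit_rules(log_text):
    """One dontaudit rule per distinct access; logging is silenced, access stays denied."""
    rules = []
    for (src, tgt, cls), (perms, _count) in sorted(summarize(log_text).items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'dontaudit {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in dontaudit_rules(SAMPLE):
        print(rule)
```

`audit2allow -D` produces the same kind of rules directly from `ausearch -m avc` output.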

