FC3 nscd AVC denied

Lamont R. Peterson lamont at gurulabs.com
Wed Jan 11 22:01:33 UTC 2006


All,

Here's the setup ... Using authconfig to turn on nscd and set up TLS encrypted 
LDAP authentication & user information, the LDAP server's "server.crt" file 
has been copied to /etc/openldap/ on the client and 
the /etc/openldap/ldap.conf file got the line 
"TLS_CACERT /etc/openldap/server.crt" added to it.  I'm using the latest nscd 
package for FC3 (which fixed another bug related to LDAP).

Starting nscd produces these three avc denied messages 
(from /var/log/messages):

Jan 11 09:56:52 station13 nscd: 27993 Access Vector Cache (AVC) started
Jan 11 09:56:52 station13 nscd: nscd startup succeeded
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  
{ read } for  pid=27993 exe=/usr/sbin/nscd name=cert.pem dev=sda2 ino=738049 
scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t 
tclass=lnk_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  
{ read } for  pid=27993 exe=/usr/sbin/nscd name=urandom dev=tmpfs ino=935 
scontext=root:system_r:nscd_t tcontext=system_u:object_r:urandom_device_t 
tclass=chr_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  
{ read } for  pid=27993 exe=/usr/sbin/nscd name=random dev=tmpfs ino=934 
scontext=root:system_r:nscd_t tcontext=system_u:object_r:random_device_t 
tclass=chr_file

Also, in this configuration, logins to LDAP accounts fail; the username is 
unrecognized.  If I shut down nscd, then LDAP account logins work again.

Running "setsebool -P nscd_disable_trans 1" and then restarting nscd (i.e. 
"/etc/init.d/nscd restart") fixes the login problem.  It appears that nscd 
will only attempt to open file handles to /usr/share/ssl/cert.pem, which is a 
symlink to certs/ca-bundle.crt (both have the label system_u:object_r:usr_t), 
and /dev/random & /dev/urandom at startup.

Examining /etc/selinux/targeted/src/policy/domains/program/nscd.te (that is 
the right file, yes?) in the latest selinux-policy-targeted-sources for FC3 
looks like nscd_t should have access to both urandom_device_t & 
random_device_t:

75: allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr 
read};

which is a little different from the originally shipped policy:

85:  allow nscd_t uransom_device_t:chr_file { getattr read };

It also looks like nscd.te used to have:

86:  r_dir_file(nscd_t, usr_t)

but the newest policy has no lines referencing usr_t.  I'm not certain that 
nscd actually needs to read /usr/share/ssl/cert.pem in order for TLS to work, 
but I can understand the need to access /dev/random and/or /dev/urandom.

OK.  So, I haven't done much writing of SELinux policy, and most of that was a 
while ago, but it looks like the original policy shouldn't have been causing 
these problems to begin with.

What am I missing here?

Oh, and BTW, this configuration works fine on a RHEL4 client without updates, 
which made me think that updating the FC3 selinux-policy-targeted package 
could fix the issue.  Nope; it didn't.

Thanks for all your hard work on SELinux and policy.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
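As an added illustration (not part of the post, and not Fedora's own tooling), the following script does by hand what audit2allow would do with the three AVC messages above: it parses each denial into (source type, target type, object class, permission), subtracts whatever the quoted nscd.te allow rules already grant, and prints the rules that are still missing. The three kernel messages are re-joined onto one line each as constructed sample input; the rules are the two quoted from nscd.te, and macros such as r_dir_file() are not expanded, which is an assumption of this checker rather than a statement about the real policy build.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC messages quoted in the post, re-joined onto one line each.
AVC_LINES = [
    "Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  { read } for  pid=27993 "
    "exe=/usr/sbin/nscd name=cert.pem dev=sda2 ino=738049 scontext=root:system_r:nscd_t "
    "tcontext=system_u:object_r:usr_t tclass=lnk_file",
    "Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  { read } for  pid=27993 "
    "exe=/usr/sbin/nscd name=urandom dev=tmpfs ino=935 scontext=root:system_r:nscd_t "
    "tcontext=system_u:object_r:urandom_device_t tclass=chr_file",
    "Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc:  denied  { read } for  pid=27993 "
    "exe=/usr/sbin/nscd name=random dev=tmpfs ino=934 scontext=root:system_r:nscd_t "
    "tcontext=system_u:object_r:random_device_t tclass=chr_file",
]
# The two nscd.te allow rules quoted in the post (macros such as r_dir_file() are not expanded here).
SHIPPED_POLICY = ["allow nscd_t uransom_device_t:chr_file { getattr read };"]
LATEST_POLICY = ["allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read};"]
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\{[^}]*\}|\S+?):(\S+)\s+\{([^}]*)\}")

def parse_avc(line):
    """Return (result, perms, source type, target type, object class), or None if not an AVC line."""
    if not (m := AVC_RE.search(line)):
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return (m.group(1), set(m.group(2).split()),
            fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2], fields["tclass"])

def parse_allow(rule):
    """Return (source type, set of target types, object class, set of perms), or None."""
    if not (m := ALLOW_RE.search(rule)):
        return None
    return m.group(1), set(m.group(2).strip("{} ").split()), m.group(3), set(m.group(4).split())

def missing_rules(avc_lines, policy):
    """Aggregate denials per (source, target, class), subtract granted perms, emit what is left."""
    needed = defaultdict(set)
    for line in avc_lines:
        rec = parse_avc(line)
        if rec and rec[0] == "denied":
            needed[rec[2:]] |= rec[1]
    granted = [g for g in map(parse_allow, policy) if g]
    out = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        for g_src, g_tgts, g_cls, g_perms in granted:
            if g_src == src and tgt in g_tgts and g_cls == cls:
                perms = perms - g_perms  # already allowed by this rule
        if perms:
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out
```

Run against SHIPPED_POLICY it reports all three denials as uncovered, because the target type spelled `uransom_device_t` in that rule matches neither `urandom_device_t` nor `random_device_t`; against LATEST_POLICY only the `usr_t:lnk_file` read (the cert.pem symlink) remains, which is the access the post notes the newest policy no longer mentions.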