Bug 1536689 - nscd cannot read its database in /var/db/nscd
Summary: nscd cannot read its database in /var/db/nscd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-19 23:04 UTC by Mathieu Chouquet-Stringer
Modified: 2018-12-14 02:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-11 16:54:50 UTC
Type: Bug
Embargoed:



Description Mathieu Chouquet-Stringer 2018-01-19 23:04:34 UTC
Description of problem:
SELinux is blocking access to all files under /var/db/nscd

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-283.21.fc27.noarch
nscd-2.26-21.fc27.x86_64


How reproducible:
Install nscd, start it and you will get the following in:

Jan 19 23:59:38 foobar systemd[1]: Starting Name Service Cache Daemon...
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/passwd` (1)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/group` (3)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/hosts` (4)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/resolv.conf` (5)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring file `/etc/services` (6)
Jan 19 23:59:38 foobar nscd[14613]: 14613 monitoring directory `/etc` (2)
Jan 19 23:59:38 foobar nscd[14613]: 14613 disabled inotify-based monitoring for file `/etc/netgroup': No such file or directory
Jan 19 23:59:38 foobar nscd[14613]: 14613 stat failed for file `/etc/netgroup'; will try again later: No such file or directory
Jan 19 23:59:38 foobar systemd[1]: Started Name Service Cache Daemon.
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/passwd: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/group: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/hosts: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/services: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/netgroup: Permission denied
Jan 19 23:59:38 foobar nscd[14613]: 14613 Access Vector Cache (AVC) started
Jan 19 23:59:57 foobar nscd[14613]: 14613 checking for monitored file `/etc/netgroup': No such file or directory

At the same time, audit.log shows:
type=AVC msg=audit(1516402778.936:1275): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/passwd" dev="dm-1" ino=12854056 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.936:1276): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/group" dev="dm-1" ino=12854057 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1277): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/hosts" dev="dm-1" ino=12854058 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1278): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/services" dev="dm-1" ino=12854059 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516402778.937:1279): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/netgroup" dev="dm-1" ino=12854060 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

I've made sure the directory is properly labelled and it's all good.

Comment 1 Fedora Update System 2018-02-20 11:14:33 UTC
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 2 Fedora Update System 2018-02-20 18:19:07 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 3 Fedora Update System 2018-02-27 17:21:33 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Mathieu Chouquet-Stringer 2018-04-19 20:49:23 UTC
Hello,

It seems to be fixed now, but fixing it added a new problem: clients of nscd (so basically anything using the glibc for host/user/group/more resolution) are denied access to the database.

Should this be a new bug or not?

type=AVC msg=audit(1524100503.021:20386): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524100503.023:20387): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/group" dev="dm-0" ino=13347969 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524159812.542:20744): avc:  denied  { map } for  pid=27302 comm="kdump-dep-gener" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524159812.542:20745): avc:  denied  { map } for  pid=27307 comm="selinux-autorel" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.248:148): avc:  denied  { map } for  pid=1082 comm="aliasesdb" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.448:149): avc:  denied  { map } for  pid=1122 comm="(colord)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.448:150): avc:  denied  { map } for  pid=1122 comm="(colord)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170248.645:153): avc:  denied  { map } for  pid=1135 comm="chroot-update" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170254.440:203): avc:  denied  { map } for  pid=1332 comm="(systemd)" path="/var/db/nscd/passwd" dev="dm-1" ino=13347968 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170254.440:204): avc:  denied  { map } for  pid=1332 comm="(systemd)" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

type=AVC msg=audit(1524170256.896:238): avc:  denied  { map } for  pid=1560 comm="dhclient" path="/var/db/nscd/services" dev="dm-1" ino=13347971 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0


type=AVC msg=audit(1524170662.840:340): avc:  denied  { map } for  pid=4465 comm="dbus-daemon-lau" path="/var/db/nscd/group" dev="dm-1" ino=13347969 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0

Comment 5 Mathieu Chouquet-Stringer 2018-04-19 21:43:09 UTC
There's also:
type=AVC msg=audit(1524173771.997:285): avc:  denied  { connectto } for  pid=1049 comm="abrt-dump-journ" path="/run/nscd/socket" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket permissive=0

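Added example, not code from the bug report or from the selinux-policy project: a small Python parser that groups the AVC records from the description and comments 4 and 5 by source type, target type and object class, which is the same grouping audit2allow performs before it emits rules. The sample records embedded below are copied from this report; the resulting rules are meant for comparison against the shipped policy and for reporting, as the setroubleshoot text in the thread advises, not for local installation.

```python
import re
from collections import defaultdict

# Sample AVC records copied from this report (description, comments 4 and 5),
# plus one non-AVC journal line; a constructed subset so the example runs offline.
SAMPLE_AVC = r"""
type=AVC msg=audit(1516402778.936:1275): avc:  denied  { map } for  pid=14613 comm="nscd" path="/var/db/nscd/passwd" dev="dm-1" ino=12854056 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524100503.021:20386): avc:  denied  { map } for  pid=18475 comm="logrotate" path="/var/db/nscd/passwd" dev="dm-0" ino=13347968 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524170256.896:238): avc:  denied  { map } for  pid=1560 comm="dhclient" path="/var/db/nscd/services" dev="dm-1" ino=13347971 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524173771.997:285): avc:  denied  { connectto } for  pid=1049 comm="abrt-dump-journ" path="/run/nscd/socket" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket permissive=0
Jan 19 23:59:38 foobar nscd[14613]: 14613 cannot write to database file /var/db/nscd/passwd: Permission denied
"""

# "avc:  denied  { map }" -> verdict plus the permission set inside the braces
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}")
# key=value pairs; values are either quoted (comm="nscd") or bare (scontext=...)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for a line that is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def sel_type(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def summarize_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
            denied[key].update(rec["perms"])
    return dict(denied)


def to_allow_rules(denied):
    """Render the summary as audit2allow-style rules, for review and reporting only."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(denied.items())]
```

Running `to_allow_rules(summarize_denials(SAMPLE_AVC))` yields one rule per client domain, which makes it easy to see that the second round of denials (logrotate_t, dhcpc_t and others mapping nscd_var_run_t) is a different policy gap from the original nscd_t one.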
Comment 6 Mathieu Chouquet-Stringer 2018-05-15 19:58:52 UTC
Same thing present in F28.

SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon-lau should be allowed map access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
# semodule -X 300 -i my-dbusdaemonlau.pp

And so on...

SELinux is preventing logrotate from map access on the file /var/db/nscd/group.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed map access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

Comment 7 John Hein 2018-06-07 20:11:33 UTC
Still happening on F27...

Jun  7 09:20:23 myhostxxx setroubleshoot[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket. For complete SELinux messages run: sealert -l 854c2b4b-b1e5-49bc-948f-5baa04773dec
Jun  7 09:20:23 myhostxxx python3[12840]: SELinux is preventing nscd from write access on the sock_file system_bus_socket.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that nscd should be allowed write access on the system_bus_socket sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nscd' --raw | audit2allow -M my-nscd#012# semodule -X 300 -i my-nscd.pp#012
Jun  7 09:20:26 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e
Jun  7 09:20:26 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012
Jun  7 09:20:28 myhostxxx audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  7 09:20:29 myhostxxx setroubleshoot[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 287ebeba-bbfe-4224-8101-bc3990bdf98e
Jun  7 09:20:29 myhostxxx python3[12840]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dbus-daemon-lau should be allowed map access on the group file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau#012# semodule -X 300 -i my-dbusdaemonlau.pp#012

Comment 8 Ken Snider 2018-08-20 20:49:29 UTC
This is still an issue, and has now migrated to the most recent updates of RHEL7 as well.

Comment 9 Fedora Update System 2018-09-06 21:56:11 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 10 Fedora Update System 2018-09-07 17:11:39 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 11 Fedora Update System 2018-09-11 16:54:50 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Francesco Simula 2018-10-12 14:18:46 UTC
(In reply to Fedora Update System from comment #11)
> selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable
> repository. If problems still persist, please make note of it in this bug
> report.

selinux-policy is already at version 3.14.1-44 but the problem still persists (on Fedora 28), at least as spam in journalctl because everything seems to be working...

ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180
ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/passwd.
                                       
                                       *****  Plugin catchall (100. confidence) suggests   **************************
                                       
                                       If you believe that dbus-daemon-lau should be allowed map access on the passwd file by default.
                                       Then you should report this as a bug.
                                       You can generate a local policy module to allow this access.
                                       Do
                                       allow this access for now by executing:
                                       # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
                                       # semodule -X 300 -i my-dbusdaemonlau.pp
                                       
ott 12 16:15:30 grundig setroubleshoot[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group. For complete SELinux messages run: sealert -l 5e1fd7c8-dcca-4536-bbbe-017abfe58180
ott 12 16:15:30 grundig python3[1932]: SELinux is preventing dbus-daemon-lau from map access on the file /var/db/nscd/group.
                                       
                                       *****  Plugin catchall (100. confidence) suggests   **************************
                                       
                                       If you believe that dbus-daemon-lau should be allowed map access on the group file by default.
                                       Then you should report this as a bug.
                                       You can generate a local policy module to allow this access.
                                       Do
                                       allow this access for now by executing:
                                       # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau
                                       # semodule -X 300 -i my-dbusdaemonlau.pp

