Please do not reply directly to this email. All additional comments should be
made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=491767

--- Comment #17 from Nalin Dahyabhai <nalin@xxxxxxxxxx> 2009-04-21 11:39:50 EDT ---
(In reply to comment #16)
> Well, I figured out that my problems getting this to work simply go away with
> 'setenforce 0'. Here are the complaints I see while running in permissive
> mode:
>
> type=1400 audit(1240256724.128:55): avc: denied { write } for pid=1712
> comm="nscd" name="socket" dev=dm-4 ino=409614
> scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:var_run_t:s0
> tclass=sock_file
>
> type=1400 audit(1240256724.134:56): avc: denied { connectto } for pid=1712
> comm="nscd" path="/var/run/nslcd/socket" scontext=system_u:system_r:nscd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> The daemon started fine, but it seems that nothing could talk to it. I guess
> some policy tweaks will be needed before this gets to the point of being
> useful.

Well, it can't talk to nscd, and nscd can't talk to it. I'm having trouble
reproducing the case where this causes things to fail completely, but
temporarily stopping nscd should take these out of the picture. (Until we get
a policy for it, the daemon's running as initrc_t, which is effectively
unconfined, so it shouldn't have difficulties itself. BTW which policy version
do you have installed?)

> BTW, does Simo know you're packaging this for inclusion? I thought SSSD was
> supposed to do the same thing in a different way.

I'm pretty sure, yes. It's pretty clear that SSSD won't replace nss_ldap or
its successors for 100% of cases.
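As an added example (not part of the original message or the bug report), the sketch below parses the two AVC records quoted above and groups them by source type, target type and class, flagging targets that carry a generic label such as initrc_t or var_run_t, which is the situation the reply attributes to the daemon not having a policy yet. The GENERIC_TYPES set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message, unwrapped to one line each.
SAMPLE = [
    'type=1400 audit(1240256724.128:55): avc: denied { write } for pid=1712 '
    'comm="nscd" name="socket" dev=dm-4 ino=409614 '
    'scontext=system_u:system_r:nscd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=1400 audit(1240256724.134:56): avc: denied { connectto } for pid=1712 '
    'comm="nscd" path="/var/run/nslcd/socket" '
    'scontext=system_u:system_r:nscd_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
]
# Assumption (heuristic): a target with one of these types usually means the
# service has no domain or file label of its own yet.
GENERIC_TYPES = {"initrc_t", "var_run_t", "unlabeled_t", "default_t", "file_t"}
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(ctx):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    src, tgt = se_type(f.get("scontext", "")), se_type(f.get("tcontext", ""))
    if not (src and tgt and "tclass" in f):
        return None
    return {"perms": m.group("perms").split(), "comm": f.get("comm"),
            "object": f.get("path") or f.get("name"),
            "source": src, "target": tgt, "tclass": f["tclass"]}

def summarize(lines):
    """Merge denials per (source, target, class) and flag generic targets."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return [{"source": s, "target": t, "tclass": c, "perms": sorted(p),
             "generic_target": t in GENERIC_TYPES}
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
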