hi, i am new to selinux. i usually extend redhat/fedora linux by nis-utils-1.4.1 to access the NIS+ environment. i've just found out that this is not configured in selinux of fc3 for nscd: === Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file === so i guess that the /var/nis/NIS_COLD_START file has to be made available to the nscd command. i tried the following (cheers russell coker): === cd /etc/selinux/targeted/src/policy echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te make load === but now i get: === Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file === i think that the /var/nis (NIS+) dir should be integrated into the targeted policy like the /var/yp (NIS) dir... i've tried to add /var/nis(/.*)? system_u:object_r:var_nis_t at several places, without success. (i am simply too new to all this selinux stuff...). anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd seems to contact the keyserv program of the portmapper: === # rpcinfo -p program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100029 1 udp 980 keyserv 100029 2 udp 980 keyserv 100024 1 udp 32772 status 100024 1 tcp 32776 status 100021 1 udp 32778 nlockmgr 100021 3 udp 32778 nlockmgr 100021 4 udp 32778 nlockmgr 100021 1 tcp 33060 nlockmgr 100021 3 tcp 33060 nlockmgr 100021 4 tcp 33060 nlockmgr === which seems to have an open socket at: # ls -la /var/run/keyservsock srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock niki -- niki w. waibel - system administrator @ newlogic technologies ag