the audit2allow prg has helped me to generate this file:
===
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
===

using that, nscd starts without trouble! it still cannot get any nis+ data,
it seems. no audit errors are produced... i'll check that tomorrow.

niki

On 24-Feb-2005 Niki Waibel wrote:
> hi, i am new to selinux.
>
> i usually extend redhat/fedora linux by nis-utils-1.4.1
> to access the NIS+ environment.
>
> i've just found out that this is not configured in selinux
> of fc3 for nscd:
> ===
> Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
> avc: denied { read } for pid=20078 exe=/usr/sbin/nscd
> name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
> tcontext=root:object_r:var_t tclass=file
> ===
> so i guess that the /var/nis/NIS_COLD_START file has to be made
> available to the nscd command.
>
> i tried the following (cheers russell coker):
> ===
> cd /etc/selinux/targeted/src/policy
> echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
> make load
> ===
> but now i get:
> ===
> Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
> avc: denied { write } for pid=8888 exe=/usr/sbin/nscd
> name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
> tcontext=user_u:object_r:var_run_t tclass=sock_file
> ===
>
> i think that the /var/nis (NIS+) dir should be integrated
> into the targeted policy like the /var/yp (NIS) dir...
>
> i've tried to add
> /var/nis(/.*)? system_u:object_r:var_nis_t
> at several places, without success. (i am simply too new
> to all this selinux stuff...).
>
> anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd
> seems to contact the keyserv program of the portmapper:
> ===
> # rpcinfo -p
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100029    1   udp    980  keyserv
>     100029    2   udp    980  keyserv
>     100024    1   udp  32772  status
>     100024    1   tcp  32776  status
>     100021    1   udp  32778  nlockmgr
>     100021    3   udp  32778  nlockmgr
>     100021    4   udp  32778  nlockmgr
>     100021    1   tcp  33060  nlockmgr
>     100021    3   tcp  33060  nlockmgr
>     100021    4   tcp  33060  nlockmgr
> ===
>
> which seems to have an open socket at:
> # ls -la /var/run/keyservsock
> srw-rw-rw-  1 root root 0 Feb 24 04:58 /var/run/keyservsock
>
> niki
> --
> niki w. waibel - system administrator @ newlogic technologies ag
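To show what audit2allow is doing with the AVC lines quoted in this thread, here is a small POSIX shell/awk script (an added example, not code from the thread or from audit2allow itself) that reads "avc: denied" log lines and merges them into one allow rule per source type, target type and object class; the sample lines are constructed from the two denials above plus the getattr denial implied by the generated rule.

```shell
#!/bin/sh
# Constructed sample AVC lines, modelled on the denials quoted in the thread.
SAMPLE_AVC='Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.180:0): avc: denied { getattr } for pid=20078 exe=/usr/sbin/nscd path=/var/nis/NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file'

# avc_to_allow: read AVC denial lines on stdin and print one "allow" rule
# per (source type, target type, class), merging the permissions seen.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # the permissions are the words between "{" and "}"
      if (match($0, /[{][^}]*[}]/))
        perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # contexts are user:role:type[:level]; the type is the third field
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")   { cls = kv[2] }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
      if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
    }
    END {
      for (k = 1; k <= nkeys; k++) {
        key = keys[k]
        if (index(seen[key], " ") > 0)
          printf "allow %s { %s };\n", key, seen[key]
        else
          printf "allow %s %s;\n", key, seen[key]
      }
    }'
}

# Stand-alone run: prints the merged rules for the sample lines.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Note that a rule generated this way targets whatever type the denied object currently carries, so `allow nscd_t var_t:file ...` lets nscd read every plain file labelled with the generic var_t, not just /var/nis/NIS_COLD_START; giving /var/nis its own type, as proposed above, keeps the grant narrow.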