All,

Here's the setup ... Using authconfig to turn on nscd and set up TLS encrypted LDAP authentication & user information, the LDAP server's "server.crt" file has been copied to /etc/openldap/ on the client and the /etc/openldap/ldap.conf file got the line "TLS_CACERT /etc/openldap/server.crt" added to it. I'm using the latest nscd package for FC3 (which fixed another bug related to LDAP).

Starting nscd produces these three avc denied messages (from /var/log/messages):

Jan 11 09:56:52 station13 nscd: 27993 Access Vector Cache (AVC) started
Jan 11 09:56:52 station13 nscd: nscd startup succeeded
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=cert.pem dev=sda2 ino=738049 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=urandom dev=tmpfs ino=935 scontext=root:system_r:nscd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=random dev=tmpfs ino=934 scontext=root:system_r:nscd_t tcontext=system_u:object_r:random_device_t tclass=chr_file

Also, in this configuration, logins to LDAP accounts fail; the username is unrecognized. If I shut down nscd, then LDAP account logins work again. Running "setsebool -P nscd_disable_trans 1" and then restarting nscd (i.e. "/etc/init.d/nscd restart") fixes the login problem.

It appears that nscd will only attempt to open file handles to /usr/share/ssl/cert.pem, which is a symlink to certs/ca-bundle.crt (both have the label system_u:object_r:usr_t), and /dev/random & /dev/urandom at startup.

Examining /etc/selinux/targeted/src/policy/domains/program/nscd.te (that is the right file, yes?) in the latest selinux-policy-targeted-sources for FC3, it looks like nscd_t should have access to both urandom_device_t & random_device_t:

75: allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };

which is a little different from the originally shipped policy:

85: allow nscd_t urandom_device_t:chr_file { getattr read };

It also looks like nscd.te used to have:

86: r_dir_file(nscd_t, usr_t)

but the newest policy has no lines referencing usr_t. I'm not certain that nscd actually needs to read /usr/share/ssl/cert.pem in order for TLS to work, but I can understand the need to access /dev/random and/or /dev/urandom.

OK. So, I haven't done much writing of SELinux policy, and most of that was a while ago, but it looks like the original policy shouldn't have been causing these problems to begin with. What am I missing here?

Oh, and BTW, this configuration works fine on a RHEL4 client without updates, which made me think that updating the FC3 selinux-policy-targeted package could fix the issue. Nope; it didn't.

Thanks for all your hard work on SELinux and policy.
--
Lamont R. Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
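As an added illustration (not part of the post above or of any Fedora tooling), the following script does by hand what audit2allow does for the three AVC lines quoted in the message: it parses each "avc: denied" record, pulls the source and target types out of the security contexts, aggregates the denied permissions per (source type, target type, object class), and renders the allow rules that would be needed. Reading those rules back against nscd.te is a quick way to check whether the loaded policy actually contains the rule you think it does. The sample log text is copied from the post; the regex and function names are this example's own.

```python
import re
from collections import defaultdict

# Log lines copied from the post above; a non-AVC line is included to show it is skipped.
SAMPLE_LOG = """\
Jan 11 09:56:52 station13 nscd: nscd startup succeeded
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=cert.pem dev=sda2 ino=738049 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=urandom dev=tmpfs ino=935 scontext=root:system_r:nscd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jan 11 09:56:53 station13 kernel: audit(1136998613.032:0): avc: denied { read } for pid=27993 exe=/usr/sbin/nscd name=random dev=tmpfs ino=934 scontext=root:system_r:nscd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
"""

# Matches the permission set and the three context fields of an AVC denial record.
AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perms>[^}]*?) *\} +for .*?"
    r"scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def summarize(log_text):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed[(stype, ttype, tclass)] |= perms
    return dict(needed)


def allow_rules(log_text):
    """Render each aggregated denial as a TE 'allow' rule, the way audit2allow would."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(log_text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Whether such a rule belongs in policy is a separate question; here it is only a way to compare what the kernel denied against what nscd.te grants.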