nis+ support for nscd in targeted policy
Niki Waibel
niki.waibel at newlogic.com
Thu Feb 24 17:33:56 UTC 2005
hi, i am new to selinux.
i usually extend redhat/fedora linux with nis-utils-1.4.1
to access the NIS+ environment.
i've just found out that this is not configured in selinux
of fc3 for nscd:
===
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
avc: denied { read } for pid=20078 exe=/usr/sbin/nscd
name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
tcontext=root:object_r:var_t tclass=file
===
so i guess that the /var/nis/NIS_COLD_START file has to be made
available to the nscd command.
i tried the following (cheers russell coker):
===
cd /etc/selinux/targeted/src/policy
echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
make load
===
but now i get:
===
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
avc: denied { write } for pid=8888 exe=/usr/sbin/nscd
name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
tcontext=user_u:object_r:var_run_t tclass=sock_file
===
i think that the /var/nis (NIS+) dir should be integrated
into the targeted policy like the /var/yp (NIS) dir...
i've tried to add
/var/nis(/.*)? system_u:object_r:var_nis_t
at several places, without success. (i am simply too new
to all this selinux stuff...).
anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd
seems to contact the keyserv program of the portmapper:
===
# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100029    1   udp    980  keyserv
    100029    2   udp    980  keyserv
    100024    1   udp  32772  status
    100024    1   tcp  32776  status
    100021    1   udp  32778  nlockmgr
    100021    3   udp  32778  nlockmgr
    100021    4   udp  32778  nlockmgr
    100021    1   tcp  33060  nlockmgr
    100021    3   tcp  33060  nlockmgr
    100021    4   tcp  33060  nlockmgr
===
which seems to have an open socket at:
# ls -la /var/run/keyservsock
srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock
niki
--
niki w. waibel - system administrator @ newlogic technologies ag
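As an added example (not part of Niki's post and not SELinux project tooling), the Python script below parses the two AVC denials quoted in the message, collapses them into allow rules of the same shape as the custom.te line that was tried, and flags the point a policy reviewer would raise: both targets carry generic types (var_t, var_run_t), so an allow rule on those types reaches every file or socket with that label, not just /var/nis/NIS_COLD_START or /var/run/keyservsock. Relabelling the objects with a dedicated type, as the post's /var/nis file-context line attempts, keeps the rule narrow. The sample lines are the post's own denials joined onto single lines; the GENERIC_TARGET_TYPES set is my own assumption.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in the post, each joined onto a single line
# (the kernel prints them this way before syslog wraps them).
SAMPLE_AVC = [
    "Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } "
    "for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 "
    "scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file",
    "Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } "
    "for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 "
    "scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file",
]

# Matches the permission set and the key=value tail of a kernel AVC denial.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

# Assumption (my own list): catch-all types whose allow rules reach far beyond one object.
GENERIC_TARGET_TYPES = {"var_t", "var_run_t", "tmp_t", "etc_t", "usr_t"}


def parse_avc(line):
    """Return the interesting parts of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],  # contexts are user:role:type
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name", "?"),
        "exe": fields.get("exe", "?"),
    }


def allow_rules(lines):
    """Collapse denials into one allow rule per (source type, target type, class),
    the same shape as the custom.te line in the post."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def generic_target_warnings(lines):
    """Flag denials against a generic target type: allowing nscd_t access to var_t
    grants it every file labelled var_t, not only /var/nis/NIS_COLD_START. A dedicated
    type on the object (the /var/nis file-context idea in the post) keeps the rule narrow."""
    warnings = []
    for line in lines:
        d = parse_avc(line)
        if d and d["target_type"] in GENERIC_TARGET_TYPES:
            warnings.append(
                f"{d['name']} ({d['tclass']}) is labelled {d['target_type']}: an allow rule "
                f"for {d['source_type']} on that type reaches every {d['tclass']} with that label"
            )
    return warnings


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    for w in generic_target_warnings(SAMPLE_AVC):
        print("warning:", w)
```

Run against the two quoted denials it emits `allow nscd_t var_run_t:sock_file { write };` and `allow nscd_t var_t:file { read };` (note that the kernel only asked for read; the getattr in the post's rule was added by hand), and warns on both because each target is a generic type. The warning is the useful part: a denial tells you what nscd touched, but the right fix is usually to label that object with its own type rather than to widen nscd_t's reach over all of var_t.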