Description of problem:
Currently nscd restarts itself, if in paranoia mode, by running

  execv ("/proc/self/exe", argv);

Bug 490010 is about changing this to (essentially)

  bytes = readlink("/proc/self/exe", target, 255);
  target[bytes] = '\0';
  execv (target, argv);

On RHEL 5.3, target is /usr/sbin/nscd. SELinux policy blocks this from running. The error is

type=AVC msg=audit(1236889747.325:55): avc: denied { search } for pid=10495 comm="nscd" name="sbin" dev=dm-0 ino=2352438 scontext=root:system_r:nscd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir

A one line addition to the policy fixes the problem:

allow nscd_t sbin_t:dir { search } ;

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-203.el5.noarch
selinux-policy-targeted-2.4.6-203.el5.noarch

How reproducible:
every time

Steps to Reproduce:
1. patch glibc as shown in bug 490010
2. start nscd in paranoia mode with a short timeout of 30 seconds

Actual results:
Within 30 seconds of starting nscd, nscd fails to restart itself and the above error appears in /var/log/audit.log

Expected results:
nscd restarts itself

Additional info:
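The readlink/execv re-exec scheme described above, written out as an added example (not glibc's or nscd's own code): it shows why the raw readlink() result must be NUL-terminated and checked for truncation before it is used as the execv path, and why the denial lands on the directory search (the kernel has to walk every component of the resolved path, /usr/sbin included, labelled sbin_t). The helper names readlink_nul, reexec_self and self_test and the temporary symlink used by the self-check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* readlink(2) neither NUL-terminates nor reports truncation, so the raw
 * byte count cannot be used as a string length blindly. Returns the
 * target length on success, -1 (errno set) on error or if the target
 * does not fit in buf together with the terminator. */
ssize_t readlink_nul(const char *link, char *buf, size_t bufsz)
{
    if (bufsz == 0) { errno = EINVAL; return -1; }
    ssize_t n = readlink(link, buf, bufsz - 1);
    if (n < 0)
        return -1;
    if ((size_t)n == bufsz - 1) {   /* possibly truncated: refuse it */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Re-exec the running binary via its resolved on-disk path, as bug
 * 490010 proposes. The new image is looked up by path, so the domain
 * needs search on every directory along it (sbin_t for /usr/sbin). */
int reexec_self(char *const argv[])
{
    char target[PATH_MAX];
    if (readlink_nul("/proc/self/exe", target, sizeof target) < 0)
        return -1;
    execv(target, argv);   /* only returns on failure, e.g. EACCES */
    return -1;
}

/* Constructed self-check: a temporary symlink standing in for
 * /proc/self/exe and pointing at /usr/sbin/nscd (the path need not
 * exist; readlink does not follow it). Returns 1 when resolution and
 * truncation handling behave as expected. */
int self_test(void)
{
    char dir[] = "/tmp/nscdXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char link[64];
    snprintf(link, sizeof link, "%s/exe", dir);
    int ok = 0;
    if (symlink("/usr/sbin/nscd", link) == 0) {
        char big[256], small[8];
        ok = readlink_nul(link, big, sizeof big) == 14
          && strcmp(big, "/usr/sbin/nscd") == 0
          && readlink_nul(link, small, sizeof small) == -1
          && errno == ENAMETOOLONG;
        unlink(link);
    }
    rmdir(dir);
    return ok;
}
```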
Fixed in selinux-policy-2.4.6-218.el5. Preview to U4 policy is available on http://people.redhat.com/dwalsh/SElinux/RHEL5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1242.html