Bug 161937

Summary: vpnc network causes nscd failure with selinux
Product: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Derek Atkins <warlord>
Assignee: Daniel Walsh <dwalsh>
CC: nalin
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 15:58:00 UTC

Description Derek Atkins 2005-06-28 15:57:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When I run vpnc and get a new DNS server and try to re-initialize nscd (clear the hosts table), I get selinux failures:

Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file

This happens every time I run vpnc to connect to my VPN.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. run vpnc and connect to my VPN
2. check the logs.

Actual Results:  nscd threw the selinux errors and nameservice wasn't flushed or failed.

Expected Results:  nscd should be allowed to talk over the tunnel device.

Additional info:

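As an added example (not part of the bug report or of the selinux-policy package), a small Python triage helper that parses AVC denial lines like the two quoted above, pulls out the source and target types and the object class, flags a target object labelled with another process domain (a socket the confined daemon could only have inherited or been handed, which is what comment 1 asks about), and merges the denials into the allow rules audit2allow would print. The rule text is what such a tool reports for review, not the policy change that closed this bug; the sample input is the two lines from the description.

```python
import re
from collections import defaultdict

# The two AVC lines quoted in the bug description above (not constructed).
SAMPLE_LOG = """\
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    scontext, tcontext = fields["scontext"].split(":"), fields["tcontext"].split(":")
    return {
        "perms": set(m.group("perms").split()),
        "pid": fields.get("pid"), "exe": fields.get("exe"), "path": fields.get("path"),
        # contexts are user:role:type[:level]; only the type matters for TE rules
        "stype": scontext[2], "ttype": tcontext[2], "tclass": fields["tclass"],
        # A socket carries the label of the process that created it. When the target
        # role is a process role (not object_r) the object was created by another
        # domain, so the confined daemon must have inherited or been passed that
        # descriptor; that is what comment 1 below is probing for.
        "foreign_domain_object": tcontext[1] != "object_r",
    }


def audit2allow(lines):
    """Merge denials per (source type, target type, class) into TE allow rules,
    as audit2allow does. The rules are a summary for review; whether to grant them
    (or to keep the caller from passing such descriptors) is a policy decision."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_LOG.splitlines())):
        print(rec["exe"], rec["tclass"], rec["path"], "inherited?" if rec["foreign_domain_object"] else "")
    print("\n".join(audit2allow(SAMPLE_LOG.splitlines())))
```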
Comment 1 Nalin Dahyabhai 2005-07-05 14:51:06 UTC
Which version of vpnc are you using?  Is nscd's init script being called with
"restart" or "reload"?  If it's "restart", is vpnc passing these descriptors to
the init script?

Comment 2 Derek Atkins 2005-07-05 14:59:53 UTC
vpnc-0.3.2-3

As far as I can tell the vpnc code (vpnc-connect) is not calling the nscd init
script, but just calling "nscd -i hosts" directly.  According to the manpage
that is supposed to invalidate the hosts cache.

I did (once, not sure how to repeat it) get nscd into a state where I couldn't
reload from the initscript because of selinux failures.  But I haven't been
able to reproduce that one so I didn't really want to talk about it.

Comment 3 Daniel Walsh 2005-07-11 17:31:21 UTC
Fixed in selinux-policy-targeted-1.25.1-7

Comment 4 Derek Atkins 2005-07-11 22:39:38 UTC
Thank you, Daniel.  Any chance the fix can be backported to FC3?