Bug 189779

Summary: nscd can't use paranoia mode with default config

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 4 | Reporter | Bastien Nocera <bnocera> |
| Component | glibc | Assignee | Jakub Jelinek <jakub> |
| Status | CLOSED ERRATA | QA Contact | Brian Brock <bbrock> |
| Severity | medium | Priority | medium |
| Version | 4.0 | CC | tao |
| Hardware | All | OS | Linux |
| Fixed In Version | RHBA-2006-0510 | Doc Type | Bug Fix |
| Last Closed | 2006-08-10 21:36:01 UTC | Bug Blocks | 181409 |
Description

Bastien Nocera
2006-04-24 16:15:16 UTC

I checked in a patch upstream which should fix this issue. We should have used setres[gu]id instead of set[gu]id in a few places.

The customer tested this patch:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.86&r2=1.87

And it would only restart once using the paranoia, then would throw the same error:

```
26908: re-exec failed: Permission denied; disabling paranoia mode
```

Any audit messages regarding this?

On FC5 where glibc-2.4-7 (fc5-updates-candidate) has the same patch, nscd will not re-exec properly due to SELinux policy not allowing it:

```
rpm -q nscd; egrep '^[^#].*(paranoia|restart|user)' /etc/nscd.conf
nscd-2.4-7
server-user nscd
paranoia yes
restart-interval 60
```

```
May 9 13:40:03 hammer nscd: 21463 Access Vector Cache (AVC) started
May 9 13:41:09 hammer nscd: 21463 re-exec failed: Permission denied; disabling paranoia mode
May 9 13:41:09 hammer kernel: audit(1147174869.158:9): avc: denied { execute_no_trans } for pid=21463 comm="nscd" name="nscd" dev=hda3 ino=396997 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_exec_t:s0 tclass=file
```

while if I `sudo chcon system_u:object_r:bin_t /usr/sbin/nscd` and restart nscd, it works fine:

```
May 9 13:44:30 hammer nscd: 21596 Access Vector Cache (AVC) started
May 9 13:45:30 hammer nscd: 21657 Access Vector Cache (AVC) started
May 9 13:46:31 hammer nscd: 21706 Access Vector Cache (AVC) started
May 9 13:47:32 hammer nscd: 21755 Access Vector Cache (AVC) started
May 9 13:48:32 hammer nscd: 21803 Access Vector Cache (AVC) started
May 9 13:49:33 hammer nscd: 21851 Access Vector Cache (AVC) started
May 9 13:50:33 hammer nscd: 21901 Access Vector Cache (AVC) started
May 9 13:51:35 hammer nscd: 21950 Access Vector Cache (AVC) started
May 9 13:52:35 hammer nscd: 21999 Access Vector Cache (AVC) started
May 9 13:53:36 hammer nscd: 22048 Access Vector Cache (AVC) started
May 9 13:54:37 hammer nscd: 22095 Access Vector Cache (AVC) started
```

SELinux is disabled on the machine nscd was started on. Is the patch posted above sufficient to fix this problem?

The patch in glibc-2.3.4-2.20 (and FC4/FC5 testing updates) is not just -r1.8{6,7} of nscd/connections.c, but -r1.8{5,7}.
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.85&r2=1.87

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2006-0510.html
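The setres[gu]id versus set[gu]id point raised in the first comment, as an added illustration that is not nscd's or glibc's code: a C model of the Linux uid-triple rules showing that a root daemon which drops to its server user with setuid() discards the saved uid and cannot regain root for a paranoia-mode re-exec, while setresuid() can park the old uid in the saved slot so the restart step still works. The server uid 28 and the function names are constructed for the example.

```c
#include <stdio.h>
#include <sys/types.h>
/* A process's uid triple: real, effective and saved set-user-ID. */
struct uids { uid_t real, eff, saved; };

/* setuid(2) on Linux: euid 0 sets all three ids at once (irreversible);
   an unprivileged caller may only move euid to the real or saved id. */
static int model_setuid(struct uids *p, uid_t u)
{
    if (p->eff == 0) { p->real = p->eff = p->saved = u; return 0; }
    if (u == p->real || u == p->saved) { p->eff = u; return 0; }
    return -1;                                   /* EPERM */
}

/* setresuid(2) on Linux: -1 leaves a component unchanged; an unprivileged
   caller may only pick values already present in the triple. */
static int model_setresuid(struct uids *p, int r, int e, int s)
{
    int want[3] = { r, e, s };
    uid_t *slot[3] = { &p->real, &p->eff, &p->saved };
    for (int i = 0; i < 3; i++) {
        uid_t u = (uid_t) want[i];
        if (want[i] != -1 && p->eff != 0
            && u != p->real && u != p->eff && u != p->saved)
            return -1;                           /* EPERM */
    }
    for (int i = 0; i < 3; i++)
        if (want[i] != -1) *slot[i] = (uid_t) want[i];
    return 0;
}

/* nscd-style sequence: start as root, drop to the server user, then try to
   regain root for the paranoia-mode re-exec.  Returns 1 if root is regained,
   0 if the earlier drop made that impossible (server_uid is constructed). */
static int paranoia_restart_works(uid_t server_uid, int keep_saved_uid)
{
    struct uids p = { 0, 0, 0 };
    uid_t old_uid = p.real;
    int rc = keep_saved_uid
        ? model_setresuid(&p, (int) server_uid, (int) server_uid, (int) old_uid)
        : model_setuid(&p, server_uid);
    if (rc != 0) return 0;
    /* restart(): get the original uid back before execv()ing ourselves */
    return model_setuid(&p, old_uid) == 0 && p.eff == old_uid;
}

int main(void)
{
    printf("setuid() drop:    %s\n", paranoia_restart_works(28, 0) ? "root regained" : "EPERM");
    printf("setresuid() drop: %s\n", paranoia_restart_works(28, 1) ? "root regained" : "EPERM");
    return 0;
}
```

Keeping root in the saved slot is exactly what makes the re-exec possible, so it should be done only when paranoia mode is enabled; otherwise the irreversible setuid() drop is the safer default.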