Bug 217640

Summary: nscd cannot access avahi socket
Product: [Fedora] Fedora
Reporter: Ulrich Drepper <drepper>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: dwalsh
Hardware: All
OS: Linux
Fixed In Version: 2.4.6-4
Doc Type: Bug Fix
Last Closed: 2007-02-13 20:29:26 UTC

Description Ulrich Drepper 2006-11-29 03:32:26 UTC
Description of problem:
When the avahi nss module (not part of core) is used, nscd must access

  /var/run/avahi-daemon/socket

which has the context

  root:object_r:avahi_var_run_t

This socket is created by avahi-dnsconfd which *IS* part of core.  So, please
allow access.  This extension probably has to be added to the same place which
allows access to NIS sockets since all programs with their own domain need this
permission, too.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-3.fc6

How reproducible:
always

Steps to Reproduce:
1. install nss-mdns (from arprms)
2. add mdns to the hosts entry in /etc/nsswitch.conf
3. restart nscd
4. clean nscd cache (/usr/sbin/nscd -i hosts)
5. ping somelocalhost.local
  
Actual results:
failed to lookup

Expected results:
resolving succeeds

Additional info:

Comment 1 Daniel Walsh 2006-11-29 17:36:33 UTC
Added to auth_use_nsswitch(), which most domains use.

Fixed in selinux-policy-2.4.6-1


Comment 2 Ulrich Drepper 2006-11-30 21:15:52 UTC
Some more changes are needed.  The code also needs

  allow nscd_t avahi_var_run_t:dir search;

(well, the generic non-nscd specific form).

Comment 3 Daniel Walsh 2006-11-30 21:55:57 UTC
That is in the 2.4.6-1 policy.

Comment 4 Ulrich Drepper 2006-11-30 22:13:21 UTC
I have the 2.4.6-1 policy installed, even relabeled everything, and still get
this message from nscd.  Are you sure you added search permission to the
directory and not only access to the socket?

Comment 5 Ulrich Drepper 2006-11-30 22:56:13 UTC
I looked at the 2.4.6-1.fc6 sources and the changes are there.  But despite
having the policy loaded and rebooting and relabeling I continue to get the message.

Is for some reason the avahi part not included in your policy?  I don't know
exactly how the 'optional_policy' macro works.

Comment 6 Daniel Walsh 2006-12-01 16:22:18 UTC
Fixed in selinux-policy-2.4.6-4

Comment 7 Ulrich Drepper 2007-02-13 20:29:26 UTC
Seems to be fixed.
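
The permission set discussed in this report, written in the generic (non-nscd-specific) form Comment 2 asks for and wrapped in the optional_policy macro Comment 5 asks about. This is an added example, not the Fedora policy's own code: the interface name is hypothetical, and avahi_t as the label of the process listening on the socket is an assumption; the avahi_var_run_t type and nscd_t domain are taken from the report.

```m4
# Hypothetical interface (would live in an .if file); the name is illustrative only.
interface(`example_avahi_socket_connect',`
	gen_require(`
		type avahi_t, avahi_var_run_t;
	')

	# Traverse /var/run/avahi-daemon/ to reach the socket file.
	# This is the directory search permission raised in Comment 2.
	allow $1 avahi_var_run_t:dir search;

	# Write to the socket file itself.
	allow $1 avahi_var_run_t:sock_file write;

	# Connect to the process listening on the socket
	# (assumed here to run in the avahi_t domain).
	allow $1 avahi_t:unix_stream_socket connectto;
')

# Caller side (an .te file), shown for nscd_t. The rules inside
# optional_policy() are only included when the avahi types they
# require exist in the policy being built or linked, so a system
# without the avahi module still gets a valid policy.
optional_policy(`
	example_avahi_socket_connect(nscd_t)
')
```

A missing rule from any of the three object classes (dir, sock_file, unix_stream_socket) produces its own AVC denial, so granting access to the socket alone still leaves the lookup failing at the directory search.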