Bug 375381
Summary: | Strange AVCs related to nscd from various services | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kostas Georgiou <k.georgiou> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | drepper, eparis, sdsmall |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | selinux-policy-3.0.8-58.fc8.noarch | Doc Type: | Bug Fix |
Last Closed: | 2008-01-08 15:58:06 UTC | Type: | --- |
Description
Kostas Georgiou
2007-11-11 02:59:52 UTC
Have you updated the policy? This looks like you have a policy mismatch?

`rpm -q selinux-policy kernel`

Everything is at the latest versions, all three machines are running with the xen kernel though (both dom0 and domU show the denials btw).

```
$ rpm -q kernel-xen selinux-policy
kernel-xen-2.6.21-2950.fc8.x86_64
selinux-policy-3.0.8-47.fc8.noarch
```

Are you continuing to see the messages or was it just during upgrade? If it was just during upgrade, it could have been nscd being updated before selinux policy so nscd started generating the messages before selinux-policy has been installed to define them.

I think if you `yum upgrade selinux-policy` followed by `yum upgrade` you would not see this.

I see the errors after the update, I didn't check for errors during the update. Is there any way to find out what 0x100 and 0x200 mean? As it is I can not even guess what might be the cause.

note to self: tclass=nscd ???

I would guess these are getserv and shmemserv

Bug in libselinux: lacks updated string table definitions for new nscd permissions.

nscd though would benefit by migrating over to the new interfaces for dynamic discovery of class and permission values.

(In reply to comment #7)
> nscd though would benefit by migrating over to the new interfaces for dynamic
> discovery of class and permission values.

Reference?

http://marc.info/?l=selinux&m=118115491908422&w=2
http://marc.info/?l=selinux&m=118114723416269&w=2

Worked example in the X server:
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=blob;h=cefde9d37adbc40882107b20663c591d5803b12d;hb=XACE-SELINUX;f=Xext/xselinux.c
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=blob;h=ea8d9e44020032f694c68c594ab748637fd07d1f;hb=XACE-SELINUX;f=Xext/xselinux.h

Feel free to send a note to selinux list or to Eamon Walsh <ewalsh.gov> about the specifics. Man pages are still to come, sadly.

Do you want me to open a separate bug for the services that are prevented from using nscd? With a quick look I see denials from cupsd_t, cyrus_t, gssd_t, httpd_t, mysqld_t, nfsd_t, ntpd_t, saslauthd_t, sendmail_t, exim_t, squid_t, system_mail_t. Not all of them need to be able to access nscd I guess but then they should be in don't audit right?

No but I would like to know why you are the only one reporting this bugzilla. I have not seen this from any other Fedora 8 users. It is almost like you have nscd set up differently.

I suspect that I am one of the very few people that enable nscd (it's not enabled by default). I also thought that might have to do something with my config. I've noticed the denials on machines that were updated from f7 but a clean install on a laptop gives me the same errors (after I enabled nscd of course).

selinux-policy-3.0.8-58.fc8.noarch
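
The question in the thread about what 0x100 and 0x200 mean can be answered by decoding the mask against the class's permission table, as in this added example, which is not part of the original bug report or of libselinux. It assumes the selinuxfs layout `class/<tclass>/perms/<perm>`, where each file holds a 1-based index; `SAMPLE_NSCD_PERMS` is a constructed table in the reference policy's declaration order, used when no SELinux kernel is available.

```python
import os

# Constructed sample (assumption): nscd permissions in the order the reference
# policy declares them. The policy loaded in the kernel is authoritative.
SAMPLE_NSCD_PERMS = ["getpwd", "getgrp", "gethost", "getstat", "admin",
                     "shmempwd", "shmemgrp", "shmemhost", "getserv", "shmemserv"]

def perms_from_list(names):
    """Map permission name -> 1-based index, the form selinuxfs reports."""
    return {name: idx for idx, name in enumerate(names, start=1)}

def perms_from_selinuxfs(tclass, root="/sys/fs/selinux"):
    """Read the permission table of `tclass` from the loaded policy.
    (Older systems mount selinuxfs at /selinux; pass root= accordingly.)"""
    perm_dir = os.path.join(root, "class", tclass, "perms")
    table = {}
    for name in sorted(os.listdir(perm_dir)):
        with open(os.path.join(perm_dir, name)) as fh:
            table[name] = int(fh.read().strip())
    return table

def decode_av(mask, table):
    """Return the permission names set in an access-vector bitmask.
    Bits the table cannot name come back as hex, which is what a stale
    userspace string table produces in an AVC message."""
    by_bit = {1 << (idx - 1): name for name, idx in table.items()}
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(by_bit.get(bit, hex(bit)))
        bit <<= 1
    return names

if __name__ == "__main__":
    try:
        table = perms_from_selinuxfs("nscd")
    except OSError:
        table = perms_from_list(SAMPLE_NSCD_PERMS)   # offline fallback
    stale = perms_from_list(SAMPLE_NSCD_PERMS[:8])   # constructed outdated table
    for mask in (0x100, 0x200):
        print(hex(mask), "current:", decode_av(mask, table),
              "stale:", decode_av(mask, stale))
```

Reading the table from selinuxfs at run time is the dynamic-discovery approach the thread recommends: names come from the loaded policy, so they cannot lag behind it the way a compiled-in string table can.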