Bug 503595

Summary: selinux denies read access to nsswitch.conf for ypbind
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Moyer <jmoyer>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.4
CC: ikent
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-02 12:32:01 UTC

Comment 1 Daniel Walsh 2009-06-02 12:32:01 UTC
nsswitch.conf is mislabeled.  Run restorecon on it to fix its context.  

If this file is created in an init script the initscript needs to make sure the file is labeled correctly just like it would need to make sure it has the right ownership and permissions.


So if this is a test it is a test bug, if it is a shipping initscript then the initscript needs to be fixed.

But this is not an SELinux bug.

Comment 2 Daniel Walsh 2009-06-02 12:32:40 UTC
*** Bug 503596 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Moyer 2009-06-02 13:39:56 UTC
I don't doubt that you are right, but I do have one further question.  The script does the following:

cp -f /etc/nsswitch.conf /etc/nsswitch.conf.orig
cp -f /testdir/nsswitch.conf /etc/nsswitch.conf

Can you just confirm that this sequence of commands is supposed to change the label of /etc/nsswitch.conf?

Thanks, Dan!

Comment 4 Daniel Walsh 2009-06-02 20:55:03 UTC
If /etc/nsswitch.conf exists it should stay the same label as it was originally labeled.

So if it is labeled etc_t at the beginning, it should stay etc_t.
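
Added example (not part of the bug thread or of any shipped script): a shell helper for a test or init script that overwrites a file such as /etc/nsswitch.conf, resets its label with restorecon as comment 1 advises, and checks the result against the policy default. The function names are hypothetical; it assumes the selinuxenabled, restorecon and matchpathcon utilities and GNU stat, and skips the label steps where SELinux is not enabled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the bug's test script.

# Print the type field of a context string "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when two context strings carry the same type.
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Back up dst, copy src over it, then reset and verify dst's label.
# Returns 0 on success, 1 on copy/relabel failure, 2 on a label mismatch.
replace_labeled() {
    src=$1
    dst=$2
    if [ -e "$dst" ]; then
        cp -f "$dst" "$dst.orig" || return 1
    fi
    cp -f "$src" "$dst" || return 1

    # Label handling only applies on an SELinux-enabled host.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$dst" || return 1
        if [ -e "$dst.orig" ]; then
            restorecon "$dst.orig" || return 1
        fi
        actual=$(stat -c %C "$dst")          # context currently on disk
        expected=$(matchpathcon -n "$dst")   # context the policy assigns to this path
        # "<<none>>" means the policy defines no default for the path.
        if [ "$expected" = "<<none>>" ]; then
            return 0
        fi
        if ! same_type "$actual" "$expected"; then
            echo "label mismatch on $dst: $actual (policy default: $expected)" >&2
            return 2
        fi
    fi
    return 0
}

# Usage from a test script (paths as in comment 3):
#   replace_labeled /testdir/nsswitch.conf /etc/nsswitch.conf
```
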