Description of problem:
When the bundled makedb tool is used to create DB files in /var/db (either directly, or more likely through the Makefile), the created files all have the default context. In all likelihood, the shadow.db file should be in the same domain as /etc/shadow, from which it's built.

Version-Release number of selected component (if applicable):
nss_db-2.2-28

How reproducible:
Always

Steps to Reproduce:
1. rm -f /var/db/*.db
2. make -C /var/db
3. ls -lZ /var/db

Actual results:
shadow.db is in the var_t domain

Expected results:
shadow.db should be in the shadow_t domain or an equivalent

Additional info:
This assumes that the SELinux policy defines a specific context for this file, which may not (yet) be the case.
I suggest these additions to the targeted policy's types.fc file:

/var/db/.*\.db system_u:object_r:etc_t
/var/db/shadow.db system_u:object_r:shadow_t
Ugh, that second line should be /var/db/shadow\.db system_u:object_r:shadow_t
In 2.2-29 and later, makedb will modify its file creation context before opening databases, so that new database files will be created with a context which has been specified by the policy.
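As an added check, not code from this bug thread or from nss_db: the Python below resolves the two suggested file_contexts entries the way libselinux does (whole-path regexes, last matching entry wins) against constructed `ls -lZ /var/db` output mirroring the reproduction steps, and lists every database whose type disagrees with policy. It assumes the pre-MLS context format used in the report (no `:s0` suffix) and compares only the type field.

```python
import re

# Constructed file_contexts entries: the two suggested in the thread, shadow.db pattern escaped.
FILE_CONTEXTS = r"""
/var/db/.*\.db system_u:object_r:etc_t
/var/db/shadow\.db system_u:object_r:shadow_t
"""
# Constructed `ls -lZ /var/db` output (pre-MLS format of that era): every .db file is var_t.
LS_LZ = """\
-rw-r--r--  root root system_u:object_r:var_t    group.db
-rw-r--r--  root root system_u:object_r:var_t    passwd.db
-rw-r-----  root root system_u:object_r:var_t    shadow.db
-rw-r--r--  root root system_u:object_r:var_t    Makefile
"""

def parse_file_contexts(text):
    """Return [(anchored regex, type)] in file order; the context is always the last field."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        specs.append((re.compile("^" + parts[0] + "$"), parts[-1].split(":")[2]))
    return specs

def expected_type(specs, path):
    """The last matching file_contexts entry wins, which is how libselinux resolves a path."""
    for rx, selinux_type in reversed(specs):
        if rx.match(path):
            return selinux_type
    return None  # no entry applies; the file keeps whatever context it was created with

def parse_ls_lz(text, directory):
    """Yield (path, type) from `ls -lZ` lines; the context is the field containing object_r."""
    for line in text.splitlines():
        parts = line.split()
        ctx = next((p for p in parts if ":object_r:" in p), None)
        if ctx is not None and len(parts) >= 5:
            yield f"{directory}/{parts[-1]}", ctx.split(":")[2]

def find_mislabeled(fc_text, ls_text, directory):
    """Return [(path, actual_type, policy_type)] for files whose label disagrees with policy."""
    specs = parse_file_contexts(fc_text)
    report = []
    for path, actual in parse_ls_lz(ls_text, directory):
        policy_type = expected_type(specs, path)
        if policy_type is not None and policy_type != actual:
            report.append((path, actual, policy_type))
    return report
```

On the constructed listing this reports group.db and passwd.db as var_t where policy says etc_t, and shadow.db as var_t where policy says shadow_t; the Makefile matches no entry and is left alone. It also shows why the follow-up escapes the dot: the unescaped `/var/db/shadow.db` pattern matches any single character there, for instance `/var/db/shadowXdb`, while `/var/db/shadow\.db` matches only the real file.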