From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
selinux won't allow nscd to read certificates in /usr/share/ssl/ because it isn't in /etc/selinux/targeted/contexts/files/file_contexts

This allowed nscd to work for me:

$ diff /etc/selinux/targeted/contexts/files/file_contexts /etc/selinux/targeted/contexts/files/file_contexts.dist
686d685
< /usr/share/ssl/.+ -- system_u:object_r:nscd_var_run_t

If you don't have that entry in file_contexts, you get a bunch of junk like this logged if you're using ldap and you require CA certificates:

Jan 4 19:56:56 box kernel: audit(1104890216.654:0): avc: denied { read } for pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2 ino=49153 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.51

How reproducible:
Always

Steps to Reproduce:
1. Do something that requires ldap like 'getent passwd'
2. Look at your screen
3.

Actual Results: No response

Expected Results: My passwd file from ldap

Additional info:
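Review bot: line 686 of the local file_contexts labels every regular file under /usr/share/ssl/ as nscd_var_run_t, a type named for nscd's own runtime files, so certificates that other programs also read would be typed as nscd-private data. The logged denial is nscd_t reading a usr_t file; a narrower change is to keep the certificates under a type that is not tied to one daemon and grant nscd_t read access to it in policy, and to scope the pattern to the certificate files nscd needs rather than ".+".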
The diff I mentioned does nothing. I must have had nscd disabled. A coworker filed a duplicate bug here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144731 .
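Added example, not part of the original report or of any SELinux tool: a Python sketch that parses the denial quoted in the report and checks whether the type logged for the target file is the one the file_contexts entry from the diff would assign. The full path /usr/share/ssl/cert.pem is an assumption (the denial records only name=cert.pem), and the function names are hypothetical.

```python
import re

# Constructed inputs: the denial and the entry are copied from the report above.
AVC = ("Jan 4 19:56:56 box kernel: audit(1104890216.654:0): avc: denied { read } "
       "for pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2 ino=49153 "
       "scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file")
FC_ENTRY = "/usr/share/ssl/.+ -- system_u:object_r:nscd_var_run_t"
ASSUMED_PATH = "/usr/share/ssl/cert.pem"  # assumption: the denial logs only the name

# Optional second column of a file_contexts line restricts the object class.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
                   "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}

def parse_avc(line):
    """Return the key=value fields of an 'avc: denied' line, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        # user:role:type -> keep the type, which is what the policy decides on
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields

def parse_fc_entry(entry):
    """Split 'regex [flag] context' into regex, object class and type."""
    parts = entry.split()
    tclass = FILE_TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
    return {"regex": parts[0], "tclass": tclass, "type": parts[-1].split(":")[2]}

def label_matches_policy(avc, fc, path):
    """None if the entry does not cover the file, else whether the logged
    target type equals the type the entry would assign on relabel."""
    covers = re.fullmatch(fc["regex"], path) is not None  # patterns are anchored
    if not covers or fc["tclass"] not in (None, avc["tclass"]):
        return None
    return avc["tcontext_type"] == fc["type"]

if __name__ == "__main__":
    avc, fc = parse_avc(AVC), parse_fc_entry(FC_ENTRY)
    print(avc["scontext_type"], avc["perms"], avc["tcontext_type"], avc["tclass"])
    print("label matches entry:", label_matches_policy(avc, fc, ASSUMED_PATH))
```

For the report's data the result is False: the entry covers the file, but the denial still shows usr_t, so the type named in file_contexts was not on the file when nscd was denied.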
*** This bug has been marked as a duplicate of 144731 ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-251.html