From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Description of problem:
If logging of nscd is enabled, SELinux prohibits

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. enable logging of nscd (by editing /etc/nscd.conf)
2. service nscd restart
3. SELinux deny messages in kernel log

Actual Results:
Won't start anymore, kernel log:

Mar 23 11:24:41 host audit(1111573481.690:0): avc: denied { search } for pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:26:34 host audit(1111573594.476:0): avc: denied { write } for pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:28:06 host audit(1111573686.537:0): avc: denied { add_name } for pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:29:39 host audit(1111573779.211:0): avc: denied { create } for pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.665:0): avc: denied { append } for pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.663:0): avc: denied { getattr } for pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file

Expected Results:
Starting

Additional info:
The following SELinux extension was successfully tested (rules added step by step):

## nscd logging
allow nscd_t var_log_t:dir search;
allow nscd_t var_log_t:dir write;
allow nscd_t var_log_t:dir add_name;
allow nscd_t var_log_t:file create;
allow nscd_t var_log_t:file append;
allow nscd_t var_log_t:file getattr;
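The reporter derived the six allow rules above by hand, one denial at a time. The script below is an added example (not from the bug report, the reporter, or the RHEL policy package): a minimal stand-in for what audit2allow does, parsing AVC records, merging the denied permissions per (source type, target type, object class), and also listing which objects each resulting rule would cover. The function names and SAMPLE_LOG are this example's own; the sample is built from the six AVC lines quoted in the report plus one constructed non-AVC syslog line.

```python
"""Aggregate SELinux AVC denials into TE allow rules (added example, not audit2allow itself)."""
import re
from collections import defaultdict

# Constructed sample: the six AVC records quoted in the report above, plus one
# non-AVC syslog line (made up here) to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Mar 23 11:24:40 host nscd: (constructed noise line, not an AVC record)
Mar 23 11:24:41 host audit(1111573481.690:0): avc: denied { search } for pid=9334 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:26:34 host audit(1111573594.476:0): avc: denied { write } for pid=9419 exe=/usr/sbin/nscd name=/ dev=md2 ino=2 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:28:06 host audit(1111573686.537:0): avc: denied { add_name } for pid=9495 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 11:29:39 host audit(1111573779.211:0): avc: denied { create } for pid=9579 exe=/usr/sbin/nscd name=nscd.log scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.665:0): avc: denied { append } for pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
Mar 23 11:30:39 host audit(1111573839.663:0): avc: denied { getattr } for pid=9692 exe=/usr/sbin/nscd path=/var/log/nscd.log dev=md2 ino=35 scontext=root:system_r:nscd_t tcontext=root:object_r:var_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return {'perms', 'stype', 'ttype', 'tclass', 'obj'} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type[:level]; the type is always the third component.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        # The object named in the record: the full path when the kernel had one, else the dentry name.
        "obj": fields.get("path") or fields.get("name"),
    }


def aggregate(log_text):
    """Group denied permissions and the objects touched by (source type, target type, class)."""
    perms = defaultdict(set)
    objects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms[key] |= rec["perms"]
        if rec["obj"]:
            objects[key].add(rec["obj"])
    return dict(perms), dict(objects)


def format_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule; a single permission needs no braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def allow_rules(log_text):
    """One allow rule per (source, target, class), permissions merged and sorted."""
    perms, _ = aggregate(log_text)
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(perms.items())]


def objects_touched(log_text):
    """Which objects each rule would cover; a generic target type such as var_log_t deserves a look."""
    _, objects = aggregate(log_text)
    return {key: sorted(objs) for key, objs in objects.items()}


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for key, objs in sorted(objects_touched(SAMPLE_LOG).items()):
        print("# %s %s:%s touched %s" % (key + (", ".join(objs),)))
```

Run against the sample, it collapses the six single-permission rules into two: one for the dir class (add_name, search, write) and one for the file class (append, create, getattr). Note what the objects list shows: both rules target var_log_t, the generic label of everything under /var/log, so they let nscd_t create and append to any file there, not only nscd.log. That is the reason a later comment in this report moves to giving nscd its own log type via log_domain(nscd) instead of widening access to var_log_t.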
Please update to the U1 policy. Currently available on ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, policycoreutils} Does that solve your problem? Dan
No, I didn't believe it would after reading the change log. The extensions shown above are still needed (rules re-added step by step).
Forgot the following note: I updated the policy and relabelled the system before retrying and re-adding.
I didn't know nscd could log. I will add log_domain(nscd) to policy. Dan
Logging is not enabled by default, but it is easy to switch on (mostly when debugging problems):
--- etc/nscd.conf 9 Mar 2005 16:53:04 -0000 1.1 +++ etc/nscd.conf 23 Mar 2005 15:56:43 -0000 @@ -28,12 +28,12 @@ # -# logfile /var/log/nscd.log + logfile /var/log/nscd.log # threads 6 # max-threads 128 server-user nscd # stat-user nocpulse - debug-level 0 + debug-level 1 # reload-count 5 paranoia no # restart-interval 3600
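Review bot: the hunk bundles two independent changes and only the first one is what the report is about. Uncommenting `logfile /var/log/nscd.log` is what makes nscd create and append to a file under /var/log (every create, append and getattr denial above is on that path, against the generic var_log_t label), while `debug-level 0` to `debug-level 1` only raises verbosity and belongs in a separate, clearly temporary change that is reverted once debugging is done. Minor: the `+ logfile` line keeps the leading whitespace left over from the commented-out original; nscd's config parser skips leading whitespace, so it is harmless, but trimming it keeps the directive aligned with the other active lines.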
Could you try out selinux-policy-targeted-1.17.30-2.93 on ftp://people.redhat.com/dwalsh/SELinux/FC3 ? If this works for you I will roll it into the U2 release for RHEL4.
Ok, installed on RHEL4, previous log file removed, logging enabled, nscd restart, log file was created. So the issue is solved now.