Bug 160232 - nscd behaving very oddly under targeted 1.17.30-3.2
nscd behaving very oddly under targeted 1.17.30-3.2
Status: CLOSED DUPLICATE of bug 160038
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-13 14:26 EDT by Jason Tibbitts
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-13 17:49:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jason Tibbitts 2005-06-13 14:26:47 EDT
I've noticed some very odd behavior of nscd which started happeneing recently:

kscd -K run as root won't shut down the running nscd; the following is logged:

audit(1118686058.107:0): avc:  denied  { connectto } for  pid=25133
exe=/usr/sbin/nscd path=/var/run/nscd/socket scontext=root:system_r:nscd_t
tcontext=user_u:system_r:nscd_t tclass=unix_stream_socket

The same goes for nscd -i and -g; they can't access the control socket.  The
context seems correct:
srw-rw-rw-  root     root     user_u:object_r:nscd_var_run_t   socket


More damaging, though: nscd can't see anything in an ldap directory because it
can't read /usr/share/ssl/cacert.pem:

audit(1118685536.864:0): avc:  denied  { read } for  pid=6903 exe=/usr/sbin/nscd
name=cacert.pem dev=dm-3 ino=278529 scontext=user_u:system_r:nscd_t
tcontext=user_u:object_r:usr_t tclass=file

This, of course, breaks absolutely everything because all of our users have
ceased to exist.  Stopping nscd works, but since "service nscd stop" breaks due
to "nscd -K" not working, you have to kill it.

nscd will still serve information from its cache.

Note that there doesn't seem to be an nscd Bugzilla component.
Comment 1 Jason Tibbitts 2005-06-13 15:28:47 EDT
FYI, I rolled back to selinux-policy-targeted-1.17.30-2.96 and while there were
errors about unknown booleans things seem to work much better now.
Comment 2 Weiqi Gao 2005-06-13 16:25:48 EDT
I had problem with Subversion too.  (The httpd user cannot write to the
Subversion database files.)
Comment 3 Michael Young 2005-06-13 16:42:56 EDT
nscd is part of the glibc group of packages. But this bug is a duplicate of bug
160038 .
Comment 4 Jason Tibbitts 2005-06-13 17:49:33 EDT
Indeed it is a duplicate.  I did a search for "selinux nscd" earlier but got
zarro boogs; perhaps I made a typo.

nscd used to have its own component, and indeed it shows up in the full list. 
But  it is not shown as a component under FC3.

In any case, resolving as a duplicate.

*** This bug has been marked as a duplicate of 160038 ***

Note You need to log in before you can comment on or make changes to this bug.