From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When I run vpnc and get a new DNS server and try to re-initialize nscd (clear the hosts table), I get selinux failures:

Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc: denied { read write } for pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc: denied { read write } for pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file

This happens every time I run vpnc to connect to my VPN.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. run vpnc and connect to my VPN
2. check the logs.
3.

Actual Results: nscd threw the selinux errors and nameservice wasn't flushed or failed.

Expected Results: nscd should be allowed to talk over the tunnel device.

Additional info:
Which version of vpnc are you using? Is nscd's init script being called with "restart" or "reload"? If it's "restart", is vpnc passing these descriptors to the init script?
vpnc-0.3.2-3

As far as I can tell the vpnc code (vpnc-connect) is not calling the nscd init script, but just calling "nscd -i hosts" directly. According to the manpage that is supposed to invalidate the hosts cache. I did (once, not sure how to repeat it) get nscd into a state where I couldn't reload from the initscript because of selinux failures. But I haven't been able to reproduce that one so I didn't really want to talk about it.
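The descriptor inheritance the previous comment asks about is what the two AVC lines show: nscd (nscd_t) holds a UDP socket and /dev/net/tun that it never opened itself, because they were left open across vpnc's exec of "nscd -i hosts". The following is an added example, not code from vpnc or nscd, that reproduces the mechanism and the usual fix with a Unix datagram socketpair standing in for vpnc's UDP socket (constructed here so it runs without network access or CAP_NET_ADMIN). The helper names fd_survives_exec, set_cloexec, leaky_case and fixed_case are this example's own; the exec'd child is /bin/sh running ": >&N", whose redirection succeeds only if descriptor N is still open after exec.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork, exec /bin/sh, and have it try to duplicate descriptor `fd` onto its
 * stdout (": >&N").  That redirection succeeds only if the descriptor is
 * still open in the exec'd process.  Returns 1 if the child could see the
 * descriptor, 0 if it could not, -1 on a fork/wait failure.
 */
static int fd_survives_exec(int fd)
{
    char cmd[32];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Silence the shell's "Bad file descriptor" message in the closed case. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Mark fd close-on-exec, the fix for an unintended leak into a child. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/*
 * One experiment: open a datagram socket (constructed stand-in for the VPN
 * client's UDP socket), optionally mark it FD_CLOEXEC, then exec a child
 * and report whether the child inherited it.
 */
static int run_case(int cloexec)
{
    int sv[2], result;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (cloexec && set_cloexec(sv[0]) < 0)
        return -1;
    result = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return result;
}

/* Plain open(): the descriptor leaks into the exec'd child (returns 1). */
int leaky_case(void) { return run_case(0); }

/* Same socket with FD_CLOEXEC: the child does not see it (returns 0). */
int fixed_case(void) { return run_case(1); }

int main(void)
{
    printf("plain socket visible after exec:      %d\n", leaky_case());
    printf("FD_CLOEXEC socket visible after exec: %d\n", fixed_case());
    return 0;
}
```

Under a confining policy the leaked descriptor is exactly what produces the denials in the report: the socket and the tun device carry the parent's labels (unconfined_t, tun_tap_device_t) into the nscd_t domain, and nscd is denied the read/write it never asked for. Opening such descriptors with O_CLOEXEC (or closing them between fork and exec) keeps them out of the child; relaxing the policy, as the next comment does, is the other way to make the noise go away.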
Fixed in selinux-policy-targeted-1.25.1-7
Thank you, Daniel. Any chance the fix can be backported to FC3?