Bug 161937 - vpnc network causes nscd failure with selinux
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-06-28 11:57 EDT by Derek Atkins
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 11:58:00 EDT

Description Derek Atkins 2005-06-28 11:57:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When I run vpnc and get a new DNS server and try to re-initialize nscd (clear the hosts table), I get selinux failures:

Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file

This happens every time I run vpnc to connect to my VPN.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run vpnc and connect to my VPN
2. check the logs.

Actual Results:  nscd threw the selinux errors and nameservice wasn't flushed or failed.

Expected Results:  nscd should be allowed to talk over the tunnel device.

Additional info:
Comment 1 Nalin Dahyabhai 2005-07-05 10:51:06 EDT
Which version of vpnc are you using?  Is nscd's init script being called with
"restart" or "reload"?  If it's "restart", is vpnc passing these descriptors to
the init script?
Comment 2 Derek Atkins 2005-07-05 10:59:53 EDT

As far as I can tell the vpnc code (vpnc-connect) is not calling the nscd init
script, but just calling "nscd -i hosts" directly.  According to the manpage
that is supposed to invalidate the hosts cache.

I did (once, not sure how to repeat it) get nscd into a state where I couldn't
reload from the initscript because of selinux failures.   But I haven't been
able to reproduce that one so I didn't really want to talk about it.
Comment 3 Daniel Walsh 2005-07-11 13:31:21 EDT
Fixed in selinux-policy-targeted-1.25.1-7
Comment 4 Derek Atkins 2005-07-11 18:39:38 EDT
Thank you, Daniel.  Any chance the fix can be backported to FC3?
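
The question raised in Comment 1, whether vpnc is passing its open descriptors to nscd, can be checked from the denials themselves. The following is an added example, not part of the original bug report or of any project's code: it parses the two AVC lines quoted in the description and flags objects the denied process is unlikely to have opened itself. The function names and the heuristic in `looks_inherited` are assumptions of this example.

```python
import re

# The two denials quoted in the bug description, copied from the report.
AVC_LINES = [
    "Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket",
    "Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the key=value fields of one AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def looks_inherited(rec):
    """Heuristic (an assumption of this example, not a policy rule).

    A socket carries the label of the process that created it, so a socket
    typed with another domain was opened elsewhere and handed to this process.
    The tun device is treated the same way: it belongs to the VPN client.
    """
    foreign_socket = rec["tclass"].endswith("_socket") and rec["ttype"] != rec["stype"]
    tun_device = rec["ttype"] == "tun_tap_device_t"
    return foreign_socket or tun_device

def summarize(lines):
    """One tuple per denial: (source type, target type, class, perms, inherited?)."""
    rows = []
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rows.append((rec["stype"], rec["ttype"], rec["tclass"],
                         tuple(rec["perms"]), looks_inherited(rec)))
    return rows

if __name__ == "__main__":
    for row in summarize(AVC_LINES):
        print(row)
```

Both denials from the report come out flagged, which matches the reading in Comment 1 that nscd was started with vpnc's socket and tun descriptors still open.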
