Bug 161937 - vpnc network causes nscd failure with selinux
Summary: vpnc network causes nscd failure with selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-28 15:57 UTC by Derek Atkins
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:58:00 UTC
Type: ---
Embargoed:



Description Derek Atkins 2005-06-28 15:57:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When I run vpnc and get a new DNS server and try to re-initialize nscd (clear the hosts table), I get selinux failures:

Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file

This happens every time I run vpnc to connect to my VPN.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. run vpnc and connect to my VPN
2. check the logs.

Actual Results:  nscd threw the selinux errors and nameservice wasn't flushed or failed.

Expected Results:  nscd should be allowed to talk over the tunnel device.

Additional info:
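The two AVC lines in the description carry the whole diagnosis if you read their fields: the source domain is nscd_t (exe=/usr/sbin/nscd), but the objects it is denied on are a udp_socket labelled root:system_r:unconfined_t and the chr_file /dev/net/tun. A socket carries the context of the process that created it, so a tcontext whose role is system_r rather than object_r tells you nscd is operating on a descriptor some other domain created, i.e. one it inherited across fork/exec from whatever ran "nscd -i hosts". Below is an added example (not code from the bug report, vpnc, or selinux-policy-targeted) that parses denial lines in this format, flags that inherited-descriptor pattern, and emits the audit2allow-style policy module a practitioner would get by mechanically allowing what was denied. The module name nscd_vpnc_local is an assumption; the sample input is the two lines quoted above, re-quoted here rather than captured fresh. Whether the policy fix shipped in selinux-policy-targeted-1.25.1-7 is these exact rules is not stated on this page.

```python
"""Parse kernel-logged SELinux AVC denials, triage them, and build an
audit2allow-style .te module. Added example; not from the bug report,
vpnc, or the selinux-policy-targeted package."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input: the two denial lines quoted in the bug description above.
SAMPLE_LOG = """\
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=socket:[29576] dev=sockfs ino=29576 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=udp_socket
Jun 24 13:22:28 cliodev kernel: audit(1119633748.940:0): avc:  denied  { read write } for  pid=6442 exe=/usr/sbin/nscd path=/dev/net/tun dev=tmpfs ino=1991 scontext=root:system_r:nscd_t tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
"""

# audit(<seconds>.<ms>:<serial>): avc:  denied  { perms } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+(?P<verdict>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    ts: str
    serial: int
    verdict: str
    perms: tuple[str, ...]
    attrs: dict[str, str] = field(default_factory=dict)

    # context is user:role:type[:range]; index 2 is the type
    @property
    def stype(self) -> str:
        return self.attrs["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        return self.attrs["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.attrs["tclass"]


def parse_avc(line: str) -> Avc | None:
    """Return the parsed denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(ts=m["ts"], serial=int(m["serial"]), verdict=m["verdict"],
               perms=tuple(m["perms"].split()),
               attrs=dict(FIELD_RE.findall(m["rest"])))


def parse_log(text: str) -> list[Avc]:
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]


def classify(a: Avc) -> str:
    """Sockets and pipes are labelled with the creating process's context, so
    a tcontext role other than object_r means the denied domain is using an
    object another domain created: a descriptor inherited or passed to it."""
    trole = a.attrs["tcontext"].split(":")[1]
    return "inherited-descriptor" if trole != "object_r" else "file-object"


def allow_rule(a: Avc) -> str:
    return f"allow {a.stype} {a.ttype}:{a.tclass} {{ {' '.join(a.perms)} }};"


def policy_module(avcs: list[Avc], name: str = "nscd_vpnc_local",
                  version: str = "1.0") -> str:
    """Build a .te source the way audit2allow -M would: one require block
    listing every type and class/permission touched, then the allow rules."""
    types: dict[str, None] = {}          # insertion-ordered set
    classes: dict[str, set[str]] = {}
    rules: dict[str, None] = {}
    for a in avcs:
        if a.verdict != "denied":
            continue
        types.setdefault(a.stype)
        types.setdefault(a.ttype)
        classes.setdefault(a.tclass, set()).update(a.perms)
        rules.setdefault(allow_rule(a))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    out += ["}", ""] + list(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_log(SAMPLE_LOG)
    for d in denials:
        print(f"{d.attrs['exe']} pid={d.attrs['pid']} {classify(d):22} {allow_rule(d)}")
    print()
    print(policy_module(denials))
```

The triage column is the part worth reading before the module is loaded: an "inherited-descriptor" denial is usually better fixed in the caller (close or mark close-on-exec the descriptors it does not mean to hand to the child) than by widening the callee's domain, because the allow rule for it grants nscd_t read/write on every unconfined_t UDP socket, not just the one it happened to inherit. The /dev/net/tun line classifies as a plain file object from its fields alone, but a DNS cache daemon has no reason to open a tun device itself, which is the same inherited-descriptor story viewed from the other denial.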

Comment 1 Nalin Dahyabhai 2005-07-05 14:51:06 UTC
Which version of vpnc are you using?  Is nscd's init script being called with
"restart" or "reload"?  If it's "restart", is vpnc passing these descriptors to
the init script?

Comment 2 Derek Atkins 2005-07-05 14:59:53 UTC
vpnc-0.3.2-3

As far as I can tell the vpnc code (vpnc-connect) is not calling the nscd init
script, but just calling "nscd -i hosts" directly.  According to the manpage
that is supposed to invalidate the hosts cache.

I did (once, not sure how to repeat it) get nscd into a state where I couldn't
reload from the initscript because of selinux failures.  But I haven't been
able to reproduce that one so I didn't really want to talk about it.

Comment 3 Daniel Walsh 2005-07-11 17:31:21 UTC
Fixed in  selinux-policy-targeted-1.25.1-7

Comment 4 Derek Atkins 2005-07-11 22:39:38 UTC
Thank you, Daniel.  Any chance the fix can be backported to FC3?

