Bug 171509 - SELinux prevents nscd from resolving names
Summary: SELinux prevents nscd from resolving names
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 168429
Reported: 2005-10-21 22:23 UTC by Matt Brodeur
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2006-0049
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-07 18:13:30 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 170064 0 medium CLOSED NetworkManagerInfo cannot talk to dbus 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2006:0049 0 qe-ready SHIPPED_LIVE selinux-policy bug fix update 2006-03-06 05:00:00 UTC

Description Matt Brodeur 2005-10-21 22:23:03 UTC
Description of problem:
The SELinux policy shipped with U2 prevents nscd from operating properly. 
Notably, nscd can't read /etc/resolv.conf and therefore can't resolve host
names.  This could be related to an invalid file context on resolv.conf after
it's created/updated by dhclient-scripts.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110


How reproducible:
Always


Steps to Reproduce:
1. Install RHEL4U2
2. Enable nscd (chkconfig nscd on)
3. Reboot

  
Actual results:
Networking works, but name resolution doesn't.  I.e., you can ping by IP but not by
name.


Expected results:
Name resolution should work.


Additional info:
The following denials occur during boot:
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd"
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
tclass=netlink_audit_socket
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd"
name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t
tcontext=root:object_r:etc_runtime_t tclass=file

The resolv.conf message appears periodically as processes attempt to look up
names.  Running "restorecon /etc/resolv.conf", or disabling enforcing, then
restarting networking and nscd will make name resolution work again.

This may be related to bug #170064, but this system is not running
NetworkManager.  Installing selinux-policy-targeted-1.17.30-2.117 from
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3 resolves this issue.
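The two AVC records quoted above are the evidence a defender would want to pick out of a boot log automatically: a file denial against a domain whose target label does not match the label the policy expects for that path. The following parser is an added example written for this page, not code from the bug report or from the selinux-policy package; it assumes only Python 3 and the classic `audit(...)` AVC message format shown in the report. It extracts the key/value fields, pulls the type component out of each security context, and flags file-class denials for a given source domain (here `nscd_t`) together with the target type seen, which is exactly the signal that pointed the reporter at `restorecon /etc/resolv.conf`.

```python
import re
from dataclasses import dataclass

# Sample denials copied from the bug report above. The report wraps them for
# display; in the real log each audit message is a single line, as here.
SAMPLE_AVC = [
    'audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd" '
    'scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t '
    'tclass=netlink_audit_socket',
    'audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd" '
    'name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t '
    'tcontext=root:object_r:etc_runtime_t tclass=file',
]

# Header of a classic kernel AVC message: timestamp, serial, result, permissions.
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC message into an AvcRecord, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group('rest')):
        # findall yields '' for the alternative that did not match.
        fields[key] = bare or quoted
    return AvcRecord(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=m.group('perms').split(),
        fields=fields,
    )


def file_denials_for_domain(lines, domain):
    """Collect file-class denials whose source domain is `domain`.

    Each hit carries the object name and the target type, so an operator can
    compare the target type against what the policy expects for that path
    (e.g. the output of matchpathcon) and decide whether a relabel is needed.
    """
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.result != 'denied':
            continue
        if rec.fields.get('tclass') != 'file':
            continue
        if context_type(rec.fields['scontext']) != domain:
            continue
        hits.append({
            'serial': rec.serial,
            'comm': rec.fields.get('comm'),
            'name': rec.fields.get('name'),
            'perms': rec.perms,
            'target_type': context_type(rec.fields['tcontext']),
        })
    return hits


if __name__ == '__main__':
    for hit in file_denials_for_domain(SAMPLE_AVC, 'nscd_t'):
        print('%(comm)s denied %(perms)s on %(name)s labeled %(target_type)s' % hit)
```

Running the block against the report's own records prints a single hit: nscd denied `read` on `resolv.conf` labeled `etc_runtime_t`. The netlink socket denial is deliberately not reported by `file_denials_for_domain`, since it concerns a socket class rather than a mislabeled file and needs a policy change, not a relabel.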

Comment 1 Daniel Walsh 2005-10-24 13:15:54 UTC
Fixed in selinux-policy-targeted-1.17.30-2.117

Comment 3 Tru Huynh 2005-11-04 15:56:27 UTC
Any chance to push it before update 3?

Thanks



Comment 6 Red Hat Bugzilla 2006-03-07 18:13:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html


