First Last Prev Next    This bug is not in your last search results.
Bug 171509 - SELinux prevents nscd from resolving names
SELinux prevents nscd from resolving names
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: 168429
  Show dependency treegraph
 
Reported: 2005-10-21 18:23 EDT by Matt Brodeur
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2006-0049
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-07 13:13:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 170064 None None None Never

  None (edit)
Description Matt Brodeur 2005-10-21 18:23:03 EDT 
Description of problem:
The SELinux policy shipped with U2 prevents nscd from operating properly. 
Notably, nscd can't read /etc/resolv.conf and therefore can't resolve host
names.  This could be related to an invalid file context on resolv.conf after
it's created/updated by dhclient-scripts.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110


How reproducible:
Always


Steps to Reproduce:
1. Install RHEL4U2
2. Enable nscd (chkconfig nscd on)
3. Reboot

  
Actual results:
Networking works, but name resolution doesn't.  ie, you can ping by IP by not by
name.


Expected results:
Name resolution should work.


Additional info:
The following denials occur during boot:
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd"
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
tclass=netlink_audit_socket
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd"
name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t
tcontext=root:object_r:etc_runtime_t tclass=file

The resolv.conf message appears periodically as processes attempt to look up
names.  Running "restorecon /etc/resolv.conf", or disabling enforcing, then
restarting networking and nscd will make name resolution work again.

This may be related to bug #170064, but this system is not running
NetworkManager.  Installing selinux-policy-targeted-1.17.30-2.117 from
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3 resolves this issue.
Comment 1 Daniel Walsh 2005-10-24 09:15:54 EDT 
FIxed in selinux-policy-targeted-1.17.30-2.117
Comment 3 Tru Huynh 2005-11-04 10:56:27 EST 
any chance to push to it before update 3?

Thanks
Comment 6 Red Hat Bugzilla 2006-03-07 13:13:30 EST 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.