Bug 171509 - SELinux prevents nscd from resolving names
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Blocks: 168429
Reported: 2005-10-21 18:23 EDT by Matt Brodeur
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2006-0049
Doc Type: Bug Fix
Last Closed: 2006-03-07 13:13:30 EST
External Trackers: Red Hat Bugzilla 170064
Description Matt Brodeur 2005-10-21 18:23:03 EDT
Description of problem:
The SELinux policy shipped with U2 prevents nscd from operating properly. 
Notably, nscd can't read /etc/resolv.conf and therefore can't resolve host
names.  This could be related to an invalid file context on resolv.conf after
it's created/updated by dhclient-scripts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL4U2
2. Enable nscd (chkconfig nscd on)
3. Reboot

Actual results:
Networking works, but name resolution doesn't.  i.e., you can ping by IP but not by

Expected results:
Name resolution should work.

Additional info:
The following denials occur during boot:
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd"
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd"
name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t
tcontext=root:object_r:etc_runtime_t tclass=file

The resolv.conf message appears periodically as processes attempt to look up
names.  Running "restorecon /etc/resolv.conf", or disabling enforcing, then
restarting networking and nscd will make name resolution work again.

This may be related to bug #170064, but this system is not running
NetworkManager.  Installing selinux-policy-targeted-1.17.30-2.117 from
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3 resolves this issue.
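The denials quoted above are the evidence an administrator works from: the second one shows nscd_t being refused read access to resolv.conf because the file carries the etc_runtime_t label after dhclient rewrote it. The following parser, an added example that is not part of the bug report, re-joins the line-wrapped audit records, extracts the AVC fields, and lists file denials for a given domain together with the target label, so the path to check with restorecon is immediately visible. The sample records are the two lines quoted in the report; the domain name argument and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two denials quoted in the bug report, with the
# second record line-wrapped exactly as it appears there.
SAMPLE_AUDIT = """\
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd"
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd"
name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t
tcontext=root:object_r:etc_runtime_t tclass=file
"""

@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: list        # permissions inside the { ... } braces
    fields: dict       # key=value pairs after "for"; tclass may be absent

# Header: audit(<epoch>:<serial>): avc:  denied  { perms } for  key=value ...
AVC_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)')
# key=value, where value is either quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_wrapped(text):
    """Re-join records: a line not starting with 'audit(' continues the previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Parse one re-joined AVC record; returns None for non-AVC lines."""
    m = AVC_RE.match(record)
    if not m:
        return None
    ts, serial, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return AvcDenial(float(ts), int(serial), perms.split(), fields)

def find_file_denials(text, domain="nscd_t"):
    """(name, target type, perms) for each file-class denial against `domain`."""
    hits = []
    for rec in join_wrapped(text):
        d = parse_avc(rec)
        if d is None or d.fields.get("tclass") != "file":
            continue
        if not d.fields.get("scontext", "").endswith(":" + domain):
            continue
        ttype = d.fields["tcontext"].split(":")[2]   # user:role:type -> type
        hits.append((d.fields.get("name"), ttype, d.perms))
    return hits
```

The first record has no tclass and is skipped by the file filter, while the second yields `("resolv.conf", "etc_runtime_t", ["read"])`, the mislabeled file the report fixes with `restorecon /etc/resolv.conf`.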
Comment 1 Daniel Walsh 2005-10-24 09:15:54 EDT
Fixed in selinux-policy-targeted-1.17.30-2.117
Comment 3 Tru Huynh 2005-11-04 10:56:27 EST
Any chance to push it before update 3?


Comment 6 Red Hat Bugzilla 2006-03-07 13:13:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

