Bug 171509 - SELinux prevents nscd from resolving names
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
Version: 4.0
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Blocks: 168429
Reported: 2005-10-21 18:23 EDT by Matt Brodeur
Modified: 2007-11-30 17:07 EST (History)

Fixed In Version: RHBA-2006-0049
Doc Type: Bug Fix
Last Closed: 2006-03-07 13:13:30 EST
External Trackers: Red Hat Bugzilla 170064
Description Matt Brodeur 2005-10-21 18:23:03 EDT
Description of problem:
The SELinux policy shipped with U2 prevents nscd from operating properly. 
Notably, nscd can't read /etc/resolv.conf and therefore can't resolve host
names.  This could be related to an invalid file context on resolv.conf after
it's created/updated by dhclient-scripts.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110


How reproducible:
Always


Steps to Reproduce:
1. Install RHEL4U2
2. Enable nscd (chkconfig nscd on)
3. Reboot

Actual results:
Networking works, but name resolution doesn't.  i.e., you can ping by IP but not by
name.


Expected results:
Name resolution should work.


Additional info:
The following denials occur during boot:
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd"
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
tclass=netlink_audit_socket
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd"
name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t
tcontext=root:object_r:etc_runtime_t tclass=file

The resolv.conf message appears periodically as processes attempt to look up
names.  Running "restorecon /etc/resolv.conf", or disabling enforcing, then
restarting networking and nscd will make name resolution work again.

This may be related to bug #170064, but this system is not running
NetworkManager.  Installing selinux-policy-targeted-1.17.30-2.117 from
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3 resolves this issue.
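As an added illustration (not part of the bug report), the following Python parses kernel AVC records of the form quoted above and flags file denials whose target carries etc_runtime_t, the label that restorecon corrects in this report. The sample log is constructed from the two denials quoted above, and the /etc/ prefix in the suggested restorecon command is an assumption, since the name= field carries only the basename.

```python
import re

# Constructed sample: the two AVC denials quoted in the report, each joined onto one line.
SAMPLE_LOG = """\
audit(1129919115.192:2): avc:  denied  { create } for  pid=1791 comm="nscd" scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t tclass=netlink_audit_socket
audit(1129919122.914:3): avc:  denied  { read } for  pid=1805 comm="nscd" name="resolv.conf" dev=dm-0 ino=7077897 scontext=user_u:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
"""

# Kernel AVC header: audit(<secs>.<ms>:<serial>): avc: denied { perms } for key=value ...
# search() rather than match() so a syslog prefix ("... kernel: ") before "audit(" is tolerated.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values are quoted (comm="nscd") or bare (dev=dm-0).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "result": m.group("result"),
           "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def find_mislabeled_file_denials(log_text, bad_type="etc_runtime_t"):
    """Return file-class denials whose target type is bad_type.

    Treating etc_runtime_t on resolv.conf as a mislabel is a heuristic taken from this
    report (restorecon fixes it), not a general statement about the policy.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("tclass") != "file":
            continue
        if rec["tcontext_type"] == bad_type:
            # name= is only the basename; the /etc/ directory is assumed here.
            hits.append({"comm": rec.get("comm"), "name": rec.get("name"), "ino": rec.get("ino"),
                         "fix": "restorecon -v /etc/%s" % rec.get("name")})
    return hits


if __name__ == "__main__":
    for hit in find_mislabeled_file_denials(SAMPLE_LOG):
        print(hit)
```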
Comment 1 Daniel Walsh 2005-10-24 09:15:54 EDT
Fixed in selinux-policy-targeted-1.17.30-2.117
Comment 3 Tru Huynh 2005-11-04 10:56:27 EST
Any chance to push it before update 3?

Thanks

Comment 6 Red Hat Bugzilla 2006-03-07 13:13:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html
