nscd-2.3.4-2.19-x86_64

Setting the following configuration options, to have nscd restart itself every 1200 seconds, fails when the user nscd is running as is "nscd":

paranoia yes
restart-interval 1200

It will show:

25936: cannot change to old UID: Operation not permitted; disabling paranoia mode

It works fine if you use "root" as the user to run nscd as.
I checked in a patch upstream which should fix this issue. We should have used setres[gu]id instead of set[gu]id in a few places.
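As an added illustration of the setres[gu]id approach mentioned above (example code written for this page, not nscd's or glibc's own source): the drop step keeps the original IDs in the saved set-ID slots, and the restart step switches back to them. Run as root with an unprivileged uid/gid it shows why a plain setuid() makes the later switch fail; run unprivileged with the caller's own IDs it is a harmless no-op.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these under _GNU_SOURCE; repeated here so the example
   also compiles when that feature macro is not in effect. */
extern int setresuid(uid_t, uid_t, uid_t);
extern int setresgid(gid_t, gid_t, gid_t);
extern int getresuid(uid_t *, uid_t *, uid_t *);
extern int getresgid(gid_t *, gid_t *, gid_t *);

/* Drop to server_uid/server_gid but leave the current effective IDs in the
   saved slots. With setuid()/setgid() from root all three slots would be
   overwritten and the original identity would be gone for good.
   Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_keep_saved(uid_t server_uid, gid_t server_gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();

    /* gid first: once the uid is dropped, changing gid needs the saved slot */
    if (setresgid(server_gid, server_gid, old_gid) == -1)
        return -1;
    if (setresuid(server_uid, server_uid, old_uid) == -1)
        return -1;
    return 0;
}

/* The paranoia-mode restart path: move the saved IDs back into all slots
   before re-executing. An unprivileged process may set each slot to any of
   its current real/effective/saved values, so this only works if the saved
   slot still holds the original ID. Returns 0 on success, -1 on failure
   (the "cannot change to old UID" condition). */
int regain_saved_privileges(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) == -1 || getresgid(&rgid, &egid, &sgid) == -1)
        return -1;
    if (setresuid(suid, suid, suid) == -1)
        return -1;
    if (setresgid(sgid, sgid, sgid) == -1)
        return -1;
    return 0;
}

/* Check helper: does the saved set-uid slot still hold old_uid? */
int saved_uid_is(uid_t old_uid)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == -1)
        return 0;
    return s == old_uid;
}
```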
The customer tested this patch:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.86&r2=1.87

And it would only restart once using the paranoia, then would throw the same error:

26908: re-exec failed: Permission denied; disabling paranoia mode
Any audit messages regarding this?

On FC5, where glibc-2.4-7 (fc5-updates-candidate) has the same patch, nscd will not reexec properly due to SELinux policy not allowing it:

rpm -q nscd; egrep '^[^#].*(paranoia|restart|user)' /etc/nscd.conf
nscd-2.4-7
server-user nscd
paranoia yes
restart-interval 60

May 9 13:40:03 hammer nscd: 21463 Access Vector Cache (AVC) started
May 9 13:41:09 hammer nscd: 21463 re-exec failed: Permission denied; disabling paranoia mode
May 9 13:41:09 hammer kernel: audit(1147174869.158:9): avc: denied { execute_no_trans } for pid=21463 comm="nscd" name="nscd" dev=hda3 ino=396997 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_exec_t:s0 tclass=file

while if I "sudo chcon system_u:object_r:bin_t /usr/sbin/nscd" and restart nscd, it works fine:

May 9 13:44:30 hammer nscd: 21596 Access Vector Cache (AVC) started
May 9 13:45:30 hammer nscd: 21657 Access Vector Cache (AVC) started
May 9 13:46:31 hammer nscd: 21706 Access Vector Cache (AVC) started
May 9 13:47:32 hammer nscd: 21755 Access Vector Cache (AVC) started
May 9 13:48:32 hammer nscd: 21803 Access Vector Cache (AVC) started
May 9 13:49:33 hammer nscd: 21851 Access Vector Cache (AVC) started
May 9 13:50:33 hammer nscd: 21901 Access Vector Cache (AVC) started
May 9 13:51:35 hammer nscd: 21950 Access Vector Cache (AVC) started
May 9 13:52:35 hammer nscd: 21999 Access Vector Cache (AVC) started
May 9 13:53:36 hammer nscd: 22048 Access Vector Cache (AVC) started
May 9 13:54:37 hammer nscd: 22095 Access Vector Cache (AVC) started
SELinux is disabled on the machine nscd was started on. Is the patch posted above sufficient to fix this problem?
The patch in glibc-2.3.4-2.20 (and FC4/FC5 testing updates) is not just -r1.8{6,7} of nscd/connections.c, but -r1.8{5,7}.

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.85&r2=1.87
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0510.html