Bug 217640 - nscd cannot access avahi socket
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-11-28 22:32 EST by Ulrich Drepper
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.4.6-4
Doc Type: Bug Fix
Last Closed: 2007-02-13 15:29:26 EST
Description Ulrich Drepper 2006-11-28 22:32:26 EST
Description of problem:
When the avahi nss module (not part of core) is used nscd must access


which has the context


This socket is created by avahi-dnsconfd which *IS* part of core.  So, please
allow access.  This extension probably has to be added to the same place which
allows access to NIS sockets since all programs with their own domain need this
permission, too.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install nss-mdns (from arprms)
2. add mdns to the hosts entry in /etc/nsswitch.conf
3. restart nscd
4. clean nscd cache (/usr/sbin/nscd -i hosts)
5. ping somelocalhost.local

Actual results:
failed to lookup

Expected results:
resolving succeeds

Additional info:
Comment 1 Daniel Walsh 2006-11-29 12:36:33 EST
Added to auth_use_nsswitch(), which most domains use.

Fixed in selinux-policy-2.4.6-1
Comment 2 Ulrich Drepper 2006-11-30 16:15:52 EST
Some more changes are needed.  The code also needs

  allow nscd_t avahi_var_run_t:dir search;

(well, the generic non-nscd specific form).
Comment 3 Daniel Walsh 2006-11-30 16:55:57 EST
That is in the 2.4.6-1 policy.
Comment 4 Ulrich Drepper 2006-11-30 17:13:21 EST
I have the 2.4.6-1 policy installed, even relabeled everything, and still get
this message from nscd.  Are you sure you added search permission to the
directory and not only access to the socket?
Comment 5 Ulrich Drepper 2006-11-30 17:56:13 EST
I looked at the 2.4.6-1.fc6 sources and the changes are there.  But despite
having the policy loaded and rebooting and relabeling I continue to get the message.

Is for some reason the avahi part not included in your policy?  I don't know
exactly how the 'optional_policy' macro works.
Comment 6 Daniel Walsh 2006-12-01 11:22:18 EST
Fixed in selinux-policy-2.4.6-4
Comment 7 Ulrich Drepper 2007-02-13 15:29:26 EST
Seems to be fixed.
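
The thread turns on whether the loaded policy grants nscd_t both search on the avahi_var_run_t directory and access to the socket inside it. The following is an added example, not part of the bug report or the policy sources: it groups AVC denials by object class for that source/target pair so the two cases can be told apart. The log lines are constructed and their name= values are placeholders.

```python
import re
from collections import defaultdict

# Constructed AVC denials (not from the bug report); name= values are placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1164923632.101:45): avc:  denied  { search } for  pid=2101 comm="nscd" name="EXAMPLE_DIR" dev=dm-0 ino=1001 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=dir
type=AVC msg=audit(1164923640.207:51): avc:  denied  { write } for  pid=2101 comm="nscd" name="EXAMPLE_SOCKET" dev=dm-0 ino=1002 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1164923650.300:60): avc:  denied  { read } for  pid=2200 comm="httpd" name="EXAMPLE_FILE" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type[:level], or '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def denied_permissions(log_text, source_type, target_type):
    """Map object class -> set of denied permissions for one source/target pair."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        pair = (selinux_type(m["scon"]), selinux_type(m["tcon"]))
        if pair != (source_type, target_type):
            continue
        denied[m["tclass"]].update(m["perms"].split())
    return dict(denied)

def as_allow_rules(denied, source_type, target_type):
    """Render denials as candidate allow rules for review, not for blind loading."""
    return [
        f"allow {source_type} {target_type}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for tclass, perms in sorted(denied.items())
    ]

if __name__ == "__main__":
    found = denied_permissions(SAMPLE_AUDIT_LOG, "nscd_t", "avahi_var_run_t")
    print("\n".join(as_allow_rules(found, "nscd_t", "avahi_var_run_t")))
```

A `dir` entry in the result means the directory search rule is still missing from the loaded policy, independent of any socket rule.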
