Description of problem:
When the avahi nss module (not part of core) is used nscd must access /var/run/avahi-daemon/socket which has the context
root:object_r:avahi_var_run_t
This socket is created by avahi-dnsconfd which *IS* part of core. So, please allow access. This extension probably has to be added to the same place which allows access to NIS sockets since all programs with their own domain need this permission, too.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-3.fc6

How reproducible:
always

Steps to Reproduce:
1. install nss-mdns (from arprms)
2. add mdns to the hosts entry in /etc/nsswitch.conf
3. restart nscd
4. clean nscd cache (/usr/sbin/nscd -i hosts)
5. ping somelocalhost.local

Actual results:
failed to lookup

Expected results:
resolving succeeds

Additional info:
Added to auth_use_nsswitch(), which most domains use. Fixed in selinux-policy-2.4.6-1.
Some more changes are needed. The code also needs allow nscd_t avahi_var_run_t:dir_search (well, the generic non-nscd specific form).
That is in the 2.4.6-1 policy.
I have the 2.4.6-1 policy installed, even relabeled everything, and still get this message from nscd. Are you sure you added search permission to the directory and not only access to the socket?
I looked at the 2.4.6-1.fc6 sources and the changes are there. But despite having the policy loaded and rebooting and relabeling I continue to get the message. Is for some reason the avahi part not included in your policy? I don't know exactly how the 'optional_policy' macro works.
Fixed in selinux-policy-2.4.6-4
Seems to be fixed.
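
Added example (not part of the original report or of selinux-policy): a small Python check that reads AVC denial lines and reports which of the permissions discussed in this thread are still being denied to nscd_t on avahi_var_run_t. The log lines are constructed samples, and the REQUIRED set (search on the directory, write on the socket file) is an assumption about the minimum needed, based on the comments above.

```python
import re

# Constructed sample: the state described in the thread after the first fix,
# where the directory search is still denied. Not taken from the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1161000000.101:41): avc:  denied  { search } for  pid=2100 comm="nscd" name="avahi-daemon" dev=dm-0 ino=98 scontext=system_u:system_r:nscd_t tcontext=root:object_r:avahi_var_run_t tclass=dir
type=AVC msg=audit(1161000000.202:42): avc:  denied  { read } for  pid=2300 comm="httpd" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: (class, permission) pairs needed to reach the socket by path.
REQUIRED = {("dir", "search"), ("sock_file", "write")}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def denied_permissions(log_text, source_type, target_type):
    """Collect (class, permission) pairs denied from source_type to target_type."""
    denied = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        if selinux_type(m["scon"]) != source_type:
            continue
        if selinux_type(m["tcon"]) != target_type:
            continue
        for perm in m["perms"].split():
            denied.add((m["tclass"], perm))
    return denied


def still_blocked(log_text, source_type="nscd_t", target_type="avahi_var_run_t"):
    """Return the required permissions that the log shows as denied."""
    return sorted(REQUIRED & denied_permissions(log_text, source_type, target_type))


if __name__ == "__main__":
    for tclass, perm in still_blocked(SAMPLE_LOG):
        print(f"nscd_t still denied: avahi_var_run_t:{tclass} {perm}")
```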