235024 – nscd now needs setcap permission

Bug 235024 - nscd now needs setcap permission

Summary: nscd now needs setcap permission

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	selinux-policy-targeted
Sub Component:	(Show other bugs)
Version:	4.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:	234920
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-03 13:10 UTC by Daniel Walsh
Modified:	2007-11-17 01:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:	RHBA-2007-0171
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-05-01 22:48:02 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2007:0171	normal	SHIPPED_LIVE	selinux-policy bug fix update	2007-04-27 21:16:38 UTC

Description Daniel Walsh 2007-04-03 13:10:07 UTC

+++ This bug was initially created as a clone of Bug #234920 +++

Description of problem:
After we finally managed to fix up nscd to use the libcap codeadded a year ago
nscd now needs more permissions:

audit(1175545373.669:111): avc:  denied  { setcap } for  pid=30769 comm="nscd"
scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:nscd_t:s0
tclass=process

libcap was added for SELinux  purposes.  The patch was initially written by
James Antill.


Version-Release number of selected component (if applicable):
selinux-policy-2.5.10-2.fc7.noarch


How reproducible:
always


Steps to Reproduce:
1.get glibc-2.5.90-20 or later
2.(re)start nscd
3.
  
Actual results:
above audit message

Expected results:
no such message

Additional info:
Simply adding

allow nscd_t self:process setcap;

should do.  This also much go into RHEL5.1 and perhaps even RHEL4.6 (but here I
defer to Jakub to say whether he has t hat code in RHEL4's glibc).

-- Additional comment from dwalsh@redhat.com on 2007-04-02 17:11 EST --
Fixed in selinux-policy-2.5.11-2

-- Additional comment from jakub@redhat.com on 2007-04-03 01:12 EST --
It is needed for RHEL5.1 and RHEL4.6 too (the latter is where it actually has
been found - when QA was testing the backport).

Comment 1 Daniel Walsh 2007-04-03 13:13:30 UTC

Fixed in selinux-policy-targeted-1.17.30-2.144

Comment 8 Red Hat Bugzilla 2007-05-01 22:48:02 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html

Note You need to log in before you can comment on or make changes to this bug.