+++ This bug was initially created as a clone of Bug #234920 +++

Description of problem:
After we finally managed to fix up nscd to use the libcap code added a year ago, nscd now needs more permissions:

audit(1175545373.669:111): avc: denied { setcap } for pid=30769 comm="nscd" scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=process

libcap was added for SELinux purposes. The patch was initially written by James Antill.

Version-Release number of selected component (if applicable):
selinux-policy-2.5.10-2.fc7.noarch

How reproducible:
always

Steps to Reproduce:
1. get glibc-2.5.90-20 or later
2. (re)start nscd
3.

Actual results:
above audit message

Expected results:
no such message

Additional info:
Simply adding

allow nscd_t self:process setcap;

should do. This also must go into RHEL5.1 and perhaps even RHEL4.6 (but here I defer to Jakub to say whether he has that code in RHEL4's glibc).

-- Additional comment from dwalsh on 2007-04-02 17:11 EST --
Fixed in selinux-policy-2.5.11-2

-- Additional comment from jakub on 2007-04-03 01:12 EST --
It is needed for RHEL5.1 and RHEL4.6 too (the latter is where it actually has been found - when QA was testing the backport).
Fixed in selinux-policy-targeted-1.17.30-2.144
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0171.html
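
Added example, not part of the original report or of any Red Hat tooling: a small parser showing how the fields of the AVC denial quoted in the description map onto the proposed allow rule, including the collapse to "self" when the source and target types match. The second record, its type example_file_t, and the function names are constructed for illustration.

```python
import re

# The denial quoted in this report, plus one constructed record (different
# source and target types) to show the case that does not collapse to "self".
REPORTED = ('audit(1175545373.669:111): avc: denied { setcap } for pid=30769 '
            'comm="nscd" scontext=system_u:system_r:nscd_t:s0 '
            'tcontext=system_u:system_r:nscd_t:s0 tclass=process')
CONSTRUCTED = ('audit(1175545400.000:112): avc: denied { read write } for '
               'pid=30770 comm="nscd" scontext=system_u:system_r:nscd_t:s0 '
               'tcontext=system_u:object_r:example_file_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(':')
    if len(fields) < 3:
        raise ValueError('not a security context: %r' % context)
    return fields[2]


def avc_to_allow(record):
    """Return the candidate allow rule for one AVC denial, or None."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    perms = m.group('perms').split()
    if not perms:
        return None
    source = context_type(m.group('scontext'))
    target = context_type(m.group('tcontext'))
    if target == source:
        # A domain acting on itself is written with the "self" keyword.
        target = 'self'
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (source, target, m.group('tclass'), perm_text)


if __name__ == '__main__':
    for line in (REPORTED, CONSTRUCTED):
        print(avc_to_allow(line))
```

The output is a candidate rule to review against what the daemon legitimately needs before it goes into policy, as was done here for setcap.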