Bug 247814 - Need new nscd permissions
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libselinux
All Linux
medium Severity medium
Assigned To: Daniel Walsh
: FutureFeature
Depends On: 222716
Reported: 2007-07-11 11:26 EDT by Daniel Walsh
Modified: 2013-11-01 05:16 EDT
Fixed In Version: RHBA-2008-0404
Doc Type: Enhancement
Last Closed: 2008-05-21 12:53:17 EDT

Description Daniel Walsh 2007-07-11 11:26:04 EDT
+++ This bug was initially created as a clone of Bug #222716 +++

Description of problem:
We have support for caching new databases in nscd in the upstream CVS and also
want to backport the changes to RHEL4.6 and 5.1 (see bug 217381).  For this to
happen we need new nscd classes.  In all_perms.spt add

  getserv shmemserv

to the existing list in the all_nscd_perms definition.

There are likely some more databases supported in future, stay tuned.  I'll
update this bug if necessary.

Version-Release number of selected component (if applicable):
all selinux versions, RHEL4, RHEL5, FC6, FC7

How reproducible:

Steps to Reproduce:
1. grep NSCD__GETSERV /usr/include/selinux/av_permissions.h
2. grep NSCD__SHMEMSERV /usr/include/selinux/av_permissions.h
Actual results:
no output

Expected results:
/usr/include/selinux/av_permissions.h:#define NSCD__GETSERV                    
/usr/include/selinux/av_permissions.h:#define NSCD__SHMEMGRP                   

Additional info:
Please make the header available in libselinux-devel ASAP.

-- Additional comment from dwalsh@redhat.com on 2007-01-15 16:32 EST --
libselinux-1.33.4-3.fc7 has the define statements.

Does this need to get into RHEL5 now?  Do we need additional policy changes?

-- Additional comment from drepper@redhat.com on 2007-01-15 16:50 EST --
(In reply to comment #1)
> libselinux-1.33.4-3.fc7 has the define statements.

But aren't the defines generated?

> Does this need to get into RHEL5 now?  Do we need additional policy changes?

It can wait for RHEL4.6 and RHEL5.1.  But please put it ASAP in FC6/7 so we can
test it.

-- Additional comment from dwalsh@redhat.com on 2007-07-10 09:53 EST --
This one has dropped between the cracks.  Do we still need to do something with
this?  If so what do I need to do to update the av_perm_to_string.h in
libselinux?  I suppose we need to update the policy also?

-- Additional comment from sds@tycho.nsa.gov on 2007-07-10 10:04 EST --
To add new permissions to SELinux, you first update the policy, e.g.
$ cd refpolicy/policy/flask
$ vi access_vectors
(edit the class and add your permissions to the end of it)
$ make clean all
(generates two sets of headers, one for the kernel and one for userspace)
$ make LIBSELINUX_D=/path/to/libselinux tolib
(installs userspace headers to libselinux)

Until you submit a patch to policy upstream, the permissions aren't reserved and
could be reused by others, so you want to do that ASAP.  Not too likely in this
case, of course, given that no one else is likely to be adding permissions to
nscd ;)

-- Additional comment from sds@tycho.nsa.gov on 2007-07-10 10:14 EST --
Oh, and of course the above only defines the permissions - you still have to
allow them in the policy too.
all_nscd_perms (and friends) are now automatically generated in the upstream
refpolicy, but I don't know about the RHEL5 policy or others.
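
Added example, not part of the original bug report and not the refpolicy generator: a small Python model of why the procedure above says to add permissions to the end of the class, plus the grep check from the steps to reproduce. It assumes each permission of a class without inherited common permissions gets the bit matching its position in access_vectors; the sample class text and all function names are constructed for illustration.

```python
import re

# Constructed sample of the nscd class in policy/flask/access_vectors after
# appending the two permissions requested in this bug.
ACCESS_VECTORS = """
# constructed sample
class nscd
{
	getpwd getgrp gethost getstat admin
	shmempwd shmemgrp shmemhost
	getserv shmemserv
}
"""

def parse_classes(text):
    """Return {class: [perm, ...]} in declaration order.
    Narrowed to plain classes; 'common' and 'inherits' blocks are skipped."""
    text = re.sub(r"#.*", "", text)  # access_vectors uses '#' comments
    return {name: body.split()
            for name, body in re.findall(r"class\s+(\w+)\s*\{([^}]*)\}", text)}

def header_defines(classes):
    """Model of the generated header (assumption): permission i gets bit 1 << i."""
    out = {}
    for cls, perms in classes.items():
        if len(perms) > 32:
            raise ValueError(f"class {cls} does not fit a 32-bit access vector")
        for i, perm in enumerate(perms):
            out[f"{cls.upper()}__{perm.upper()}"] = 1 << i
    return out

def render(defines):
    """Format the defines the way they appear in av_permissions.h."""
    return "\n".join(f"#define {n:<40} 0x{v:08x}UL" for n, v in defines.items())

def missing_defines(header_text, wanted):
    """The grep check from the report: wanted names with no #define in the header."""
    present = set(re.findall(r"^\s*#define\s+(\w+)", header_text, re.M))
    return [n for n in wanted if n not in present]

def shifted(before, after):
    """Names defined in both headers whose bit value changed."""
    return sorted(n for n in before if n in after and before[n] != after[n])

if __name__ == "__main__":
    print(render(header_defines(parse_classes(ACCESS_VECTORS))))
```

Under this model, appending leaves every existing value untouched, while inserting a permission anywhere else renumbers the ones after it and breaks any binary built against the old header.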

-- Additional comment from drepper@redhat.com on 2007-07-10 10:28 EST --
We still need all this, yes.

-- Additional comment from dwalsh@redhat.com on 2007-07-11 11:24 EST --
Fixed in 
Comment 1 Jay Turner 2007-11-30 01:59:56 EST
QE ack for RHEL5.2.
Comment 6 errata-xmlrpc 2008-05-21 12:53:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

