Bug 247814 - Need new nscd permissions
Summary: Need new nscd permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libselinux
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On: 222716
Blocks:
Reported: 2007-07-11 15:26 UTC by Daniel Walsh
Modified: 2013-11-01 09:16 UTC (History)

Fixed In Version: RHBA-2008-0404
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 16:53:17 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0404 0 normal SHIPPED_LIVE libselinux bug fix update 2008-05-19 22:30:49 UTC

Description Daniel Walsh 2007-07-11 15:26:04 UTC
+++ This bug was initially created as a clone of Bug #222716 +++

Description of problem:
We have support for caching new databases in nscd in the upstream CVS and also
want to backport the changes to RHEL4.6 and 5.1 (see bug 217381).  For this to
happen we need new nscd classes.  In all_perms.spt add

  getserv shmemserv

to the existing list in the all_nscd_perms definition.

There are likely some more databases supported in future, stay tuned.  I'll
update this bug if necessary.


Version-Release number of selected component (if applicable):
all selinux versions, RHEL4, RHEL5, FC6, FC7

How reproducible:


Steps to Reproduce:
1. grep NSCD__GETSERV /usr/include/selinux/av_permissions.h
2. grep NSCD__SHMEMSERV /usr/include/selinux/av_permissions.h
  
Actual results:
no output

Expected results:
/usr/include/selinux/av_permissions.h:#define NSCD__GETSERV 0x00000100UL
/usr/include/selinux/av_permissions.h:#define NSCD__SHMEMGRP 0x00000200UL


Additional info:
Please make the header available in libselinux-devel ASAP.

-- Additional comment from dwalsh on 2007-01-15 16:32 EST --
libselinux-1.33.4-3.fc7 has the define statements.

Does this need to get into RHEL5 now?  Do we need additional policy changes?

-- Additional comment from drepper on 2007-01-15 16:50 EST --
(In reply to comment #1)
> libselinux-1.33.4-3.fc7 has the define statements.

But aren't the defines generated?


> Does this need to get into RHEL5 now?  Do we need additional policy changes?

It can wait for RHEL4.6 and RHEL5.1.  But please put it ASAP in FC6/7 so we can
test it.

-- Additional comment from dwalsh on 2007-07-10 09:53 EST --
This one has dropped between the cracks.  Do we still need to do something with
this?  If so what do I need to do to update the av_perm_to_string.h in
libselinux?  I suppose we need to update the policy also?

-- Additional comment from sds.gov on 2007-07-10 10:04 EST --
To add new permissions to SELinux, you first update the policy, e.g.
$ cd refpolicy/policy/flask
$ vi access_vectors
(edit the class and add your permissions to the end of it)
$ make clean all
(generates two sets of headers, one for the kernel and one for userspace)
$ make LIBSELINUX_D=/path/to/libselinux tolib
(installs userspace headers to libselinux)

Until you submit a patch to policy upstream, the permissions aren't reserved and
could be reused by others, so you want to do that ASAP.  Not too likely in this
case, of course, given that no one else is likely to be adding permissions to
nscd ;)
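
The header values follow from where a permission sits in its class block in access_vectors, which is why new permissions are appended at the end. The sketch below is an added example, not part of the comment above or of the refpolicy build scripts; it models that assignment for a class without `inherits`, and the first eight nscd permission names in the constructed sample are an assumption.

```python
import re

# Constructed sample in the layout of refpolicy's policy/flask/access_vectors.
# The first eight permission names are an assumption made for this example;
# getserv and shmemserv are the two permissions this bug asks for.
SAMPLE_ACCESS_VECTORS = """
# nscd userspace object manager (constructed sample)
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}
"""

def class_permissions(text, cls):
    """Return the permission names of class `cls` in declaration order."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching
    m = re.search(r"\bclass\s+%s\s*\{([^}]*)\}" % re.escape(cls), text)
    if m is None:
        raise KeyError("class %r not found (or it uses 'inherits')" % cls)
    return m.group(1).split()

def permission_defines(text, cls):
    """Map CLASS__PERM macro names to bit values assigned by position."""
    perms = class_permissions(text, cls)
    if len(perms) > 32:
        raise ValueError("an access vector holds at most 32 permissions")
    return {"%s__%s" % (cls.upper(), p.upper()): 1 << i
            for i, p in enumerate(perms)}

def render_header(defines):
    """Format the mapping as av_permissions.h-style #define lines."""
    return "\n".join("#define %-32s 0x%08xUL" % (n, v)
                     for n, v in defines.items())

if __name__ == "__main__":
    print(render_header(permission_defines(SAMPLE_ACCESS_VECTORS, "nscd")))
```

Inserting a name anywhere but the end shifts every later bit, so binaries built against the old header would check the wrong permission.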



-- Additional comment from sds.gov on 2007-07-10 10:14 EST --
Oh, and of course the above only defines the permissions - you still have to
allow them in the policy too.
all_nscd_perms (and friends) are now automatically generated in the upstream
refpolicy, but I don't know about the RHEL5 policy or others.


-- Additional comment from drepper on 2007-07-10 10:28 EST --
We still need all this, yes.

-- Additional comment from dwalsh on 2007-07-11 11:24 EST --
Fixed in 
libselinux-2.0.14-3.fc7
libselinux-2.0.23-3.fc8
libselinux-1.33.4-5.el5

Comment 1 Jay Turner 2007-11-30 06:59:56 UTC
QE ack for RHEL5.2.

Comment 6 errata-xmlrpc 2008-05-21 16:53:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0404.html


