+++ This bug was initially created as a clone of Bug #222716 +++

Description of problem:
We have support for caching new databases in nscd in the upstream CVS and also want to backport the changes to RHEL4.6 and 5.1 (see bug 217381). For this to happen we need new nscd classes.

In all_perms.spt add

getserv shmemserv

to the existing list in the all_nscd_perms definition.

There are likely some more databases supported in future, stay tuned. I'll update this bug if necessary.

Version-Release number of selected component (if applicable):
all selinux versions, RHEL4, RHEL5, FC6, FC7

How reproducible:

Steps to Reproduce:
1. grep NSCD__GETSERV /usr/include/selinux/av_permissions.h
2. grep NSCD__SHMEMSERV /usr/include/selinux/av_permissions.h
3.

Actual results:
no output

Expected results:
/usr/include/selinux/av_permissions.h:#define NSCD__GETSERV 0x00000100UL
/usr/include/selinux/av_permissions.h:#define NSCD__SHMEMGRP 0x00000200UL

Additional info:
Please make the header available in libselinux-devel ASAP.

-- Additional comment from dwalsh on 2007-01-15 16:32 EST --
libselinux-1.33.4-3.fc7 has the define statements.

Does this need to get into RHEL5 now? Do we need additional policy changes?

-- Additional comment from drepper on 2007-01-15 16:50 EST --
(In reply to comment #1)
> libselinux-1.33.4-3.fc7 has the define statements.

But aren't the defines generated?

> Does this need to get into RHEL5 now? Do we need additional policy changes?

It can wait for RHEL4.6 and RHEL5.1. But please put it ASAP in FC6/7 so we can test it.

-- Additional comment from dwalsh on 2007-07-10 09:53 EST --
This one has dropped between the cracks. Do we still need to do something with this? If so, what do I need to do to update the av_perm_to_string.h in libselinux?

I suppose we need to update the policy also?

-- Additional comment from sds.gov on 2007-07-10 10:04 EST --
To add new permissions to SELinux, you first update the policy, e.g.

$ cd refpolicy/policy/flask
$ vi access_vectors
(edit the class and add your permissions to the end of it)
$ make clean all
(generates two sets of headers, one for the kernel and one for userspace)
$ make LIBSELINUX_D=/path/to/libselinux tolib
(installs userspace headers to libselinux)

Until you submit a patch to policy upstream, the permissions aren't reserved and could be reused by others, so you want to do that ASAP. Not too likely in this case, of course, given that no one else is likely to be adding permissions to nscd ;)

-- Additional comment from sds.gov on 2007-07-10 10:14 EST --
Oh, and of course the above only defines the permissions - you still have to allow them in the policy too. all_nscd_perms (and friends) are now automatically generated in the upstream refpolicy, but I don't know about the RHEL5 policy or others.

-- Additional comment from drepper on 2007-07-10 10:28 EST --
We still need all this, yes.

-- Additional comment from dwalsh on 2007-07-11 11:24 EST --
Fixed in
libselinux-2.0.14-3.fc7
libselinux-2.0.23-3.fc8
libselinux-1.33.4-5.el5
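
The instruction above to add new permissions at the end of the class, shown as an added example that is not part of the bug report or of refpolicy: it derives the header defines from a class block and checks that a policy edit leaves the existing permission bits where they were. It assumes the generator assigns bits by declaration position (consistent with the 0x100 and 0x200 values in the report); the eight earlier nscd permission names and all function names are assumptions.

```python
import re

# Constructed sample in access_vectors syntax. Only getserv and shmemserv come
# from the bug report; the eight earlier permission names are assumed.
OLD = """
class nscd
{
	getpwd getgrp gethost getstat
	admin
	shmempwd shmemgrp shmemhost
}
"""
# The two new permissions appended at the end of the class, as advised.
NEW = OLD.replace("shmemhost", "shmemhost\n\tgetserv\n\tshmemserv")
# The same two permissions inserted in the middle instead.
BAD = OLD.replace("admin", "getserv shmemserv admin")

def parse_class(text, name):
    """Return the permissions of `class name { ... }` in declaration order."""
    text = re.sub(r"#.*", "", text)  # strip comments
    m = re.search(r"\bclass\s+%s\s*\{([^}]*)\}" % re.escape(name), text)
    if m is None:
        raise KeyError(name)
    return m.group(1).split()

def av_defines(name, perms):
    """Assumed generator rule: the n-th permission of a class gets bit n."""
    if len(perms) > 32:
        raise ValueError("an access vector holds at most 32 permissions")
    return {"%s__%s" % (name.upper(), p.upper()): 1 << i
            for i, p in enumerate(perms)}

def header_lines(defines):
    """Render in the av_permissions.h style quoted in the report."""
    return ["#define %s 0x%08xUL" % (k, v) for k, v in defines.items()]

def moved_bits(old_text, new_text, name="nscd"):
    """Existing permissions whose bit value differs between two policies."""
    old = av_defines(name, parse_class(old_text, name))
    new = av_defines(name, parse_class(new_text, name))
    return sorted(k for k, v in old.items() if new.get(k) != v)

if __name__ == "__main__":
    print("\n".join(header_lines(av_defines("nscd", parse_class(NEW, "nscd")))[-2:]))
    print("appended, moved bits:", moved_bits(OLD, NEW))
    print("inserted, moved bits:", moved_bits(OLD, BAD))
```

A non-empty result from `moved_bits` means binaries built against the old header would be checking a different permission than the one the new policy defines under that bit.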
QE ack for RHEL5.2.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0404.html