Red Hat Bugzilla – Bug 247814
Need new nscd permissions
Last modified: 2013-11-01 05:16:04 EDT
+++ This bug was initially created as a clone of Bug #222716 +++
Description of problem:
We have support for caching new databases in nscd in the upstream CVS and also
want to backport the changes to RHEL4.6 and 5.1 (see bug 217381). For this to
happen we need new nscd classes. In all_perms.spt add
to the existing list in the all_nscd_perms definition.
There are likely some more databases supported in future, stay tuned. I'll
update this bug if necessary.
Version-Release number of selected component (if applicable):
all selinux versions, RHEL4, RHEL5, FC6, FC7
Steps to Reproduce:
1. grep NSCD__GETSERV /usr/include/selinux/av_permissions.h
2. grep NSCD__SHMEMSERV /usr/include/selinux/av_permissions.h
Please make the header available in libselinux-devel ASAP.
-- Additional comment from email@example.com on 2007-01-15 16:32 EST --
libselinux-1.33.4-3.fc7 has the define statements.
Does this need to get into RHEL5 now? Do we need additional policy changes?
-- Additional comment from firstname.lastname@example.org on 2007-01-15 16:50 EST --
(In reply to comment #1)
> libselinux-1.33.4-3.fc7 has the define statements.
But aren't the defines generated?
> Does this need to get into RHEL5 now? Do we need additional policy changes.
It can wait for RHEL4.6 and RHEL5.1. But please put it ASAP in FC6/7 so we can
-- Additional comment from email@example.com on 2007-07-10 09:53 EST --
This one has dropped between the cracks. Do we still need to do something with
this? If so, what do I need to do to update the av_perm_to_string.h in
libselinux? I suppose we need to update the policy also?
-- Additional comment from firstname.lastname@example.org on 2007-07-10 10:04 EST --
To add new permissions to SELinux, you first update the policy, e.g.
$ cd refpolicy/policy/flask
$ vi access_vectors
(edit the class and add your permissions to the end of it)
$ make clean all
(generates two sets of headers, one for the kernel and one for userspace)
$ make LIBSELINUX_D=/path/to/libselinux tolib
(installs userspace headers to libselinux)
Until you submit a patch to policy upstream, the permissions aren't reserved and
could be reused by others, so you want to do that ASAP. Not too likely in this
case, of course, given that no one else is likely to be adding permissions to
-- Additional comment from email@example.com on 2007-07-10 10:14 EST --
Oh, and of course the above only defines the permissions - you still have to
allow them in the policy too.
all_nscd_perms (and friends) are now automatically generated in the upstream
refpolicy, but I don't know about the RHEL5 policy or others.
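Added example, not part of the original bug report or of refpolicy/libselinux: a check for the procedure in the 2007-07-10 10:04 comment, confirming that a generated av_permissions.h carries the NSCD__ defines the class block implies, and showing why new permissions go at the end of the class. Assumptions: a class without an "inherits" clause, where the n-th permission is assigned bit 1 << n; the first eight permission names and both sample texts are constructed for illustration.

```python
import re

# Constructed sample of the nscd class block in policy/flask/access_vectors.
# The first eight names are an assumption; getserv and shmemserv come last.
ACCESS_VECTORS = """
class nscd
{
    getpwd getgrp gethost getstat admin
    shmempwd shmemgrp shmemhost
    getserv shmemserv
}
"""

def class_perms(text, cls):
    """Return the permission names of class `cls` in declaration order."""
    m = re.search(r"^class\s+%s\s*\{([^}]*)\}" % re.escape(cls), text, re.M)
    if m is None:
        raise ValueError("class %s with a plain { } block not found" % cls)
    return re.sub(r"#.*", "", m.group(1)).split()  # strip comments, tokenize

def expected_defines(text, cls):
    """Map CLASS__PERM to its access-vector bit (n-th permission: 1 << n)."""
    return {"%s__%s" % (cls.upper(), p.upper()): 1 << i
            for i, p in enumerate(class_perms(text, cls))}

def header_defines(header):
    """Parse '#define NAME 0x...UL' lines from av_permissions.h text."""
    pat = re.compile(r"^#define\s+(\w+)\s+(0x[0-9a-fA-F]+)UL\s*$", re.M)
    return {name: int(val, 16) for name, val in pat.findall(header)}

def audit(text, cls, header):
    """Return (missing, mismatched) define names for class `cls`."""
    want, have = expected_defines(text, cls), header_defines(header)
    missing = sorted(n for n in want if n not in have)
    mismatched = sorted(n for n in want if n in have and have[n] != want[n])
    return missing, mismatched

# Constructed header from before the change: only the first eight bits exist.
OLD_HEADER = "\n".join(
    "#define %s 0x%08xUL" % (n, v)
    for n, v in expected_defines(ACCESS_VECTORS, "nscd").items() if v < 0x100)

if __name__ == "__main__":
    missing, mismatched = audit(ACCESS_VECTORS, "nscd", OLD_HEADER)
    print("missing from header:", missing)
    print("bit value changed:  ", mismatched)
```

A non-empty "mismatched" list means an existing permission changed its bit, which is what happens when a new permission is inserted in the middle of the class instead of appended.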
-- Additional comment from firstname.lastname@example.org on 2007-07-10 10:28 EST --
We still need all this, yes.
-- Additional comment from email@example.com on 2007-07-11 11:24 EST --
QE ack for RHEL5.2.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.