Red Hat Bugzilla – Bug 446482
selinux policy prevents nscd to use krb5.conf
Last modified: 2008-05-19 20:30:07 EDT
I'm using kerberos/GSSAPI authentication for nss-ldap, and the default selinux
policy produces the message:
SELinux is preventing nscd (nscd_t) "getattr" to /etc/krb5.conf (krb5_conf_t).
Changing the type from krb5_conf_t to etc_t is enough to avoid the message.
Setting the SELinux enforcing mode to permissive also works, but produces
plenty of similar messages coming for different applications and source
contexts: polkit-read-aut, restorecond, pam_console_app.
You can allow this for now.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Fixed in selinux-policy-3.3.1-52.fc9.noarch
I've performed a new install, to get the minimal required policy, and now I get
some issues that seem more related to nscd itself.
Is there any way to load the text file generated by audit2allow? I intend to
enable them on the kickstart postinstall.
As the initially reported problem is actually solved, I'll close this ticket,
leaving the remaining problems for bug 446482, which I believe is the proper place.
The bug pointed to in the previous note was 446499.
Besides nscd_t, I've got similar messages, where the access is denied for
semanage_t and setroubleshootd_t going for krb5_conf_t.
OK, so I guess you have set up a situation where every confined application that
needs to use nsswitch now needs to read the kerberos configuration.
I will make this change in policy.
Fixed in selinux-policy-3.3.1-53.fc9.noarch
Can I download the updated package, to check that no more friends come to this
Should be available shortly in koji. I will be releasing it to updates-testing