I'm using Kerberos/GSSAPI authentication for nss-ldap, and the default SELinux policy produces the message: SELinux is preventing nscd (nscd_t) "getattr" to /etc/krb5.conf (krb5_conf_t). Changing the type from krb5_conf_t to etc_t is enough to avoid the message.
Setting the SELinux mode to permissive also works, but produces plenty of similar messages coming from different applications and source contexts: polkit-read-aut, restorecond, pam_console_app.
You can allow this for now:

  # audit2allow -M mypol -l -i /var/log/audit/audit.log
  # semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-52.fc9.noarch
I've performed a new install, to get the minimal required policy, and now I get some issues that seem more related to nscd itself. Is there any way to load the text file generated by audit2allow? I intend to enable them in the kickstart post-install.
As the initially reported problem is actually solved, I'll close this ticket, leaving the remaining problems for bug 446482, which I believe is the proper place.
The bug pointed to in the previous note was 446499. Besides nscd_t, I've got similar messages where access is denied for semanage_t and setroubleshootd_t going for krb5_conf_t.
Ok, so I guess you have set up a situation where every confined application that needs to use nsswitch now needs to read the Kerberos configuration. I will make this change in policy.

Fixed in selinux-policy-3.3.1-53.fc9.noarch
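What audit2allow does with the denials discussed above (the audit2allow/semodule commands in the earlier reply, the question about loading the generated text file from kickstart, and the extra semanage_t/setroubleshootd_t denials), as an added worked example that is not part of the bug report or of the selinux-policy package: parse raw audit.log AVC records, merge the denied permissions per (source type, target type, object class), and render a .te module in the shape audit2allow emits. The audit.log lines below are constructed for the example; only the domains nscd_t and setroubleshootd_t and the target krb5_conf_t are taken from the thread, and the module name mypol is assumed.

```python
"""Turn raw audit.log AVC denials into a minimal SELinux policy module (.te)."""
import re
from collections import defaultdict

# Constructed sample audit.log records (not copied from the bug report). The
# duplicate setroubleshootd_t line and the SYSCALL record show that repeats and
# non-AVC records must not produce extra rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1212000001.001:101): avc:  denied  { getattr } for  pid=2101 comm="nscd" path="/etc/krb5.conf" dev=sda2 ino=131345 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1212000002.002:102): avc:  denied  { read } for  pid=2101 comm="nscd" name="krb5.conf" dev=sda2 ino=131345 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1212000003.003:103): avc:  denied  { getattr } for  pid=2455 comm="setroubleshootd" path="/etc/krb5.conf" dev=sda2 ino=131345 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1212000003.003:103): avc:  denied  { getattr } for  pid=2455 comm="setroubleshootd" path="/etc/krb5.conf" dev=sda2 ino=131345 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1212000003.003:103): arch=c000003e syscall=4 success=no exit=-13 ...
"""

# One AVC denial: the braced permission list, then the source/target contexts
# (user:role:type:level) and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for all AVC denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no access-vector information
        src_type = m.group("scon").split(":")[2]   # third field of the context is the type
        tgt_type = m.group("tcon").split(":")[2]
        rules[(src_type, tgt_type, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def fmt_perms(perms):
    """A single permission is written bare; several are braced, as in policy source."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def render_module(rules, name, version="1.0"):
    """Render the merged rules as a .te source in the layout audit2allow produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    class_perms = defaultdict(set)          # every class/permission used must be required
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass].update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out.append("}")

    by_source = defaultdict(list)
    for (src, tgt, tclass), perms in sorted(rules.items()):
        by_source[src].append((tgt, tclass, perms))
    for src in sorted(by_source):
        out += ["", f"#============= {src} =============="]
        for tgt, tclass, perms in by_source[src]:
            out.append(f"allow {src} {tgt}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG), "mypol"), end="")
```

The rendered text is what `audit2allow -M mypol` writes to mypol.te before compiling it; saved into the kickstart tree, it can be built and loaded in %post with the same three steps `-M` runs: `checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod`, `semodule -i mypol.pp`. Note that such a module grants exactly the accesses that were denied and nothing less, so review each allow line before shipping it; the policy update in this thread is the preferable fix because it grants the krb5_conf_t read to all nsswitch users in one place instead of per-host local modules.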
Can I download the updated package, to check that no more friends come to this party?
Should be available shortly in koji. I will be releasing it to updates-testing tomorrow.