Bug 503595 - selinux denies read access to nsswitch.conf for ypbind
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-06-01 20:01 UTC by Jeff Moyer
Modified: 2009-06-02 20:55 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-06-02 12:32:01 UTC

Comment 1 Daniel Walsh 2009-06-02 12:32:01 UTC
nsswitch.conf is mislabeled.  Run restorecon on it to fix its context.  

If this file is created in an init script the initscript needs to make sure the file is labeled correctly just like it would need to make sure it has the right ownership and permissions.


So if this is a test it is a test bug, if it is a shipping initscript then the initscript needs to be fixed.

But this is not an SELinux bug.

Comment 2 Daniel Walsh 2009-06-02 12:32:40 UTC
*** Bug 503596 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Moyer 2009-06-02 13:39:56 UTC
I don't doubt that you are right, but I do have one further question.  The script does the following:

cp -f /etc/nsswitch.conf /etc/nsswitch.conf.orig
cp -f /testdir/nsswitch.conf /etc/nsswitch.conf

Can you just confirm that this sequence of commands is supposed to change the label of /etc/nsswitch.conf?

Thanks, Dan!

Comment 4 Daniel Walsh 2009-06-02 20:55:03 UTC
If /etc/nsswitch.conf exists, it should stay the same label as it was originally labeled.

So if it is labeled etc_t at the beginning, it should stay etc_t.
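
Added example, not part of the bug report or of the test script it discusses: a shell sketch showing why overwriting an existing file with cp keeps its label (the inode is reused) while replacing it by rename does not, so the second path needs restorecon. The function names and sample files are hypothetical, and GNU cp as shipped on RHEL is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample files).
# An SELinux label is stored on the inode, so the question "does the label
# survive?" reduces to "is the destination still the same inode?".

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Overwrite in place: GNU cp opens the existing destination and truncates it,
# so the inode and its security context stay as they were.
replace_in_place() {   # usage: replace_in_place SRC DST
    cp -f "$1" "$2"
}

# Reset the label to the policy default, only where SELinux is enabled.
relabel() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$1"
    fi
}

# Replace by rename: DST becomes a new inode carrying the label the staged
# copy was created with, so the script must relabel it itself.
replace_by_rename() {  # usage: replace_by_rename SRC DST
    tmp="$2.new.$$"
    cp "$1" "$tmp" && mv -f "$tmp" "$2" || return 1
    relabel "$2"
}

# Prints "same" or "changed" for DST's inode across the given method.
inode_effect() {       # usage: inode_effect METHOD SRC DST
    before=$(inode_of "$3")
    "$1" "$2" "$3" || return 1
    after=$(inode_of "$3")
    if [ "$before" = "$after" ]; then echo same; else echo changed; fi
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files\n' > "$d/nsswitch.conf"            # constructed
    printf 'passwd: files nis\n' > "$d/test-nsswitch.conf"   # constructed
    echo "cp -f:  inode $(inode_effect replace_in_place "$d/test-nsswitch.conf" "$d/nsswitch.conf")"
    echo "rename: inode $(inode_effect replace_by_rename "$d/test-nsswitch.conf" "$d/nsswitch.conf")"
    rm -rf "$d"
}
demo
```

On an SELinux host, `ls -Z /etc/nsswitch.conf` before and after each step shows the label directly.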

