Bug 503595 - selinux denies read access to nssitch.conf for ypbind
selinux denies read access to nssitch.conf for ypbind
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
: 503596 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2009-06-01 16:01 EDT by Jeff Moyer
Modified: 2009-06-02 16:55 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-06-02 08:32:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 1 Daniel Walsh 2009-06-02 08:32:01 EDT
nsswitch.conf is mislabeled.  Run restorecon on it to fix its context.  

If this file is created in an init script the initscript needs to make sure the file is labeled correctly just like it would need to make sure it has the right ownership and permissions.

So if this is a test it is a test bug, if it is a shipping initscript then the initscript needs to be fixed.

But this is not an SELinux bug.
Comment 2 Daniel Walsh 2009-06-02 08:32:40 EDT
*** Bug 503596 has been marked as a duplicate of this bug. ***
Comment 3 Jeff Moyer 2009-06-02 09:39:56 EDT
I don't doubt that you are right, but I do have one further question.  The script does the following:

cp -f /etc/nsswitch.conf /etc/nsswitch.conf.orig
cp -f /testdir/nsswitch.conf /etc/nsswitch.conf

Can you just confirm that this sequence of commands is supposed to change the label of /etc/nsswitch.conf?

Thanks, Dan!
Comment 4 Daniel Walsh 2009-06-02 16:55:03 EDT
If /etc/nsswitch.conf exist it should stay the same label as it was originally labeled.

So if it is labeled etc_t at the beginning, it should stay etc_t.

Note You need to log in before you can comment on or make changes to this bug.