nis+ support f nscd in targeted pol

Niki Waibel niki.waibel at newlogic.com
Thu Feb 24 17:59:38 UTC 2005


the audit2allow program has helped me to generate this file:
===
allow nscd_t unconfined_t:unix_stream_socket connectto;
        #EXE=/usr/sbin/nscd  PATH=/var/run/keyservsock   :  connectto
        #EXE=/usr/sbin/nscd  PATH=/var/run/keyservsock   :  connectto

allow nscd_t var_run_t:sock_file write;
        #EXE=/usr/sbin/nscd  NAME=keyservsock   :  write
        #EXE=/usr/sbin/nscd  NAME=keyservsock   :  write
        #EXE=/usr/sbin/nscd  NAME=keyservsock   :  write

allow nscd_t var_t:file { getattr read };
        #EXE=/usr/sbin/nscd  NAME=NIS_COLD_START   :  read
        #EXE=/usr/sbin/nscd  NAME=NIS_COLD_START   :  read
        #EXE=/usr/sbin/nscd  PATH=/var/nis/NIS_COLD_START   :  getattr
        #EXE=/usr/sbin/nscd  PATH=/var/nis/NIS_COLD_START   :  getattr
===
using that, nscd starts without trouble!

it still cannot get any nis+ data it seems.
no audit errors are produced...

i'll check that tomorrow.

niki

On 24-Feb-2005 Niki Waibel wrote:
> hi, i am new to selinux.
> 
> i usually extend redhat/fedora linux by nis-utils-1.4.1
> to access the NIS+ environment.
> 
> i've just found out that this is not configured in selinux
> of fc3 for nscd:
> ===
> Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
>         avc:  denied  { read } for  pid=20078 exe=/usr/sbin/nscd
>         name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
>         tcontext=root:object_r:var_t tclass=file
> ===
> so i guess that the /var/nis/NIS_COLD_START file has to be made
> available to the nscd command.
> 
> i tried the following (cheers russell coker):
> ===
> cd /etc/selinux/targeted/src/policy
> echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
> make load
> ===
> but now i get:
> ===
> Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
>         avc:  denied  { write } for  pid=8888 exe=/usr/sbin/nscd
>         name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
>         tcontext=user_u:object_r:var_run_t tclass=sock_file
> ===
> 
> i think that the /var/nis (NIS+) dir should be integrated
> into the targeted policy like the /var/yp (NIS) dir...
> 
> i've tried to add
>         /var/nis(/.*)? system_u:object_r:var_nis_t
> at several places, without success. (i am simply too new
> to all this selinux stuff...).
> 
> anyway, using >>allow nscd_t var_t:file { getattr read };<< now nscd
> seems to contact the keyserv program of the portmapper:
> ===
> # rpcinfo -p
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100029    1   udp    980  keyserv
>     100029    2   udp    980  keyserv
>     100024    1   udp  32772  status
>     100024    1   tcp  32776  status
>     100021    1   udp  32778  nlockmgr
>     100021    3   udp  32778  nlockmgr
>     100021    4   udp  32778  nlockmgr
>     100021    1   tcp  33060  nlockmgr
>     100021    3   tcp  33060  nlockmgr
>     100021    4   tcp  33060  nlockmgr
> ===
> 
> which seems to have an open socket at:
> # ls -la /var/run/keyservsock
> srw-rw-rw-  1 root root 0 Feb 24 04:58 /var/run/keyservsock
> 
> niki
> -- 
> niki w. waibel - system administrator @ newlogic technologies ag
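The rules in the message above are what audit2allow produces when it aggregates the quoted AVC denials: one allow rule per (source type, target type, object class), with the permissions merged and the originating exe/name kept as comments. The script below is an added example, not part of the thread and not the audit2allow code itself; it reproduces that aggregation over the two denials quoted in the thread (embedded here as constructed sample input, in the wrapped form they have on the page), so the result can be compared with the generated rules above. Field names (scontext, tcontext, tclass, exe, name, path) are the ones visible in the quoted kernel output; the record-unwrapping and the output layout are this example's own choices. One caveat a reviewer of such generated rules would raise: var_t and var_run_t are the generic labels for unlabelled content under /var and /var/run, so "allow nscd_t var_t:file { getattr read };" lets nscd read every file carrying that label, not just /var/nis/NIS_COLD_START; giving /var/nis its own type, as the original message tried, is the narrower fix.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the thread, kept in the
# wrapped form in which they appear on the page (continuation lines indented).
SAMPLE_AUDIT = """\
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
        avc:  denied  { read } for  pid=20078 exe=/usr/sbin/nscd
        name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
        tcontext=root:object_r:var_t tclass=file
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
        avc:  denied  { write } for  pid=8888 exe=/usr/sbin/nscd
        name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
        tcontext=user_u:object_r:var_run_t tclass=sock_file
"""

# Matches the "avc: denied { perms } for key=value ..." part of a kernel audit record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")


def unwrap(text):
    """Join indented continuation lines back onto the preceding audit record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def type_of(context):
    """Return the type field of a context such as root:system_r:nscd_t (user:role:type[:mls])."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one 'avc: denied' record into its permissions and key=value fields.
    Returns None for records that are not AVC denials."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        # newer kernels report path= instead of name=; accept either
        "name": fields.get("name") or fields.get("path"),
    }


def generate_rules(text):
    """Aggregate denials into TE allow rules keyed by (source type, target type, class).
    Returns {rule_text: [comment lines naming the exe/object/permission that caused it]}."""
    perms = defaultdict(set)
    origins = defaultdict(set)
    for rec in unwrap(text):
        d = parse_avc(rec)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        perms[key].update(d["perms"])
        for p in d["perms"]:
            origins[key].add(f"#EXE={d['exe']}  NAME={d['name']}   :  {p}")
    rules = {}
    for key in sorted(perms):
        stype, ttype, tclass = key
        plist = sorted(perms[key])
        # a single permission is written bare, several are braced, as in the thread
        ptext = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules[f"allow {stype} {ttype}:{tclass} {ptext};"] = sorted(origins[key])
    return rules


def render(rules):
    """Lay the rules out in the same shape as the generated file quoted above."""
    out = []
    for rule, comments in rules.items():
        out.append(rule)
        out.extend("        " + c for c in comments)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(generate_rules(SAMPLE_AUDIT)))
```

Run on the two quoted denials it emits the sock_file write rule and the var_t file read rule; a later getattr denial on the same (nscd_t, var_t, file) triple merges into "{ getattr read }" rather than producing a second rule, which is the de-duplication the thread's generated file shows.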