nis+ and selinux targeted (nscd/ntpd problems)
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 7 15:58:25 UTC 2005
Niki Waibel wrote:
>if you run FC3 and nis-utils-1.4.1 it is necessary to
>add the following in
> /etc/selinux/targeted/src/policy/domains/misc/custom.te
>to make nscd running properly:
>
>
This looks like you have a labeling problem. Have file_t files around
means that
you ran with SELinux disabled at some point. So you probably need to
relabel the
system.
touch /.autorelabel
reboot
will relabel.
The directories under /var/db could be relabeled via
restorecon -R -v /var/db
>===
>allow nscd_t file_t:file { read write };
> #EXE=/usr/sbin/nscd NAME=passwd : read write
>allow nscd_t file_t:file getattr;
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/passwd : getattr
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/group : getattr
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/hosts : getattr
>allow nscd_t var_t:file { getattr read };
> #EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
> #EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
>allow nscd_t var_run_t:sock_file write;
> #EXE=/usr/sbin/nscd NAME=keyservsock : write
>allow nscd_t unconfined_t:unix_stream_socket connectto;
> #EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
>===
>
>i dont know if
>===
>allow nscd_t file_t:file { read write };
>allow nscd_t file_t:file getattr;
>allow nscd_t var_t:file { getattr read };
>===
>are really a good choice ...
>
>nscd (if you have nisplus in /etc/nsswitch.conf) accesses
>the files in /var/db/nscd (getattr, read, write) and /var/nis.
>maybe there should be sthg like var_nis_t and var_db_nscd_t?
>
>i am not sure if /etc/{passwd,group,hosts} are accessed as well...
>
>using nis+ i've also figured out that ntpd needs some add rules:
>===
>allow ntpd_t var_t:file { getattr read };
> #EXE=/usr/sbin/ntpd NAME=NIS_COLD_START : read
> #EXE=/usr/sbin/ntpd PATH=/var/nis/NIS_COLD_START : getattr
>allow ntpd_t var_run_t:sock_file write;
> #EXE=/usr/sbin/ntpd NAME=keyservsock : write
>allow ntpd_t unconfined_t:unix_stream_socket connectto;
> #EXE=/usr/sbin/ntpd PATH=/var/run/keyservsock : connectto
>===
>
>can this be integrated into the std targeted policy?
>
>
More information about the fedora-selinux-list
mailing list