nis+ and selinux targeted (nscd/ntpd problems)

Daniel J Walsh dwalsh at redhat.com
Mon Mar 7 15:58:25 UTC 2005


Niki Waibel wrote:

>if you run FC3 and nis-utils-1.4.1 it is necessary to
>add the following in
> /etc/selinux/targeted/src/policy/domains/misc/custom.te
>to make nscd running properly:

This looks like you have a labeling problem.  Having file_t files around
means that you ran with SELinux disabled at some point.  So you probably
need to relabel the system.

touch /.autorelabel
reboot

will relabel.

The directories under /var/db could be relabeled via

restorecon -R -v /var/db

>===
>allow nscd_t file_t:file { read write };
>        #EXE=/usr/sbin/nscd  NAME=passwd   :  read write
>allow nscd_t file_t:file getattr;
>        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/passwd   :  getattr
>        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/group   :  getattr
>        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/hosts   :  getattr
>allow nscd_t var_t:file { getattr read };
>        #EXE=/usr/sbin/nscd  NAME=NIS_COLD_START   :  read
>        #EXE=/usr/sbin/nscd  PATH=/var/nis/NIS_COLD_START   :  getattr
>allow nscd_t var_run_t:sock_file write;
>        #EXE=/usr/sbin/nscd  NAME=keyservsock   :  write
>allow nscd_t unconfined_t:unix_stream_socket connectto;
>        #EXE=/usr/sbin/nscd  PATH=/var/run/keyservsock   :  connectto
>===
>
>i don't know if
>===
>allow nscd_t file_t:file { read write };
>allow nscd_t file_t:file getattr;
>allow nscd_t var_t:file { getattr read };
>===
>are really a good choice ...
>
>nscd (if you have nisplus in /etc/nsswitch.conf) accesses
>the files in /var/db/nscd (getattr, read, write) and /var/nis.
>maybe there should be something like var_nis_t and var_db_nscd_t?
>
>i am not sure if /etc/{passwd,group,hosts} are accessed as well...
>
>using nis+ i've also figured out that ntpd needs some additional rules:
>===
>allow ntpd_t var_t:file { getattr read };
>        #EXE=/usr/sbin/ntpd  NAME=NIS_COLD_START   :  read
>        #EXE=/usr/sbin/ntpd  PATH=/var/nis/NIS_COLD_START   :  getattr
>allow ntpd_t var_run_t:sock_file write;
>        #EXE=/usr/sbin/ntpd  NAME=keyservsock   :  write
>allow ntpd_t unconfined_t:unix_stream_socket connectto;
>        #EXE=/usr/sbin/ntpd  PATH=/var/run/keyservsock   :  connectto
>===
>
>can this be integrated into the std targeted policy?
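As an added example (my own code, not from the thread or from the Fedora policy sources): a small Python screen for a custom.te fragment of the kind quoted above, which separates rules that target file_t, the labeling problem Dan's reply says to fix with restorecon, from rules against policy-defined types, which are the ones worth proposing for the targeted policy. The regexes and the embedded SAMPLE text are assumptions reconstructed from the quoted mail.

```python
# Added example, not from the thread: screen a custom.te fragment (with the
# audit2allow-style PATH= comments quoted in the mail) for allow rules whose
# target type is file_t, i.e. unlabeled objects that want restorecon instead.
import re

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
PATH_RE = re.compile(r"^#EXE=\S+\s+PATH=(\S+)\s+:\s+(.+)$")

def parse_rules(text):
    """Parse allow rules; PATH= comments attach to the preceding rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append({"src": src, "tgt": tgt, "cls": cls,
                          "perms": perms.strip("{} ").split(), "paths": []})
            continue
        m = PATH_RE.match(line)
        if m and rules:
            rules[-1]["paths"].append(m.group(1))
    return rules

def labeling_problems(rules):
    """Rules targeting file_t: relabel the listed paths, don't allow them."""
    return [r for r in rules if r["tgt"] == "file_t"]

def relabel_commands(rules):
    """One restorecon invocation per path found under a file_t rule."""
    return sorted({f"restorecon -v {p}" for r in labeling_problems(rules)
                   for p in r["paths"]})

# Constructed sample: the nscd fragment from the mail, quote marks removed.
SAMPLE = """
allow nscd_t file_t:file { read write };
allow nscd_t file_t:file getattr;
        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/passwd   :  getattr
        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/group   :  getattr
        #EXE=/usr/sbin/nscd  PATH=/var/db/nscd/hosts   :  getattr
allow nscd_t var_t:file { getattr read };
        #EXE=/usr/sbin/nscd  PATH=/var/nis/NIS_COLD_START   :  getattr
allow nscd_t unconfined_t:unix_stream_socket connectto;
        #EXE=/usr/sbin/nscd  PATH=/var/run/keyservsock   :  connectto
"""

if __name__ == "__main__":
    for cmd in relabel_commands(parse_rules(SAMPLE)):
        print(cmd)
```

The remaining rules (var_t, var_run_t, unconfined_t targets) are the genuine policy gaps to raise on the list, as the original poster asks.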