Subject: RE: nis+ support f nscd in targeted pol (msg#00169)
The audit2allow program has helped me to generate this file:
===
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
===
Using that, nscd starts without trouble!
It still cannot get any NIS+ data, it seems.
No audit errors are produced...
I'll check that tomorrow.
niki
On 24-Feb-2005 Niki Waibel wrote:
> Hi, I am new to SELinux.
>
> I usually extend Red Hat/Fedora Linux with nis-utils-1.4.1
> to access the NIS+ environment.
>
> I've just found out that this is not configured in SELinux
> on FC3 for nscd:
> ===
> Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0):
> avc: denied { read } for pid=20078 exe=/usr/sbin/nscd
> name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t
> tcontext=root:object_r:var_t tclass=file
> ===
> So I guess that the /var/nis/NIS_COLD_START file has to be made
> available to the nscd command.
>
> I tried the following (cheers Russell Coker):
> ===
> cd /etc/selinux/targeted/src/policy
> echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
> make load
> ===
> But now I get:
> ===
> Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0):
> avc: denied { write } for pid=8888 exe=/usr/sbin/nscd
> name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t
> tcontext=user_u:object_r:var_run_t tclass=sock_file
> ===
>
> I think that the /var/nis (NIS+) dir should be integrated
> into the targeted policy like the /var/yp (NIS) dir...
>
> I've tried to add
> /var/nis(/.*)? system_u:object_r:var_nis_t
> in several places, without success. (I am simply too new
> to all this SELinux stuff...)
>
> Anyway, using >>allow nscd_t var_t:file { getattr read };<< nscd now
> seems to contact the keyserv program of the portmapper:
> ===
> # rpcinfo -p
> program vers proto port
> 100000 2 tcp 111 portmapper
> 100000 2 udp 111 portmapper
> 100029 1 udp 980 keyserv
> 100029 2 udp 980 keyserv
> 100024 1 udp 32772 status
> 100024 1 tcp 32776 status
> 100021 1 udp 32778 nlockmgr
> 100021 3 udp 32778 nlockmgr
> 100021 4 udp 32778 nlockmgr
> 100021 1 tcp 33060 nlockmgr
> 100021 3 tcp 33060 nlockmgr
> 100021 4 tcp 33060 nlockmgr
> ===
>
> which seems to have an open socket at:
> # ls -la /var/run/keyservsock
> srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock
>
> niki
> --
> niki w. waibel - system administrator @ newlogic technologies ag
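As an added example (not code from the thread, and not the audit2allow tool itself), the following Python script does in miniature what audit2allow did in the reply above: it parses AVC denial lines, unions the denied permissions per (source type, target type, class) and renders one allow rule per triple. It also flags rules whose target is a generic label such as var_t or var_run_t, because such a rule lets nscd_t read every file carrying that label, not just /var/nis/NIS_COLD_START; the dedicated var_nis_t label Niki was trying to add is the narrower fix. The sample input is constructed: the two denials posted in the thread, joined onto one line each, plus two lines built from the audit2allow comments (the getattr and connectto denials). GENERIC_TYPES is my own list, not one taken from the policy.

```python
"""Minimal audit2allow: turn SELinux AVC denials into allow rules.

Added example, not code from the thread or from audit2allow itself.
"""
import re
from collections import defaultdict

# Generic file types that cover large parts of the filesystem (assumed list).
# A rule that targets one of these grants access to every object carrying that
# label, not just the file named in the denial.
GENERIC_TYPES = {"var_t", "var_run_t", "var_lib_t", "etc_t", "tmp_t", "usr_t", "file_t"}

# Constructed sample input: the two denials posted in the thread, joined onto
# one line each, plus two lines built from the audit2allow comments.
SAMPLE_DENIALS = [
    "audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd "
    "name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t "
    "tcontext=root:object_r:var_t tclass=file",
    "audit(1109180114.179:0): avc: denied { getattr } for pid=20078 exe=/usr/sbin/nscd "
    "path=/var/nis/NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t "
    "tcontext=root:object_r:var_t tclass=file",
    "audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd "
    "name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t "
    "tcontext=user_u:object_r:var_run_t tclass=sock_file",
    "audit(1109264594.242:0): avc: denied { connectto } for pid=8888 exe=/usr/sbin/nscd "
    "path=/var/run/keyservsock scontext=root:system_r:nscd_t "
    "tcontext=root:system_r:unconfined_t tclass=unix_stream_socket",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return {'perms', 'stype', 'ttype', 'tclass', 'fields'} for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        # Contexts look like user:role:type[:level]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group("perms").split()), "stype": stype,
            "ttype": ttype, "tclass": tclass, "fields": fields}


def build_rules(lines):
    """Union denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            rules[(parsed["stype"], parsed["ttype"], parsed["tclass"])] |= parsed["perms"]
    return dict(rules)


def format_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule; a single permission needs no braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def render(rules):
    """Format all rules, flagging those whose target type is a broad generic label."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        rule = format_rule(stype, ttype, tclass, perms)
        if ttype in GENERIC_TYPES:
            rule += "  # WARNING: generic target type, give the path its own type instead"
        out.append(rule)
    return out


if __name__ == "__main__":
    for rule in render(build_rules(SAMPLE_DENIALS)):
        print(rule)
```

Run against the sample, the script reproduces the three rules from the reply above and marks the var_t and var_run_t ones as worth replacing with rules on a dedicated type. In practice you would feed it `grep avc: /var/log/messages` (or the audit log) rather than the embedded list.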