lists.arthurdejong.org

nslcd issue with selinux in enforcing mode


Hi,

   I have created the package nss-pam-ldapd for RHEL4.5, installed and configured it fine. The package works correctly, showing the users and groups from my LDAP without problems. Everything looks wonderful.

   What's the problem? I need to use nss-pam-ldapd with SELinux in enforcing mode, and I have some problems and would like some help.

When I try to log in with an LDAP user it fails. In the dmesg log I obtain several errors like this:

#> dmesg | grep -i nscd
audit(1313582752.782:29): avc:  denied  { write } for  pid=2943 comm="nscd" name="socket" dev=dm-0 ino=1409048 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file

   I looked for that inode and the label:

#> find /var/run -inum 1409048
/var/run/nslcd/socket
#> ls -alZ /var/run/nslcd/socket
srw-rw-rw-  root     root     system_u:object_r:var_run_t      socket
#> audit2allow -d | grep nscd
allow nscd_t var_run_t:sock_file write;

   I have relabeled the filesystem with "fixfiles relabel" and changed the label for "/var/run/nslcd/socket":

#> restorecon -R -v /var/run/nslcd
#> chcon -R -t nscd_var_run_t /var/run/nslcd

  That solved the initial problem, but after rebooting the system I get:

audit(1313713619.413:2): avc:  denied  { connectto } for  pid=2948 comm="nscd" name="socket" scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket

Have you got any idea what could be happening, or do I have to allow this access in SELinux directly?

Regards,

Moses.

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
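The two AVC records quoted in the post are the whole evidence an admin has to work from, so here is an added example (not part of the post or of nss-pam-ldapd) that parses audit AVC lines into their fields, emits the same allow rule audit2allow would print, and attaches a hint about whether the denial looks like a mislabelled file (fix with a label, as the poster did) or a peer process running without its own domain. The list of "generic" target types used for the hint is an assumption for illustration, not something the post states.

```python
import re

# Sample input: the two denials copied from the post above.
AVC_LINES = """\
audit(1313582752.782:29): avc:  denied  { write } for  pid=2943 comm="nscd" name="socket" dev=dm-0 ino=1409048 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file
audit(1313713619.413:2): avc:  denied  { connectto } for  pid=2948 comm="nscd" name="socket" scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: generic file types that usually mean "object not labelled
# for the daemon", i.e. a labelling fix is preferable to a new allow rule.
GENERIC_FILE_TYPES = {'var_run_t', 'var_t', 'etc_t', 'tmp_t', 'var_lib_t'}


def parse_avc(line):
    """Return the source/target types, class and permissions of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    type_of = lambda ctx: ctx.split(':')[2]  # user:role:type[:level] -> type
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rule(d):
    """Format the denial as the allow rule audit2allow would suggest."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['source_type'], d['target_type'], d['tclass'], perms)


def hint(d):
    """Heuristic classification of what the denial most likely means."""
    if d['tclass'] in ('sock_file', 'file', 'dir') and d['target_type'] in GENERIC_FILE_TYPES:
        return 'target carries a generic label; relabel it instead of adding an allow rule'
    if d['tclass'] == 'unix_stream_socket' and d['target_type'] == 'initrc_t':
        return 'peer process runs in initrc_t, i.e. no policy domain of its own'
    return 'no heuristic match; review the rule before allowing it'


def summarize(text):
    """Parse every AVC line in text into (allow rule, hint) pairs."""
    parsed = (parse_avc(l) for l in text.splitlines())
    return [(allow_rule(d), hint(d)) for d in parsed if d]
```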