Re: nslcd issue with selinux in enforcing mode

On Fri, 2011-08-19 at 13:14 +0200, Moisés Barba Pérez wrote:
> When I try to login with a ldap user fails. In the dmesg log I obtain
> several errors like this:
> 
> #> dmesg | grep -i nscd
> audit(1313582752.782:29): avc:  denied  { write } for  pid=2943
> comm="nscd" name="socket" dev=dm-0 ino=1409048
> scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:var_run_t
> tclass=sock_file

The socket file /var/run/nslcd/socket is used to communicate between the
NSS module and PAM modules on one end and the nslcd daemon on the other.

> That solves the initial problem but after reboot the system I get
> 
> audit(1313713619.413:2): avc:  denied  { connectto } for  pid=2948
> comm="nscd" name="socket" scontext=user_u:system_r:nscd_t
> tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
> 
> Have you got any idea what would be happening or have I to allow this
> access in selinux directly?????

Every time nslcd starts, a new socket is created (this is how named
sockets work).

I don't have much direct experience with SELinux but some similar policy
should already be in place for nscd so I guess some SELinux
configuration is missing for nslcd. Actually the NSS and PAM modules
need to be allowed to write to the socket. In the logs above it is the
nscd process that has loaded the nss_ldap module which tries to open a
connection to nslcd.

Hope this clarifies some things.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
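As an added example (my own code, not part of the thread and not part of nss-pam-ldapd), the following Python parses AVC denial records like the two quoted above, re-joins records that a mail client has wrapped across several lines, and sorts each denial into the two access patterns Arthur describes: the NSS/PAM client (running inside the nscd process) writing to the socket file, and that client connecting to the process listening on the socket. The sample input is the two records from the thread; the category names and the helper functions are my own.

```python
import re
from typing import Optional

# Constructed sample: the two denials quoted in the thread, wrapped over
# several lines the way they appear in the mail.
SAMPLE_DMESG = """\
audit(1313582752.782:29): avc:  denied  { write } for  pid=2943
comm="nscd" name="socket" dev=dm-0 ino=1409048
scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:var_run_t
tclass=sock_file
audit(1313713619.413:2): avc:  denied  { connectto } for  pid=2948
comm="nscd" name="socket" scontext=user_u:system_r:nscd_t
tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
"""

# Layout of an AVC denial record; search() is used so a leading
# "type=AVC msg=" prefix from auditd does not matter.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="nscd") or bare (tclass=sock_file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_records(text: str) -> list:
    """Re-join records that were wrapped across lines: a line that does not
    start a new record is a continuation of the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC denial record into a dict, or return None if the line
    is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Pull the type out of user:role:type[:level] for both contexts.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def triage(rec: dict) -> str:
    """Classify a denial against the two nslcd socket access patterns.
    Category names are my own, not SELinux terminology."""
    tclass = rec.get("tclass")
    perms = set(rec.get("perms", []))
    if tclass == "sock_file" and rec.get("name") == "socket" and "write" in perms:
        # The client must be allowed to write to the socket file itself
        # before it can connect through it.
        return "socket-file-write"
    if tclass == "unix_stream_socket" and "connectto" in perms:
        # The file is reachable but connecting to the listening process is
        # denied; tcontext here is the domain the daemon runs in.
        return "socket-connect"
    return "other"


def analyze(text: str) -> list:
    """Return (serial, category, source type, target type) per denial."""
    out = []
    for line in unwrap_records(text):
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append((rec["serial"], triage(rec),
                    rec.get("scontext_type"), rec.get("tcontext_type")))
    return out


if __name__ == "__main__":
    for serial, category, src, dst in analyze(SAMPLE_DMESG):
        print(f"#{serial}: {category}: {src} -> {dst}")
```

Running it on the sample prints one line per denial: the first is a write to a var_run_t socket file from nscd_t, the second a connect from nscd_t to a process in initrc_t. That second target type is the generic init-script domain, which is consistent with Arthur's guess that no nslcd-specific policy (and so no dedicated domain for the daemon) is installed; the parsed fields are what you would check against the policy module you end up adding.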