[Bug 491767] Review Request: nss-ldapd - An nsswitch module which uses directory servers

bugzilla at redhat.com bugzilla at redhat.com
Tue Apr 21 15:39:51 UTC 2009


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=491767
--- Comment #17 from Nalin Dahyabhai <nalin at redhat.com>  2009-04-21 11:39:50 EDT ---
(In reply to comment #16)
> Well, I figured out that my problems getting this to work simply go away with
> 'setenforce 0'.  Here are the complaints I see while running in permissive
> mode:
> 
> type=1400 audit(1240256724.128:55): avc:  denied  { write } for  pid=1712
> comm="nscd" name="socket" dev=dm-4 ino=409614
> scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:var_run_t:s0
> tclass=sock_file
> 
> type=1400 audit(1240256724.134:56): avc:  denied  { connectto } for  pid=1712
> comm="nscd" path="/var/run/nslcd/socket" scontext=system_u:system_r:nscd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> 
> The daemon started fine, but it seems that nothing could talk to it.  I guess
> some policy tweaks will be needed before this gets to the point of being
> useful.

Well, it can't talk to nscd, and nscd can't talk to it.  I'm having trouble
reproducing the case where this causes things to fail completely, but
temporarily stopping nscd should take these out of the picture.  (Until we get
a policy for it, the daemon's running as initrc_t, which is effectively
unconfined, so it shouldn't have difficulties itself.  BTW which policy version
do you have installed?)

> BTW, does Simo know you're packaging this for inclusion?  I thought SSSD was
> supposed to do the same thing in a different way.  

I'm pretty sure, yes.  It's pretty clear that SSSD won't replace nss_ldap or
its successors for 100% of cases.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
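Triage of the AVC records quoted in comment #16, as an added example that is not part of this bug thread or of the nss-ldapd package. The two audit lines are the ones from the comment, re-joined where the mail wrapped them. The parser pulls out the denied permission, the source and target types and the object class, then aggregates the denials into allow statements in the form that audit2allow prints, which is the first thing a packager looks at before deciding whether a rule belongs in policy. The function and variable names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in comment #16 of this bug, joined back onto
# single lines (the mail archive wrapped them at 80 columns).
SAMPLE_AUDIT_LINES = [
    'type=1400 audit(1240256724.128:55): avc:  denied  { write } for  pid=1712 '
    'comm="nscd" name="socket" dev=dm-4 ino=409614 '
    'scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=sock_file',
    'type=1400 audit(1240256724.134:56): avc:  denied  { connectto } for  pid=1712 '
    'comm="nscd" path="/var/run/nslcd/socket" scontext=system_u:system_r:nscd_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
]

# audit(<epoch seconds>:<serial>) lets you correlate the AVC with other
# records (SYSCALL, PATH) that share the same serial.
AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type (third colon-separated field) of an SELinux context
    such as system_u:system_r:nscd_t:s0."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one type=1400 audit line into a dict, or return None if the line
    is not an AVC record."""
    avc = AVC_RE.search(line)
    if not avc:
        return None
    fields = {}
    for kv in KV_RE.finditer(avc.group('rest')):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        fields[key] = quoted if quoted is not None else bare
    hdr = AUDIT_RE.search(line)
    return {
        'result': avc.group('result'),
        'perms': sorted(avc.group('perms').split()),
        'serial': int(hdr.group('serial')) if hdr else None,
        'fields': fields,
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }


def suggest_allow_rules(records):
    """Aggregate denials by (source type, target type, class) and render them
    as allow statements, the same shape audit2allow prints. These are a
    starting point for review, not rules to load as-is."""
    perms_by_key = defaultdict(set)
    for rec in records:
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        perms_by_key[key].update(rec['perms'])
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


def peers_without_own_domain(records):
    """Return the serials of denials whose target is initrc_t, i.e. the peer
    is a service still running in the generic init-script domain rather
    than in a domain of its own."""
    return [r['serial'] for r in records if r and r['target_type'] == 'initrc_t']


if __name__ == '__main__':
    recs = [parse_avc(line) for line in SAMPLE_AUDIT_LINES]
    for rule in suggest_allow_rules(recs):
        print(rule)
    print('denials against initrc_t peers:', peers_without_own_domain(recs))
```

The second rule the aggregation yields, an allow from nscd_t to initrc_t on unix_stream_socket, is the kind a reviewer should reject: initrc_t is the catch-all domain for services without policy, so permitting it would let nscd connect to any such service. The useful reading of that denial is the one in the reply above, that nslcd needs a domain of its own, at which point the rule can name nslcd's type instead.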