Enabling nscd with SELinux leads to AVC logs about Postfix and nscd


Issue

  • If nscd is started with SELinux enabled, AVC denials like the following are logged:

    type=MMAP msg=audit(1573121827.671:504): fd=9 flags=0x1
    type=SYSCALL msg=audit(1573121827.671:504): arch=c000003e syscall=9 success=yes exit=139970810851328 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=1458 pid=11370 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
    type=AVC msg=audit(1573121827.671:504): avc:  denied  { map } for  pid=11370 comm="cleanup" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
    
    type=MMAP msg=audit(1573127709.632:479): fd=5 flags=0x1
    type=SYSCALL msg=audit(1573127709.632:479): arch=c000003e syscall=9 success=yes exit=140258057723904 a0=0 a1=34fc8 a2=1 a3=1 items=0 ppid=89285 pid=89286 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1573127709.632:479): avc:  denied  { map } for  pid=89286 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
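
As an added example that is not part of the original article, the following Python parses the two AVC records above and groups them by target type, class and permission. It shows that both denials are the same `map` access on `nscd_var_run_t` from different source domains, and that `permissive=1` means the access was logged but not blocked. The function names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC records from the Issue section, copied verbatim from the page.
SAMPLE = '''type=AVC msg=audit(1573121827.671:504): avc:  denied  { map } for  pid=11370 comm="cleanup" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573127709.632:479): avc:  denied  { map } for  pid=89286 comm="chronyc" path="/var/db/nscd/hosts" dev="dm-3" ino=2113217 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(':')[2]

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source': selinux_type(fields['scontext']),
        'target': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def summarize(text):
    """Group denials by (target type, class, permission, permissive flag)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            groups[(rec['target'], rec['tclass'], perm, rec['permissive'])].add(rec['source'])
    return {key: sorted(sources) for key, sources in groups.items()}

if __name__ == '__main__':
    for (target, tclass, perm, permissive), sources in summarize(SAMPLE).items():
        mode = 'logged only (permissive)' if permissive else 'blocked (enforcing)'
        print(f'{perm} on {target}:{tclass} from {", ".join(sources)} -> {mode}')
```

To run it against a live system, pass the text of /var/log/audit/audit.log to summarize().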
    

Environment

  • Red Hat Enterprise Linux 7 and later
  • nscd
  • SELinux
