
SELinux Mailing List

(no subject)

From: Russell Coker <russell_at_coker.com.au>
Date: Sun, 24 Feb 2002 04:49:56 +0100


I have just created some rules for nscd (the name service caching daemon).

In domains/system/initrc.te I put the following:

domain_auto_trans(initrc_t, nscd_exec_t, nscd_t)

I put the following in file_contexts:

/usr/sbin/nscd                  system_u:object_r:nscd_exec_t

I have attached my nscd.te file.

I believe that the recent versions of nscd (and the matching library code in libc6) don't attempt to cache /etc/shadow data. If this isn't the case then it's a security issue which would have to be corrected on an SE system (or else nscd should not be run). I have to check this (don't have access to the source right now).

In a typical setup of nscd you will have a somewhat slow source of password data (LDAP or a SQL database) and the nscd will cache lookups so that "ls -l /tmp" doesn't take all day.

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).


Received on Sun 24 Feb 2002 - 07:37:25 EST
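One way to check which databases an nscd configuration caches, following the /etc/shadow concern raised in the message. This is an added example, not part of the original post or of nscd; the sample nscd.conf text is constructed, and the list of expected databases and the last-setting-wins handling are assumptions of the example.

```python
# Databases this example expects nscd to cache (an assumption of the
# example, not a list taken from the post).
EXPECTED = {"passwd", "group", "hosts", "services", "netgroup"}

# Constructed sample in nscd.conf syntax; not a file from the post.
SAMPLE_CONF = """\
# /etc/nscd.conf (constructed sample)
server-user             nscd
enable-cache            passwd  yes
positive-time-to-live   passwd  600
enable-cache            group   yes
enable-cache            hosts   no
enable-cache            shadow  yes   # must never be cached
"""


def cached_databases(conf_text):
    """Return the set of databases whose cache is enabled."""
    enabled = set()
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) != 3 or fields[0] != "enable-cache":
            continue
        database, value = fields[1], fields[2].lower()
        if value == "yes":
            enabled.add(database)
        else:
            # Assumption: a later "no" overrides an earlier "yes".
            enabled.discard(database)
    return enabled


def audit(conf_text):
    """Report cached databases and any outside the expected set."""
    enabled = cached_databases(conf_text)
    return {
        "cached": sorted(enabled),
        "unexpected": sorted(enabled - EXPECTED),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    print("cached:    ", ", ".join(report["cached"]))
    print("unexpected:", ", ".join(report["unexpected"]) or "none")
```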
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service