Per Sjoholm wrote:
> On CentOS 5.2
> # ypcat -k auto.home
> * asen20:/export/Server/homes/&
>
> yp seems to be working for clients. BUT
>
> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
> to procedure ypproc_match (oasen,auto_home;-4)
>
> dox and asen20 are the same machine (asen20 is a service IP address)
> cd /var/yp; make does not
> yp]# make
> gmake[1]: Entering directory `/var/yp/oasen'
> Updating passwd.byname...
> failed to send 'clear' to local ypserv: RPC: Timed out
> Updating passwd.byuid...
> .....
>
> [root@dox yp]# service ypbind restart
> Shutting down NIS services:                                [  OK  ]
> Turning off allow_ypbind SELinux boolean
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain:                                 [  OK  ]
> Listening for an NIS domain server..
>
> var log messages
> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root
> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>
> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Summary:
>   SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t).
>
> Detailed Description:
>   SELinux denied access requested by genhomedircon. It is not expected that this
>   access is required by genhomedircon and this access may signal an intrusion
>   attempt. It is also possible that the specific version or configuration of the
>   application is causing it to require additional access.
>
> Allowing Access:
>   You can generate a local policy module to allow this access - see FAQ
>   (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>   SELinux protection altogether. Disabling SELinux protection is not recommended.
>   Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>   against this package.
>
> Additional Information:
>
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:inaddr_any_node_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          <Unknown>
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
>                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      70aadaea-686d-45b6-a10e-f4d5909b49bf
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Summary:
>   SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t).
>
> Detailed Description:
>   SELinux denied access requested by genhomedircon. It is not expected that this
>   access is required by genhomedircon and this access may signal an intrusion
>   attempt. It is also possible that the specific version or configuration of the
>   application is causing it to require additional access.
>
> Allowing Access:
>   You can generate a local policy module to allow this access - see FAQ
>   (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>   SELinux protection altogether. Disabling SELinux protection is not recommended.
>   Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>   against this package.
>
> Additional Information:
>
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:hi_reserved_port_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          890
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
>                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Summary:
>   SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t).
>
> Detailed Description:
>   SELinux denied access requested by genhomedircon. It is not expected that this
>   access is required by genhomedircon and this access may signal an intrusion
>   attempt. It is also possible that the specific version or configuration of the
>   application is causing it to require additional access.
>
> Allowing Access:
>   You can generate a local policy module to allow this access - see FAQ
>   (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>   SELinux protection altogether. Disabling SELinux protection is not recommended.
>   Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>   against this package.
>
> Additional Information:
>
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:portmap_port_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          111
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
>                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

There is a bug in the ypbind script that is causing this problem. I believe there is a fix available in 5.3, but I am not sure. If you edit the /etc/init.d/ypbind script there is a bug when turning on or off the service. I believe there is a random "1" character in there. Removing this character will cause the AVC to disappear.
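The three raw AVC records quoted above are what a practitioner ends up triaging by hand before deciding whether a denial is noise, a packaging bug (as the reply concludes here) or something worth a local policy module. The following is an added example, not code from the thread, from setroubleshoot or from the ypbind package: a small Python parser that pulls the permission, source and target types, object class and port out of audit(8) AVC lines and collapses them into the allow rules audit2allow would propose. The sample input is the three AVC lines from the post plus one SYSCALL line, embedded as a constructed string with the host= prefix stripped; the regex group names and the helper function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the thread, with the
# "host=" prefix and ">" quoting removed, plus one SYSCALL record to show that
# non-AVC records are ignored by the parser.
AUDIT_LOG = """\
type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 comm="genhomedircon" exe="/usr/bin/python"
"""

# Field layout of a kernel AVC record as it appears in audit.log and in the
# sealert "Raw Audit Messages" section. Real logs put two spaces around
# "denied"; " +" tolerates either spacing. Group names are this example's own.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?P<extra>.*?) scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # Contexts are user:role:type[:level]; policy rules are written against the type.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        # bind denials carry src=<port>, connect denials carry dest=<port>.
        port = re.search(r'\b(?:src|dest)=(\d+)', rec["extra"])
        rec["port"] = int(port.group(1)) if port else None
        records.append(rec)
    return records


def allow_rules(records):
    """Collapse denials into audit2allow-style allow lines, one per (source, target, class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in grouped.items()
    )


def network_exposure(records):
    """List (source type, target type, port) for every socket-class denial.

    Anything returned here is a rule that would let the source domain bind or
    connect on the network; review it before it goes into a local module."""
    return [
        (r["stype"], r["ttype"], r["port"])
        for r in records
        if r["tclass"].endswith("_socket")
    ]


if __name__ == "__main__":
    recs = parse_avc(AUDIT_LOG)
    for r in recs:
        print("%s[%s]: %s -> %s:%s { %s } port=%s" % (
            r["comm"], r["pid"], r["stype"], r["ttype"], r["tclass"],
            " ".join(r["perms"]), r["port"]))
    print()
    print("\n".join(allow_rules(recs)))
```

Run against the quoted records this yields three rules granting semanage_t the right to bind to any local address on a reserved port (890) and to connect to the portmapper (111), which is what `audit2allow -a` would also offer. That is the check worth doing before accepting the sealert suggestion: a management domain acquiring network permissions because an init script toggles a boolean at the wrong moment is a script bug, as the reply says, not a missing policy rule.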