Re: service ypbind restart, denied access requested by genhomedircon

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
> On CentOS 5.2
> # ypcat -k auto.home
> * asen20:/export/Server/homes/&
> 
> yp seems to be working for clients. BUT
> 
> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
> to procedure ypproc_match (oasen,auto_home;-4)
> 
> dox and asen20 is same machine (asen20 is a service IPaddress)
> cd /var/yp; make does not
> yp]# make
> gmake[1]: Entering directory `/var/yp/oasen'
> Updating passwd.byname...
> failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
> .....
> 
> [root@dox yp]# service ypbind  restart
> Shutting down NIS services:                                [  OK  ]
> Turning off allow_ypbind SELinux boolean
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain:                                 [  OK  ]
> Listening for an NIS domain server..
> 
> var log messages
> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
> changed to 0 by root
> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
> changed to 1 by root
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
> 
> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
> (inaddr_any_node_t).
> 
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:inaddr_any_node_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          <Unknown>
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages          Policy RPM                   
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      70aadaea-686d-45b6-a10e-f4d5909b49bf
> Line Numbers                
> Raw Audit Messages          
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
> avc:  denied  { node_bind } for  pid=5378 comm="genhomedircon"
> scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
> 
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
> 
> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
> (hi_reserved_port_t).
> 
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:hi_reserved_port_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          890
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages          Policy RPM                   
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
> Line Numbers                
> Raw Audit Messages          
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
> avc:  denied  { name_bind } for  pid=5378 comm="genhomedircon" src=890
> scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
> 
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
> 
> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
> <Unknown>
> (portmap_port_t).
> 
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                root:system_r:semanage_t
> Target Context                system_u:object_r:portmap_port_t
> Target Objects                None [ tcp_socket ]
> Source                        genhomedircon
> Source Path                   /usr/bin/python
> Port                          111
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           python-2.4.3-21.el5
> Target RPM Packages          Policy RPM                   
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue Feb 24 14:08:17 2009
> Last Seen                     Tue Feb 24 14:12:48 2009
> Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
> Line Numbers                
> Raw Audit Messages          
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
> avc:  denied  { name_connect } for  pid=5378 comm="genhomedircon"
> dest=111 scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
> 
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
> 
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.

I believe there is a fix available in 5.3, But I am not sure.

If you edit the /etc/init.d/ypbind script there is a bug when turning on
or off the service.  I believe there is a random "1" character in there.
 Removing this character will cause the AVC to dissapear.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmkM+sACgkQrlYvE4MpobMx0QCeJT7vpNJwehH/RTz3hzyM3fP7
510AoI71enVc/62gfByCPKhi1E67I4e0
=Rg5H
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux