Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Per Sjoholm wrote:
On CentOS 5.2
# ypcat -k auto.home
* asen20:/export/Server/homes/&
yp seems to be working for clients. BUT
Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
to procedure ypproc_match (oasen,auto_home;-4)
dox and asen20 is same machine (asen20 is a service IPaddress)
cd /var/yp; make does not
yp]# make
gmake[1]: Entering directory `/var/yp/oasen'
Updating passwd.byname...
failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
.....
[root@dox yp]# service ypbind restart
Shutting down NIS services: [ OK ]
Turning off allow_ypbind SELinux boolean
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..
var log messages
Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
changed to 0 by root
Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
changed to 1 by root
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
# sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
Summary:
SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
(inaddr_any_node_t).
Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:semanage_t
Target Context system_u:object_r:inaddr_any_node_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
avc: denied { node_bind } for pid=5378 comm="genhomedircon"
scontext=root:system_r:semanage_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Summary:
SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
(hi_reserved_port_t).
Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:semanage_t
Target Context system_u:object_r:hi_reserved_port_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port 890
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
scontext=root:system_r:semanage_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Summary:
SELinux is preventing genhomedircon (semanage_t) "name_connect" to
<Unknown>
(portmap_port_t).
Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:semanage_t
Target Context system_u:object_r:portmap_port_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port 111
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
avc: denied { name_connect } for pid=5378 comm="genhomedircon"
dest=111 scontext=root:system_r:semanage_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.
I believe there is a fix available in 5.3, But I am not sure.
If you edit the /etc/init.d/ypbind script there is a bug when turning on
or off the service. I believe there is a random "1" character in there.
Removing this character will cause the AVC to dissapear.
Line 40
if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
did not help
Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
changed to 0 by root
Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
changed to 1 by root
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmkM+sACgkQrlYvE4MpobMx0QCeJT7vpNJwehH/RTz3hzyM3fP7
510AoI71enVc/62gfByCPKhi1E67I4e0
=Rg5H
-----END PGP SIGNATURE-----
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
