Re: service ypbind restart, denied access requested by genhomedircon

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
> 
> 
> Daniel J Walsh wrote:
> Per Sjoholm wrote:
>  
>>>> On CentOS 5.2
>>>> # ypcat -k auto.home
>>>> * asen20:/export/Server/homes/&
>>>>
>>>> yp seems to be working for clients. BUT
>>>>
>>>> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
>>>> to procedure ypproc_match (oasen,auto_home;-4)
>>>>
>>>> dox and asen20 is same machine (asen20 is a service IPaddress)
>>>> cd /var/yp; make does not
>>>> yp]# make
>>>> gmake[1]: Entering directory `/var/yp/oasen'
>>>> Updating passwd.byname...
>>>> failed to send 'clear' to local ypserv: RPC: Timed outUpdating
>>>> passwd.byuid
>>>> .....
>>>>
>>>> [root@dox yp]# service ypbind  restart
>>>> Shutting down NIS services:                                [  OK  ]
>>>> Turning off allow_ypbind SELinux boolean
>>>> Turning on allow_ypbind SELinux boolean
>>>> Binding to the NIS domain:                                 [  OK  ]
>>>> Listening for an NIS domain server..
>>>>
>>>> var log messages
>>>> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 0 by root
>>>> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 1 by root
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>>>> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>>>> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>>>> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>>>>
>>>> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "node_bind" to
>>>> <Unknown>
>>>> (inaddr_any_node_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:inaddr_any_node_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          <Unknown>
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
>>>> avc:  denied  { node_bind } for  pid=5378 comm="genhomedircon"
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_bind" to
>>>> <Unknown>
>>>> (hi_reserved_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:hi_reserved_port_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          890
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
>>>> avc:  denied  { name_bind } for  pid=5378 comm="genhomedircon" src=890
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
>>>> <Unknown>
>>>> (portmap_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:portmap_port_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          111
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
>>>> avc:  denied  { name_connect } for  pid=5378 comm="genhomedircon"
>>>> dest=111 scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
>>>> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>>
>>>>
>>>> -- 
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>     
> There is a bug in the ypbind script that is causing this problem.
> 
> I believe there is a fix available in 5.3, But I am not sure.
> 
> If you edit the /etc/init.d/ypbind script there is a bug when turning on
> or off the service.  I believe there is a random "1" character in there.
>  Removing this character will cause the AVC to dissapear.
>   
>> Line 40
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
>> did not help
>> Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
>> changed to 0 by root
>> Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
>> changed to 1 by root
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>> SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>> SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>> SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
>> Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
> 
>>
- --
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What is happening is the boolean is being turned off when the machine is
still in NIS Mode.  IE The kernel is still causing all getpw* calls to
bind to random ports.

If this machine is going to run with nis, you need to execute

setsebool -P allow_ypbind=1

Then with the fix, the script will not turn off the boolean.

This will prevent the random avc messages.

The script turning the boolean on, was just trying to help in the case
the user did not set the boolean permanently.

allow_ypbind is a bad boolean to set if you are not using NIS, since it
allows lots of confined applications to setup as services on any port
they want.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmlbVsACgkQrlYvE4MpobMUeQCgm5wrIkKGDWLXyfP/YWz7bK6/
Wg0AoMeeHfnlgdoSXOzT550OrtHiNBOe
=nXR/
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux