Bug 1534245
| Summary: | SELinux is preventing ypserv from write access on the {sock_file rpcbind.sock/tcp_socket port None} | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paweł Sikora <pawel_sikora> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-283.24.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-02-06 15:31:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8 selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8 i can't signup on FAS (why blacklisted email?) so i'll provide feedback here. new selinux policy fixes previous problems but shows a new one:
lut 02 10:43:44 dragon setroubleshoot[1598]: failed to retrieve rpm info for /var/yp/alatek.krakow.pl/group.byname
lut 02 10:43:44 dragon setroubleshoot[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname. For complete SELinux messages run: sealert -l 2cc07d43-fca2-4d25-802d-
lut 02 10:43:44 dragon python3[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ypserv should be allowed map access on the group.byname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv
# semodule -X 300 -i my-ypserv.pp
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |
Hi, on the fresh fedora-27 workstation the 'systemctl start ypserv' ends with an errors. is there any special selinux steps required for ypserv@fedora? Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock. For complete SELinux messages run: sealert -l bc7b78ad-4167-4066-b35 Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed write access on the rpcbind.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None. For complete SELinux messages run: sealert -l 20a5f398-1fd5-442f-88f Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed connect access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp # sealert -l 20a5f398-1fd5-442f-88f5-a5bd284dd7a9 SELinux is preventing ypserv from connect access on the tcp_socket port None. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed connect access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp Additional Information: Source Context system_u:system_r:ypserv_t:s0 Target Context system_u:system_r:ypserv_t:s0 Target Objects port None [ tcp_socket ] Source ypserv Source Path ypserv Port <Unknown> Host adminonly.alatek.krakow.pl Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.21.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name adminonly.alatek.krakow.pl Platform Linux adminonly.alatek.krakow.pl 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64 Alert Count 10 First Seen 2018-01-14 13:54:25 CET Last Seen 2018-01-14 13:54:25 CET Local ID 20a5f398-1fd5-442f-88f5-a5bd284dd7a9 Raw Audit Messages type=AVC msg=audit(1515934465.350:296): avc: denied { connect } for pid=2152 comm="ypserv" lport=632 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket permissive=0 Hash: ypserv,ypserv_t,ypserv_t,tcp_socket,connect