Bug 1534245

Summary: SELinux is preventing ypserv from write access on the {sock_file rpcbind.sock/tcp_socket port None}
Product: [Fedora] Fedora Reporter: Paweł Sikora <pawel_sikora>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-283.24.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-06 15:31:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Paweł Sikora 2018-01-14 13:25:18 UTC
Hi,

on the fresh fedora-27 workstation the 'systemctl start ypserv' ends with an errors. is there any special selinux steps required for ypserv@fedora?


Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock. For complete SELinux messages run: sealert -l bc7b78ad-4167-4066-b35
Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that ypserv should be allowed write access on the rpcbind.sock sock_file by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv
                                                          # semodule -X 300 -i my-ypserv.pp
                                                          
Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None. For complete SELinux messages run: sealert -l 20a5f398-1fd5-442f-88f
Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that ypserv should be allowed connect access on the port None tcp_socket by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv
                                                          # semodule -X 300 -i my-ypserv.pp




# sealert -l 20a5f398-1fd5-442f-88f5-a5bd284dd7a9
SELinux is preventing ypserv from connect access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ypserv should be allowed connect access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv
# semodule -X 300 -i my-ypserv.pp


Additional Information:
Source Context                system_u:system_r:ypserv_t:s0
Target Context                system_u:system_r:ypserv_t:s0
Target Objects                port None [ tcp_socket ]
Source                        ypserv
Source Path                   ypserv
Port                          <Unknown>
Host                          adminonly.alatek.krakow.pl
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     adminonly.alatek.krakow.pl
Platform                      Linux adminonly.alatek.krakow.pl
                              4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01
                              UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2018-01-14 13:54:25 CET
Last Seen                     2018-01-14 13:54:25 CET
Local ID                      20a5f398-1fd5-442f-88f5-a5bd284dd7a9

Raw Audit Messages
type=AVC msg=audit(1515934465.350:296): avc:  denied  { connect } for  pid=2152 comm="ypserv" lport=632 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket permissive=0


Hash: ypserv,ypserv_t,ypserv_t,tcp_socket,connect

Comment 1 Fedora Update System 2018-01-30 16:40:51 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 2 Fedora Update System 2018-01-31 22:44:45 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 3 Paweł Sikora 2018-02-02 11:20:19 UTC
i can't signup on FAS (why blacklisted email?) so i'll provide feedback here. new selinux policy fixes previous problems but shows a new one:

lut 02 10:43:44 dragon setroubleshoot[1598]: failed to retrieve rpm info for /var/yp/alatek.krakow.pl/group.byname
lut 02 10:43:44 dragon setroubleshoot[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname. For complete SELinux messages run: sealert -l 2cc07d43-fca2-4d25-802d-
lut 02 10:43:44 dragon python3[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname.
                                      
                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                      
                                      If you believe that ypserv should be allowed map access on the group.byname file by default.
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv
                                      # semodule -X 300 -i my-ypserv.pp

Comment 4 Fedora Update System 2018-02-06 15:31:16 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.