Bug 241621

Summary: ypserv cannot exec ypxfr on x86_64
Product: Red Hat Enterprise Linux 5
Reporter: Suzuki Takashi <suzuki-t>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 5.0
CC: ebenes
Target Milestone: ---
Keywords: OtherQA
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:39:50 UTC

Description Suzuki Takashi 2007-05-29 01:55:27 UTC
Description of problem:
When NIS maps are updated on the master server and they are yppush'ed,
the master server cannot hear from an EL5 x86_64 NIS slave server.
This problem causes an EL5 x86_64 server to be unusable
as a NIS slave server without any workarounds.
Details are shown below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
Always.

Steps to Reproduce:
On the NIS master server,
1. touch /var/yp/ypservers
2. make -C /var/yp

Actual results:
On the master server:
# make -C /var/yp
gmake[1]: Entering directory `/var/yp/dom'
Updating ypservers...
ypservers->slave: Callback timed out
gmake[1]: Leaving directory `/var/yp/dom'
gmake[1]: Entering directory `/var/yp/dom'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/var/yp/dom'

On the slave server:
May 15 11:17:40 slave ypserv[6142]: ypxfr execl(): Permission denied
May 15 11:17:42 slave setroubleshoot: SELinux is preventing /usr/sbin/ypserv
(ypserv_t) "execute_no_trans" access to /usr/lib64/yp/ypxfr (lib_t). For
complete SELinux messages. run sealert -l 3414333d-27a6-4a72-abf1-eb1e6767811a

Expected results:
No errors are reported from make on the master server and
no syslog entries are logged on the slave server.

Additional info:
I found /usr/lib64/yp/* are mis-labelled as lib_t.
/usr/lib64/yp/ypxfr must be labelled as system_u:object_r:ypxfr_exec_t and
/usr/lib64/yp/* should be labelled as system_u:object_r:bin_t.

So, there should be
/usr/lib64/yp/ypxfr     --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
in serefpolicy-2.4.6/modules/services/nis.fc and 
/usr/lib64/yp/.+                --      gen_context(system_u:object_r:bin_t,s0)
in serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc.

After labelling them manually by
# chcon system_u:object_r:bin_t /usr/lib64/yp/*
# chcon system_u:object_r:ypxfr_exec_t /usr/lib64/yp/ypxfr
selinux-policy-targeted-2.4.6-30.el5 didn't work because of some socket audits
but selinux-policy-targeted-2.4.6-71.el5 worked without errors.
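
Added example (not part of the original report or of the selinux-policy project): a POSIX shell check that compares labels under /usr/lib64/yp with the types the reporter names above. The sample listings and the file name makedbm are constructed for illustration; on a real host the input would come from stat -c '%n %C' /usr/lib64/yp/*.

```shell
#!/bin/sh
# Added example: audit /usr/lib64/yp labels against the types named in the report.
# Real input: stat -c '%n %C' /usr/lib64/yp/* | check_labels

# expected_type PATH: print the SELinux type the report says PATH should carry.
expected_type() {
    case "$1" in
        /usr/lib64/yp/ypxfr) echo ypxfr_exec_t ;;  # type requested for ypxfr
        /usr/lib64/yp/*)     echo bin_t ;;         # type requested for the rest
        *)                   echo "" ;;            # outside the audited directory
    esac
}

# check_labels: read "<path> <context>" lines on stdin, print one line per
# mismatch, and return 1 if any path carries the wrong type.
check_labels() {
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        # A context is user:role:type[:level]; the type is the third field.
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "MISLABELLED $path have=$have want=$want"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample listings (not captured from a real host).
sample_before() {
    echo "/usr/lib64/yp/ypxfr system_u:object_r:lib_t:s0"
    echo "/usr/lib64/yp/makedbm system_u:object_r:lib_t:s0"
}
sample_after() {
    echo "/usr/lib64/yp/ypxfr system_u:object_r:ypxfr_exec_t:s0"
    echo "/usr/lib64/yp/makedbm system_u:object_r:bin_t:s0"
}

sample_before | check_labels || echo "relabel needed"
```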

Comment 1 Daniel Walsh 2007-05-29 15:43:41 UTC
Fixed in selinux-policy 2.4.6-74

Comment 2 RHEL Program Management 2007-05-29 15:44:29 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Suzuki Takashi 2007-05-31 13:32:42 UTC
Thank you for your action.

Could you upload the version containing the fix somewhere, if it won't be
officially released soon?

Comment 5 Daniel Walsh 2007-05-31 19:43:54 UTC
Packages are available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 7 Eduard Benes 2007-08-22 13:45:25 UTC
Suzuki, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 8 Suzuki Takashi 2007-08-27 05:02:43 UTC
Sorry for the late reply.

Both of
selinux-policy-targeted-2.4.6-79.el5.noarch.rpm
selinux-policy-targeted-2.4.6-83.el5.noarch.rpm
work.
/usr/lib64/yp/* were relabelled on the upgrade to 2.4.6-79.

For double-checking, I tried
# chcon system_u:object_r:lib_t /usr/lib64/yp/*
# restorecon /usr/lib64/yp/*
and /usr/lib64/yp/* were relabelled correctly.

Thank you.

Comment 11 errata-xmlrpc 2007-11-07 16:39:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html