Bug 242179
Summary: | rpc.ypasswdd not allowed to bind to privileged port | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Habig, Alec <ahabig> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 6 | Keywords: | Reopened |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | | |
Fixed In Version: | Current | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2007-08-22 14:12:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | |
Description
Habig, Alec
2007-06-01 23:58:05 UTC
Fixed in selinux-policy-2.4.6-75

Been checking the fedora-updates-testing repository religiously for the last ten days, but no go. Could you please push the fixed policy rpms? I'll happily test them out. Thanks!

Having some infrastructure problems. You can grab the packages from http://people.redhat.com/dwalsh/SELinux/FC6. I will try to push it to testing today.

Great - I can confirm that this does fix it on my server, thanks!

Ok, I got it pushed to fc6 testing.

I hate to re-open this, but there are still bad interactions between selinux and rpc.yppasswd. When I tested that things worked with selinux-policy-2.4.6-75, I must have only checked that the port binding issue was resolved, rather than pushing through a complete cycle of password changing. The client can talk to the yppasswd server ok, but when the server daemon actually tries to update the passwd files, it fails:

```
Jun 27 15:38:15 lepton rpc.yppasswdd[4936]: update xxxx (uid=505) from host 192.168.1.1 failed
Jun 27 15:38:15 lepton rpc.yppasswdd[4936]: Can't open /etc/passwd.tmp: Permission denied
```

This time there's an AVC denial:

```
type=AVC msg=audit(1182976695.209:198): avc: denied { dac_override } for pid=4936 comm="rpc.yppasswdd" capability=1 scontext=user_u:system_r:yppasswdd_t:s0 tcontext=user_u:system_r:yppasswdd_t:s0 tclass=capability
type=SYSCALL msg=audit(1182976695.209:198): arch=40000003 syscall=5 success=no exit=-13 a0=8011f038 a1=242 a2=1b6 a3=80123b48 items=0 ppid=1 pid=4936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.yppasswdd" exe="/usr/sbin/rpc.yppasswdd" subj=user_u:system_r:yppasswdd_t:s0 key=(null)
```

An earlier attempt also had problems with another temp passwd file:

```
Jun 27 15:25:52 lepton rpc.yppasswdd[2754]: Cannot create backup file /etc/shadow.OLD: File exists
```

That one got an audit message of:

```
type=AVC msg=audit(1182975952.065:145): avc: denied { unlink } for pid=2754 comm="rpc.yppasswdd" name="shadow.OLD" dev=sda1 ino=1997849 scontext=system_u:system_r:yppasswdd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1182975952.065:145): arch=40000003 syscall=10 success=no exit=-13 a0=801f2050 a1=1 a2=80006428 a3=1 items=0 ppid=1 pid=2754 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.yppasswdd" exe="/usr/sbin/rpc.yppasswdd" subj=system_u:system_r:yppasswdd_t:s0 key=(null)
```

Not sure why this error doesn't happen all the time.

Ok, I will add the dac_override, but the /etc/shadow.OLD has the wrong context on it. It should be labeled shadow_t, not etc_runtime_t. Did some init script create the file? Something other than yppasswd?

I'm really not sure about shadow.OLD, since it only threw that error once and I couldn't duplicate it. A WHAG: I suspect it's a relic left around from something unrelated, perhaps running pwconv by hand long ago, which yppasswd (which presumably needs to run pwconv on its own to propagate its changes) collided with.

Fixed in selinux-policy-2.6.4-24

Is selinux-policy-2.6.4-24 the f7 version? My test system is fc6, running your first test version selinux-policy-2.4.6-75 from comment #1. Will be able to test it if it gets backported, but it'll be a while before my NIS servers get upgraded to the bleeding edge (they're production machines).

Fixed in current release
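The two AVC records in this thread illustrate two different root causes: a capability the yppasswdd_t domain simply lacks in policy, and a file carrying the wrong type. The following is an added example (not code from the bug or from the selinux-policy package) that parses the records quoted above and separates those two cases; the expected type for shadow.OLD is taken from the maintainer's comment, and the capability-number table is limited to the entries needed here.

```python
import re

# The two AVC records quoted in the bug report, re-joined from the line-wrapped text.
AVC_DAC_OVERRIDE = (
    'type=AVC msg=audit(1182976695.209:198): avc: denied { dac_override } for pid=4936 '
    'comm="rpc.yppasswdd" capability=1 scontext=user_u:system_r:yppasswdd_t:s0 '
    'tcontext=user_u:system_r:yppasswdd_t:s0 tclass=capability'
)
AVC_UNLINK = (
    'type=AVC msg=audit(1182975952.065:145): avc: denied { unlink } for pid=2754 '
    'comm="rpc.yppasswdd" name="shadow.OLD" dev=sda1 ino=1997849 '
    'scontext=system_u:system_r:yppasswdd_t:s0 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'
)

# Capability numbers from linux/capability.h; only the low entries relevant here.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
# Type the maintainer says this file should carry (from the bug discussion).
EXPECTED_FILE_TYPE = {"shadow.OLD": "shadow_t"}

_DENIED = re.compile(r"denied \{ ([^}]+) \}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into its permission set and key=value fields."""
    m = _DENIED.search(line)
    if not m:
        return None  # not an AVC denial (e.g. the paired SYSCALL record)
    rec = {"perms": m.group(1).split()}
    for key, val in _FIELD.findall(line):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type (the third field)."""
    return ctx.split(":")[2]


def classify(rec):
    """Distinguish a missing policy rule from a mislabeled file, as the thread does."""
    src = context_type(rec["scontext"])
    if rec["tclass"] == "capability":
        cap = CAP_NAMES.get(int(rec["capability"]), rec["capability"])
        return f"policy gap: {src} lacks {cap} ({', '.join(rec['perms'])})"
    if rec["tclass"] == "file":
        actual = context_type(rec["tcontext"])
        expected = EXPECTED_FILE_TYPE.get(rec.get("name", ""))
        if expected and actual != expected:
            return f"mislabeled file: {rec['name']} is {actual}, expected {expected}"
    return f"other: {src} denied {' '.join(rec['perms'])} on {rec['tclass']}"
```

The first record classifies as a policy gap (the fix the maintainer describes), the second as a labeling problem that a relabel, not a policy change, resolves.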