Bug 538992

Summary: SELinux prevented abrtd from using NIS (yp).
Product: [Fedora] Fedora
Reporter: Bernd Bartmann <bernd.bartmann>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:207a98de269ec41fd1cce5040e29b7cc1eee0808f8e50d3e2a542e6c43d7f616
Fixed In Version: 3.6.32-49.fc12
Doc Type: Bug Fix
Last Closed: 2009-12-01 16:40:39 UTC

Description Bernd Bartmann 2009-11-19 16:21:15 UTC
Summary:

SELinux prevented abrtd from using NIS (yp).

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux prevented abrtd from using NIS (yp) for authentication. If you have
configured the system to use NIS this access is expected but is not currently
allowed by SELinux. Otherwise this access may signal an intrusion.

Allowing Access:

Changing the "allow_ypbind" boolean to true will allow this access: "setsebool
-P allow_ypbind=1."

Fix Command:

setsebool -P allow_ypbind=1

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:var_yp_t:s0
Target Objects                ncc1701d.2 [ file ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-0.0.11-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ypbind
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
                              21:25:57 EST 2009 i686 i686
Alert Count                   2
First Seen                    Wed 18 Nov 2009 20:16:11 CET
Last Seen                     Wed 18 Nov 2009 20:16:11 CET
Local ID                      3ed36108-9ee6-4e50-ad3a-928917d483e1
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258571771.118:26): avc:  denied  { read } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1258571771.118:26): avc:  denied  { open } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258571771.118:26): arch=40000003 syscall=5 success=yes exit=9 a0=bf8cb810 a1=0 a2=a9bb75 a3=bf8cb810 items=0 ppid=1 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,allow_ypbind,abrtd,abrt_t,var_yp_t,file,read
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t var_yp_t:file { read open };

Comment 1 Daniel Walsh 2009-11-19 18:53:14 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-48.fc12.noarch
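
Added example, not part of the bug report and not audit2allow's own code: a minimal Python sketch of the triage step behind the workaround above. It groups the report's AVC records by source type, target type and class to rebuild the suggested allow rule, and uses the SYSCALL record of the same audit event to tell whether the access was actually blocked. The function names and the `success=yes` heuristic are assumptions of this example; the sample input is constructed from the report's event, shortened to the fields the code reads.

```python
import re
from collections import defaultdict

# Constructed sample: the three records of audit event 1258571771.118:26 from
# the report, shortened to the fields this example reads.
SAMPLE = '''\
type=AVC msg=audit(1258571771.118:26): avc:  denied  { read } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
type=AVC msg=audit(1258571771.118:26): avc:  denied  { open } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
type=SYSCALL msg=audit(1258571771.118:26): arch=40000003 syscall=5 success=yes exit=9 pid=1291 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0
'''

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\)')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def se_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(':')[2]

def summarize(log_text):
    """Return {(source_type, target_type, tclass): {"perms": [...], "blocked": bool}}."""
    succeeded = set()  # audit event ids whose SYSCALL record reports success=yes
    denials = defaultdict(lambda: {"perms": [], "events": set()})
    for line in log_text.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        if rtype == "SYSCALL" and " success=yes" in line:
            succeeded.add(event_id)
        elif rtype == "AVC":
            m = AVC.search(line)
            if m:
                perms, scon, tcon, tclass = m.groups()
                entry = denials[(se_type(scon), se_type(tcon), tclass)]
                entry["events"].add(event_id)
                entry["perms"] += [p for p in perms.split() if p not in entry["perms"]]
    # Heuristic (assumption): a logged denial whose syscall succeeded was not enforced.
    return {k: {"perms": v["perms"], "blocked": not v["events"] <= succeeded}
            for k, v in denials.items()}

def allow_rules(summary):
    """Render each grouped denial as a policy allow rule."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(v["perms"]))
            for (s, t, c), v in summary.items()]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```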

Comment 2 Fedora Update System 2009-11-23 23:37:29 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 3 Fedora Update System 2009-11-25 15:20:27 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 4 Fedora Update System 2009-12-02 04:32:00 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.