Bug 621365

Summary: oddjob-mkhomedir does not create homedir w/ NIS password

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.0 |
| Reporter | Rik van Riel <riel> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | borgan, dwalsh, mmalik, nalin, syeghiay |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | low |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | RHELNAK |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-36.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2010-11-10 21:36:00 UTC |
| Bug Depends On | 625455 |
Description

Rik van Riel 2010-08-04 20:38:19 UTC

```
# ypmatch riel passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash
```

A privileged NIS client is expected to issue requests from a source port below 1024 as a way of letting an NIS server know that it's privileged. This can be used for access control at the server.

Dan, based on our out-of-band conversation, I think we need to be letting confined processes which are allowed to be NIS clients bind to ports in this range (and connect to them, as that's usually where the servers are).

For reference, the dontaudit denials I get when I turn on logging for them:

```
type=AVC msg=audit(1280954860.258:50): avc: denied { name_connect } for pid=7464 comm="mkhomedir" dest=700 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280954860.255:49): avc: denied { name_bind } for pid=7464 comm="mkhomedir" src=856 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
```

---

Comment

Just to avoid misunderstandings, NIS can use either UDP or TCP, so I think we need to allow this for both UDP and TCP.

---

Comment

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

---

Comment

I have confirmed that this is indeed an SELinux problem. Running "setenforce 0" and then logging in causes my home directory to be created.

---

Comment

Miroslav, grab the `nis_use_ypbind_uncond` from rawhide.

---

Comment

Fixed in selinux-policy-3.7.19-36.el6.noarch.

---

Comment

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE.

You may reopen this bug report if the solution does not work for you.
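The two AVC records quoted in the report, parsed and merged into the single allow rule that audit2allow would propose from them, as an added example that is not code from the bug report or from the selinux-policy package; the log text is a constructed copy of the denials above, and the grouping by object class is what lets the same logic cover udp_socket denials too. The fix actually shipped in this bug used the `nis_use_ypbind_uncond` policy interface rather than a hand-written allow rule, so treat the generated rule as a diagnostic, not as the patch.

```python
import re
from collections import defaultdict

# Constructed sample input: the two dontaudit denials quoted in the bug report.
AVC_LOG = """\
type=AVC msg=audit(1280954860.258:50): avc: denied { name_connect } for pid=7464 comm="mkhomedir" dest=700 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280954860.255:49): avc: denied { name_bind } for pid=7464 comm="mkhomedir" src=856 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC record into a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A security context is user:role:type:range; the type is the third component.
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # name_bind records carry src=, name_connect records carry dest=.
        "port": int(fields.get("src") or fields.get("dest")),
    }


def summarize(log):
    """Merge denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(log):
    """Render the merged denials as SELinux allow rules, one per (source, target, class)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in summarize(log).items()
    )


def privileged_ports(log):
    """Ports below 1024 seen in the denials: the range the report says NIS clients must use."""
    return sorted({r["port"] for r in map(parse_avc, log.splitlines()) if r and r["port"] < 1024})
```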