Bug 741141

Summary: Selinux bool allow_ypbind gets turned off on reboot
Product: [Fedora] Fedora Reporter: David Highley <david.m.highley>
Component: ypbindAssignee: Honza Horak <hhorak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 16CC: dwalsh, harald, hhorak, johannbg, kay, kklic, lpoetter, metherid, mschmidt, notting, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ypbind-1.33-7.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-04 21:13:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Highley 2011-09-26 00:54:24 UTC 
Description of problem:
The selinux bool allow_ypbind is getting turned off during a reboot.

Version-Release number of selected component (if applicable):
systemd-35-1.fc16.x86_64

How reproducible:
Everytime

Steps to Reproduce:
1. setsebool -P allow_ypbind on
2. reboot or init 6
3. getsebool allow_ypbind
  
Actual results:


Expected results:


Additional info:
Comment 1 Michal Schmidt 2011-09-26 08:11:43 UTC 
systemd does not do that.
ypbind.service fiddles with it. Reassigning.
Comment 2 Fedora Update System 2011-09-26 12:45:11 UTC 
ypbind-1.33-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ypbind-1.33-7.fc16
Comment 3 Fedora Update System 2011-09-26 16:48:22 UTC 
Package ypbind-1.33-7.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ypbind-1.33-7.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/ypbind-1.33-7.fc16
then log in and leave karma (feedback).
Comment 4 Daniel Walsh 2011-09-26 17:30:04 UTC 
I think we should just remove this functionality.

This never worked that well in the init script, users should just turn on the boolean or move to sssd for resolution which is the real secure way to do this.
Comment 5 Honza Horak 2011-09-27 07:04:42 UTC 
(In reply to comment #4)
> I think we should just remove this functionality.
> 
> This never worked that well in the init script, users should just turn on the
> boolean or move to sssd for resolution which is the real secure way to do this.

Oh, I haven't leave a comment here, but turning off allow_ypbind is now removed at all, since it isn't used in F15 or F14. 

OTOH, turning on allow_ypbind is still used, in the same way as in F15 and F14. Do you think this should be removed too? 

Personally, I think many users would be confused if we do that, since authconfig doesn't turn the boolean on (and is probably widely used to configure NIS) and IMHO shouldn't do that.
Comment 6 Daniel Walsh 2011-09-27 13:27:04 UTC 
The problem with turning this boolean on in the ypbind init script or systemctl is that it is too late.  authconfig is where it should be turned on.
Comment 7 Honza Horak 2011-09-27 14:01:52 UTC 
(In reply to comment #6)
> The problem with turning this boolean on in the ypbind init script or systemctl
> is that it is too late.  authconfig is where it should be turned on.

Sounds reasonable. I've reported this RFE as a bug #741646 and will let this bug closed.
Comment 8 Fedora Update System 2011-10-04 21:13:12 UTC 
ypbind-1.33-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.