Bug 741646

Summary: RFE: authconfig should turn on allow_ypbind SELinux boolean
Product: [Fedora] Fedora Reporter: Honza Horak <hhorak>
Component: authconfigAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: tmraz
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: authconfig-6.2.3-1.fc18 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-08 11:46:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Honza Horak 2011-09-27 13:59:33 UTC 
Description of problem:
At the present time ypbind init script (or systemd unit file in F16+) turns on allow_ypbind SELinux boolean before starting the ypbind binary. So, this variable is changed every-time when ypbind is started.

It seems to be more correct if this variable is turned on only once -- by authconfig during configuring NIS or by user explicitly. 

Version-Release number of selected component (if applicable):
authconfig-6.1.16-1

Steps to Reproduce:
1. su -c 'authconfig-tui'
2. set NIS client
3. allow_ypbind should be turned on before starting ypbind client
  
Actual results:
allow_ypbind is not changed

Expected results:
allow_ypbind is turned on
Comment 1 Tomas Mraz 2011-09-27 14:10:02 UTC 
What if the user starts the ypbind manually without using authconfig?
Why not first test the boolean and then enable it if it is not yet enabled if you do not want to enable it multiple times unnecessarily?
Comment 2 Honza Horak 2011-09-27 14:28:00 UTC 
(In reply to comment #1)
> What if the user starts the ypbind manually without using authconfig?

Then the user also have to configure it manually (which means edit configure files and turning the boolean on permanently).

> Why not first test the boolean and then enable it if it is not yet enabled if
> you do not want to enable it multiple times unnecessarily?

Well, I don't see any difference between this solution and the present one, while allow_ypbind is turned on after this no matter what was its value before. Or do I miss something?
Comment 3 Tomas Mraz 2011-09-27 14:40:20 UTC 
If the user starts the daemon he probably wants to have the selinux boolean enabled. What would be the sense in starting the daemon then?
Comment 4 Honza Horak 2011-09-29 11:30:46 UTC 
It seems this is only my feeling that enabling selinux boolean is a configuration step and as such it should be done during configuring the service. 

But I don't have any strong argument for that and have no problem if turning on stays in systemd unit file.