Bug 839404

Summary: SELinux issues when enabling NIS
Product: Red Hat Enterprise Linux 6 Reporter: John W. Lockhart <lockhart>
Component: authconfigAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: abourne, mgrepl, tmraz
Target Milestone: rcKeywords: SELinux
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-11 11:07:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John W. Lockhart 2012-07-11 21:14:58 UTC 
Description of problem:

When authconfig is used to enable NIS via anaconda/kickstart, the SELinux context on /etc/yp.conf is incorrect.  Although NIS winds up enabled, the SELinux policy is not updated to allow use of NIS.

Version-Release number of selected component (if applicable):
authconfig-6.1.12-10.el6

How reproducible:
(Substitute your own servers for the Example entries below)
Create a Kickstart with the following:

authconfig --enablemd5 --enableshadow --enablenis --nisdomain example.com --nisserver nis.example.com --enablekrb5 --krb5realm EXAMPLE.COM

Steps to Reproduce:
1. Install a box via kickstart with an authconfig command similar to the above.
2. Ensure that SELinux is Enforcing and that auditd is installed and enabled
3. ssh into the resulting system
4. Check /var/log/messages and ls -lZ /etc/yp.conf
  
Actual results:
yp.conf has context: system_u:object_r:etc_t:s0
Lots of AVC messages involving sshd and dbus attempting to use bind/named_sockets.


Expected results:
yp.conf has context: system_u:object_r:net_conf_t:s0
No AVC messages.

Additional info:
This can be fixed or worked around by:
  restorecon /etc/yp.conf
  setsebool -P allow_ypbind 1
Comment 4 Tomas Mraz 2012-07-11 21:52:02 UTC 
The boolean is supposed to be set by the init script of ypbind.

Not sure about the context on yp.conf - running restorecon from authconfig doesn't seem to me as a the best way.
Comment 5 John W. Lockhart 2012-07-11 22:05:21 UTC 
In this case, ypbind wasn't actually started; thus setsebool wasn't executed.

authconfig does manipulate yp.conf, in /usr/share/authconfig/authinfo.py.  If that manipulation is causing a change of SELinux context, there's likely a fix to be made there.  Since authconfig is being called from kickstart here, I haven't been able to check what the original context of the file was.
Comment 6 Miroslav Grepl 2012-07-12 10:04:58 UTC 
This is a problem on RHEL6.3 without filename transition. Could we run the restorecon also in the init script?
Comment 7 Honza Horak 2012-07-12 13:30:13 UTC 
There is another bug #681134 similar to this one. John, can you confirm that the SELinux messages are the same and are emitted by dhclient-script?

There is also a patch attached to bug #681134, if you could reproduce this failure, does the patch fixes it?
Comment 8 John W. Lockhart 2012-07-12 17:00:42 UTC 
The messages I'm seeing are a result of not having started ypbind (and thus having setsebool run):

SELinux is preventing /bin/dbus-daemon from name_bind access on the tcp_socket
SELinux is preventing /bin/dbus-daemon from name_connect access on the tcp_socket
SELinux is preventing /usr/sbin/ntpdate from name_bind access on the tcp_socket
SELinux is preventing /usr/sbin/ntpdate from name_connect access on the tcp_socket
SELinux is preventing /usr/bin/procmail from name_bind access on the tcp_socket
SELinux is preventing /usr/bin/procmail from name_connect access on the tcp_socket

Not sure which fix (restorecon or setsebool) got rid of this one:
SELinux is preventing /usr/sbin/sshd from search access on the directory /var/yp

I'm not seeing any avc messages about dhclient in the logs, although /sbin/dhclient has been running just fine both before and after the restorecon/setsebool changes.

I did confirm that the ypbind rpm creates a yp.conf file with the correct context, by:
# rpm --nodeps --root /test_ypconf -ivh ypbind-1.20.4-29.el6.x86_64.rpm
and checking the ensuing /test_ypconf/etc/yp.conf file.

So something else is changing the context someplace.

From what I see in the logs, the sequence was:
  - Fresh 6.3 install
  - in %post, Configure RHN, run updates, install additional packages
  - reboot
  - observe AVC messages only after the reboot

But note that ypbind wasn't actually chkconfig'd to start on boot.  (That's on the list of things to address in the next revision of the %post for this machine.)
Comment 9 Honza Horak 2012-07-16 18:08:56 UTC 
(In reply to comment #6)
> This is a problem on RHEL6.3 without filename transition. Could we run the
> restorecon also in the init script?

We probably could, but if the messages appear even before ypbind is started, it should be called from authinfo.py script as John suggests, probably together with setsebool call. Is this a problem to do in authconfig for some reason?
Comment 10 Honza Horak 2012-07-17 14:08:58 UTC 
(In reply to comment #8)
> Not sure which fix (restorecon or setsebool) got rid of this one:
> SELinux is preventing /usr/sbin/sshd from search access on the directory
> /var/yp

I reproduced this with a kickstart containing authconfig command as mentioned above and then tried to use "setsebool -P allow_ypbind on" and "restorecon /etc/yp.conf" in %post section of the kickstart. Using setsebool is enough to get rid of all messages, so I'd say that wrong context is a different issue (btw. already reported separately in bug #681134, now we have even a reproducer for it).

Thinking a bit more about it, it doesn't make sense to have NIS configured using authconfig and not have allow_ypbind on. A bug proposing turning on it in authconfig already exists (bug #741646), but was closed as wontfix. Without that we can't get rid of such AVC messages before ypbind is started, so re-assigning back to authconfig, since I don't see a solution that can be made in ypbind.
Comment 11 Tomas Mraz 2012-07-19 13:31:19 UTC 
I just want to verify it again, just doing setsebool -P allow_ypbind 1 fixes the avcs for you?
Comment 12 RHEL Program Management 2012-09-07 05:26:01 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 14 RHEL Program Management 2013-10-14 00:34:17 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 15 Miroslav Grepl 2014-11-07 10:48:45 UTC 
(In reply to Honza Horak from comment #9)
> (In reply to comment #6)
> > This is a problem on RHEL6.3 without filename transition. Could we run the
> > restorecon also in the init script?
> 
> We probably could, but if the messages appear even before ypbind is started,
> it should be called from authinfo.py script as John suggests, probably
> together with setsebool call. Is this a problem to do in authconfig for some
> reason?

authconfig is unconfined domain.
Comment 16 Tomas Mraz 2016-08-11 11:07:03 UTC 
I am sorry but we are not going to fix this issue in RHEL-6.