Bug 874339

Summary: SELinux is preventing /usr/sbin/ypbind from 'search' accesses on the directory systemd.
Product: Fedora
Reporter: David Daney <ddaney>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, fheub, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:c034ad93ab463c723011e43af87ae5bf282192ee8bc7123422be9c7c087b1194
Doc Type: Bug Fix
Last Closed: 2013-07-04 13:54:31 UTC
Attachments: File: type; File: hashmarkername

Description David Daney 2012-11-08 00:08:34 UTC
Description of problem:
As root I run: systemctl restart ypbind.service and it fails due to SELinux being fubar.

Additional info:
libreport version: 2.0.18
kernel:         3.6.3-1.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/ypbind from 'search' accesses on the directory systemd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that ypbind should be allowed search access on the systemd directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ypbind_t:s0
:Target Context                system_u:object_r:init_var_run_t:s0
:Target Objects                systemd [ dir ]
:Source                        ypbind
:Source Path                   /usr/sbin/ypbind
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ypbind-1.36-7.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.3-1.fc17.x86_64 #1 SMP Mon Oct
:                              22 15:32:35 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-11-07 15:41:13 PST
:Last Seen                     2012-11-07 16:03:29 PST
:Local ID                      de9bb680-a931-4994-8cef-f2174dacb576
:
:Raw Audit Messages
:type=AVC msg=audit(1352333009.931:86): avc:  denied  { search } for  pid=1931 comm="ypbind" name="systemd" dev="tmpfs" ino=11633 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1352333009.931:86): arch=x86_64 syscall=sendmsg success=no exit=EACCES a0=8 a1=7fffe4579ca0 a2=4000 a3=7fffe4579a20 items=0 ppid=1 pid=1931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ypbind exe=/usr/sbin/ypbind subj=system_u:system_r:ypbind_t:s0 key=(null)
:
:Hash: ypbind,ypbind_t,init_var_run_t,dir,search
:
:audit2allow
:
:#============= ypbind_t ==============
:allow ypbind_t init_var_run_t:dir search;
:
:audit2allow -R
:
:#============= ypbind_t ==============
:allow ypbind_t init_var_run_t:dir search;
:
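To show what the report's sealert/audit2allow output is derived from, here is an added example (not part of the bug report or of setroubleshoot) that parses the raw AVC record above, extracts the source type, target type, object class and denied permission, and regenerates both the `audit2allow` rule and the `Hash:` line. The audit line is embedded as a constructed sample copied from the report; the function names are this example's own.

```python
import re

# Constructed sample: the two audit records quoted in the report (one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1352333009.931:86): avc:  denied  { search } for  pid=1931 comm="ypbind" name="systemd" dev="tmpfs" ino=11633 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1352333009.931:86): arch=x86_64 syscall=sendmsg success=no exit=EACCES ppid=1 pid=1931 uid=0 comm=ypbind exe=/usr/sbin/ypbind subj=system_u:system_r:ypbind_t:s0 key=(null)
"""

# Fields of an AVC record in the order the kernel emits them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the type (index 2) is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials(log_text):
    """All 'denied' AVC records in a block of audit.log text."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in parsed if r is not None and r["result"] == "denied"]


def allow_rule(rec):
    """The minimal allow rule audit2allow would emit for this denial."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)


def setroubleshoot_hash(rec):
    """The comm,source type,target type,class,perms tuple setroubleshoot reports as 'Hash:'."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])
```

Running it on the sample reproduces the report's `allow ypbind_t init_var_run_t:dir search;` and `ypbind,ypbind_t,init_var_run_t,dir,search` lines; the denial tuple is what to match against before deciding whether a local module is warranted or, as in this bug, whether the distribution policy already carries the fix.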

Comment 1 David Daney 2012-11-08 00:08:38 UTC
Created attachment 640480 [details]
File: type

Comment 2 David Daney 2012-11-08 00:08:40 UTC
Created attachment 640481 [details]
File: hashmarkername

Comment 3 David Daney 2012-11-08 00:10:40 UTC
I should add that ypbind worked just fine last week.  I installed updates today and it quits working like this.

Comment 4 Miroslav Grepl 2012-11-08 09:53:09 UTC
It has been fixed in the latest F17 policy which is available from updates-testing repo.

Comment 5 fheub 2012-11-12 08:00:43 UTC
1.) Boot and log into Fedora 17:

$ sudo systemctl --failed
UNIT                        LOAD   ACTIVE SUB    JOB DESCRIPTION
systemd-...es-setup.service loaded failed failed     Recreate Volatile Files and
ypbind.service              loaded failed failed     NIS/YP (Network Information

$ sudo systemctl status ypbind.service 
ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain Binder
	  Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
	  Active: failed (Result: timeout) since Mon, 12 Nov 2012 08:49:01 +0100; 2min 42s ago
	 Process: 1179 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1 (code=exited, status=0/SUCCESS)
	 Process: 1148 ExecStartPre=/usr/libexec/ypbind-pre-setdomain (code=exited, status=0/SUCCESS)
	Main PID: 1210
	  CGroup: name=systemd:/system/ypbind.service

Nov 12 09:47:31 host00.example.edu ypbind[1210]: syslog: unknown facility/p...
Nov 12 09:47:31 host00.example.edu ypbind[1210]: Permission denied
# Hostname/domain changed

2.) Try to restart failed services:

$ sudo systemctl restart ypbind.service 
Job failed. See system journal and 'systemctl status' for details.

3.) SEAlert pops up and causes this bug report


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 6 Miroslav Grepl 2012-11-12 08:26:50 UTC
Please execute

# yum update selinux-policy-targeted --enablerepo=updates-testing

Comment 7 fheub 2012-11-12 11:07:38 UTC
The update (comment #6) seems to be working for me - at least when setting SELinux back to enforcing and restarting:

$ sudo systemctl restart ypbind.service 

I did not yet try a reboot, though.

Thank you for the quick fix!

Comment 8 Fedora End Of Life 2013-07-04 07:45:34 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.