Bug 1492892 - rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ypserv
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Petr Kubat
QA Contact: Vaclav Danek
Jaroslav Klech
Depends On:
Blocks: 1549615
Reported: 2017-09-18 22:05 UTC by Eugene Keck
Modified: 2020-12-14 10:06 UTC (History)

Fixed In Version: ypserv-2.31-11.el7
Doc Type: Bug Fix
Doc Text:
`rpc.yppasswdd` now updates passwords also with *SELinux* disabled

Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario.
Clone Of:
Last Closed: 2018-10-30 07:56:35 UTC
Target Upstream Version:

proposed patch (6.07 KB, patch)
2018-01-09 08:07 UTC, Petr Kubat

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3047 0 None None None 2018-10-30 07:56:47 UTC

Description Eugene Keck 2017-09-18 22:05:04 UTC
Description of problem:
rpc.yppasswdd was not able to update the user password when selinux is disabled and passwd and shadow moved to a directory other than /etc/ and merged.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Disable SELinux 
2. Change the maps from /etc/ to /var/yp/files/
3. set MERGE_PASSWD=true

Actual results:
update local (uid=1000) from host failed
Can't get selinux context /var/yp/files/passwd: No data available
Error while changing the NIS password.

Expected results:
update local (uid=1000) from host successful.

Additional info:
If I use the default location of /etc/ or not merge passwd and shadow I was not able to reproduce this selinux check. It was only when I move them out of /etc/ and set MERGE_PASSWD to true that triggered this. This also works if I set selinux to permissive

Comment 3 Joe Pruett 2017-09-25 16:27:03 UTC
Seems to be broken with MERGE_PASSWD=false as well.

Comment 4 holger.berger 2017-10-02 14:05:10 UTC
There is an #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think like that you compile code that relies on enabled SELinux, calling stuff not working when SELinux is disabled at runtime.

Comment 5 Wayne Trzyna 2017-10-06 16:47:36 UTC
Note:  This bug was introduced in ypserv-2.31-10.el7.
A workaround is to replace rpc.yppasswdd with the previous
version from ypserv-2.31-9.el7_3.

Comment 8 Petr Kubat 2018-01-09 08:07:30 UTC
Created attachment 1378915 [details]
proposed patch

Comment 9 Petr Kubat 2018-01-09 08:08:13 UTC
yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it.

I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?
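
The runtime guard described in comment 9 and in the Doc Text, as an added example (not the attached patch and not ypserv code). Assumptions: all function names are hypothetical, the context is read straight from the security.selinux extended attribute, and the /proc/filesystems probe only approximates libselinux's is_selinux_enabled().

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

enum ctx_result { CTX_SKIPPED = 0, CTX_OK = 1, CTX_ERROR = -1 };

/* Assumption: SELinux counts as enabled when the running kernel
 * registers selinuxfs. This is a runtime test, unlike an #ifdef. */
int selinux_enabled_runtime(void)
{
    char line[128];
    int found = 0;
    FILE *f = fopen("/proc/filesystems", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (strstr(line, "selinuxfs")) { found = 1; break; }
    fclose(f);
    return found;
}

/* Copy the type field (third ':'-separated field) of "user:role:type:range". */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = strchr(ctx, ':');
    if (!p || !(p = strchr(p + 1, ':')))
        return -1;
    p++;
    size_t n = strcspn(p, ":");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Look up the SELinux type of path only when SELinux is enabled. */
enum ctx_result file_context_type(const char *path, int enabled,
                                  char *out, size_t outlen)
{
    char ctx[256];
    if (!enabled)
        return CTX_SKIPPED;   /* guard: no label lookup, update proceeds */
    ssize_t n = getxattr(path, "security.selinux", ctx, sizeof ctx - 1);
    if (n < 0)
        return CTX_ERROR;     /* e.g. ENODATA ("No data available") if unlabeled */
    ctx[n] = '\0';
    return context_type(ctx, out, outlen) == 0 ? CTX_OK : CTX_ERROR;
}
```

A caller would pass selinux_enabled_runtime() as the enabled argument and treat CTX_SKIPPED as "no label to compare", failing the update only on CTX_ERROR.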

Comment 10 Matej Mužila 2018-01-23 11:18:39 UTC
Hi, I'll look at it.

Comment 12 Bill Kanawyer 2018-02-22 18:35:56 UTC
This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7.

Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.

Comment 13 Aish Pushpangadan 2018-02-27 21:25:18 UTC
Please let us know on the status change on this bug as we have this same issue.

Comment 19 Matej Mužila 2018-05-09 09:38:13 UTC
Hi Petr,

I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.

Comment 20 Jaroslav Klech 2018-05-24 09:52:25 UTC
Hello Petr,

could you, please, check the doc_text and tell me whether it is still correct content-wise?

thank you


Comment 21 Petr Kubat 2018-05-24 10:09:12 UTC
Looks good to me

Comment 22 David Sanner 2018-06-20 18:57:23 UTC
I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

chcon -h system_u:object_r:bin_t:s0  /etc/yp/{shadow,passwd}

Note the location of my NIS files under /etc/yp, your location may vary.

This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64

Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.

Comment 26 errata-xmlrpc 2018-10-30 07:56:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

