Hi, on the fresh fedora-27 workstation the 'systemctl start ypserv' ends with an errors. is there any special selinux steps required for ypserv@fedora? Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock. For complete SELinux messages run: sealert -l bc7b78ad-4167-4066-b35 Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from write access on the sock_file rpcbind.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed write access on the rpcbind.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp Jan 14 13:54:31 adminonly.alatek.krakow.pl setroubleshoot[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None. For complete SELinux messages run: sealert -l 20a5f398-1fd5-442f-88f Jan 14 13:54:31 adminonly.alatek.krakow.pl python3[2035]: SELinux is preventing ypserv from connect access on the tcp_socket port None. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed connect access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp # sealert -l 20a5f398-1fd5-442f-88f5-a5bd284dd7a9 SELinux is preventing ypserv from connect access on the tcp_socket port None. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed connect access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp Additional Information: Source Context system_u:system_r:ypserv_t:s0 Target Context system_u:system_r:ypserv_t:s0 Target Objects port None [ tcp_socket ] Source ypserv Source Path ypserv Port <Unknown> Host adminonly.alatek.krakow.pl Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.21.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name adminonly.alatek.krakow.pl Platform Linux adminonly.alatek.krakow.pl 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64 Alert Count 10 First Seen 2018-01-14 13:54:25 CET Last Seen 2018-01-14 13:54:25 CET Local ID 20a5f398-1fd5-442f-88f5-a5bd284dd7a9 Raw Audit Messages type=AVC msg=audit(1515934465.350:296): avc: denied { connect } for pid=2152 comm="ypserv" lport=632 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket permissive=0 Hash: ypserv,ypserv_t,ypserv_t,tcp_socket,connect
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
i can't signup on FAS (why blacklisted email?) so i'll provide feedback here. new selinux policy fixes previous problems but shows a new one: lut 02 10:43:44 dragon setroubleshoot[1598]: failed to retrieve rpm info for /var/yp/alatek.krakow.pl/group.byname lut 02 10:43:44 dragon setroubleshoot[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname. For complete SELinux messages run: sealert -l 2cc07d43-fca2-4d25-802d- lut 02 10:43:44 dragon python3[1598]: SELinux is preventing ypserv from map access on the file /var/yp/alatek.krakow.pl/group.byname. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ypserv should be allowed map access on the group.byname file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ypserv' --raw | audit2allow -M my-ypserv # semodule -X 300 -i my-ypserv.pp
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.