Description of problem:

The default SELinux policy for FC4 breaks use of rsh with netgroups.

We run NIS. All our workstations are part of netgroup 'shfj':

    $ ypcat -k netgroup
    [...]
    shfj [...] (foobar,,) [...]
    [...]
    $ cat /etc/hosts.equiv
    #localhost
    +@shfj

We also have a special account (let's call this account 'special') and a netgroup of users called 'special_users':

    $ ypcat -k netgroup
    [...]
    special_users (,dimitri,) [...]
    [...]

Members of this 'special_users' group may log into account 'special' without password:

    special@localhost $ cat ~/.rhosts
    +@special_users +@special_users

We have enabled rsh on our FC4 workstations and added 'promiscuous' so that netgroups can be taken into account:

    $ cat /etc/xinetd.d/rsh
    [...]
    # disable = yes
    [...]
    $ cat /etc/pam.d/rsh
    [...]
    auth required pam_rhosts_auth.so promiscuous
    [...]

When not in enforcing mode rsh works as expected, it doesn't ask for a password when trying to rsh as user 'special':

    # setenforce 0
    dimitri@foobar $ rsh localhost -l special
    special@foobar $

It does prompt for the 'special' account password in enforcing mode:

    # setenforce 1
    dimitri@foobar $ rsh localhost -l special
    Password:

Users shouldn't be prompted for a password.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.14

How reproducible:
Always
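How the two trust files in the description decide a passwordless login for a given remote host and user, as an added example that is not part of the original report: a simplified model of rhosts-style matching of `+@netgroup` entries, with the netgroup table constructed from the triples quoted above. All function names are hypothetical; nested netgroups and negative (`-@`) entries are not modelled.

```python
# Added example: simplified model of hosts.equiv / .rhosts netgroup matching.
# NETGROUPS is constructed from the triples quoted in the report.
NETGROUPS = {
    "shfj": [("foobar", "", "")],
    "special_users": [("", "dimitri", "")],
}

def innetgr(group, host=None, user=None):
    """True if a (host, user, domain) triple matches; an empty field matches anything."""
    for t_host, t_user, _domain in NETGROUPS.get(group, []):
        if host is not None and t_host not in ("", host):
            continue
        if user is not None and t_user not in ("", user):
            continue
        return True
    return False

def field_matches(field, value, kind):
    """Match one trust-file field against a host name (kind='host') or user name."""
    if field == "+":                      # bare wildcard
        return True
    if field.startswith("+@"):            # netgroup reference
        return innetgr(field[2:], **{kind: value})
    return field == value                 # literal name

def entry_allows(line, rhost, ruser, luser):
    """Does this line trust ruser@rhost to log in as local account luser?"""
    line = line.strip()
    if not line or line.startswith("#"):  # blank or commented-out entry
        return False
    parts = line.split()
    host_field = parts[0]
    # With no user field, the remote and local user names must be identical.
    user_field = parts[1] if len(parts) > 1 else luser
    return (field_matches(host_field, rhost, "host")
            and field_matches(user_field, ruser, "user"))

def trusted(rhost, ruser, luser, hosts_equiv, rhosts):
    """Either file granting access is enough."""
    return any(entry_allows(l, rhost, ruser, luser) for l in hosts_equiv + rhosts)

HOSTS_EQUIV = ["#localhost", "+@shfj"]               # from the report
RHOSTS_SPECIAL = ["+@special_users +@special_users"]  # ~special/.rhosts from the report

if __name__ == "__main__":
    print(trusted("foobar", "dimitri", "special", HOSTS_EQUIV, RHOSTS_SPECIAL))
```

Because the `special_users` triple has an empty host field, the `.rhosts` line matches 'dimitri' from any host name, not only from members of 'shfj'.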
Created attachment 121759
/var/log/messages in permissive mode

Created attachment 121760
/var/log/messages in enforcing mode
Could you attach /var/log/audit/audit.log avc messages?
Created attachment 121965
relevant part of /var/log/audit/audit.log

For what it's worth, note that /usr/local (hence /usr/local/.rhosts) is not a local filesystem. /usr/local is exported by an IRIX NFS server and NFS-mounted.