From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7

Description of problem:
This appears to be a clone of 172374, except that 172374 is closed and supposedly fixed in the latest version; however, I'm still seeing it on a new FC4 install with all current updates.

Running yppush on the master server gets this on the FC4 slave:

type=AVC msg=audit(1141612015.023:13967): avc: denied { create } for pid=11773 comm="ypxfr" scontext=root:system_r:ypserv_t tcontext=root:system_r:ypserv_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1141612015.023:13967): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bf930ac8 a2=8cdff4 a3=ffffffe0 items=0 pid=11773 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ypxfr" exe="/usr/lib/yp/ypxfr"
type=SOCKETCALL msg=audit(1141612015.023:13967): nargs=3 a0=1 a1=1 a2=0
type=AVC msg=audit(1141612015.023:13968): avc: denied { connect } for pid=11773 comm="ypxfr" scontext=root:system_r:ypserv_t tcontext=root:system_r:ypserv_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1141612015.023:13968): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=bf930ac8 a2=8cdff4 a3=8c2af9 items=0 pid=11773 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ypxfr" exe="/usr/lib/yp/ypxfr"
type=SOCKADDR msg=audit(1141612015.023:13968): saddr=01002F7661722F72756E2F6E7363642F736F636B657400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1141612015.023:13968): nargs=3 a0=3 a1=bf930ada a2=6e
type=AVC msg=audit(1141612015.023:13969): avc: denied { read } for pid=11773 comm="ypxfr" name="nsswitch.conf" dev=md0 ino=112563 scontext=root:system_r:ypserv_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1141612015.023:13969): arch=40000003 syscall=5 success=yes exit=3 a0=8c23f8 a1=0 a2=1b6 a3=9f1b410 items=1 pid=11773 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ypxfr" exe="/usr/lib/yp/ypxfr"
type=CWD msg=audit(1141612015.023:13969): cwd="/var/yp"
type=PATH msg=audit(1141612015.023:13969): item=0 name="/etc/nsswitch.conf" flags=101 inode=112563 dev=09:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141612015.023:13970): avc: denied { getattr } for pid=11773 comm="ypxfr" name="nsswitch.conf" dev=md0 ino=112563 scontext=root:system_r:ypserv_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1141612015.023:13970): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf930c68 a2=8cdff4 a3=3 items=0 pid=11773 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ypxfr" exe="/usr/lib/yp/ypxfr"
type=AVC_PATH msg=audit(1141612015.023:13970): path="/etc/nsswitch.conf"

and the transfer fails.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.22

How reproducible:
Always

Steps to Reproduce:
1. Configure a FC4 NIS slave server
2. Set selinux to enforcing
3. Run yppush on the master server to push a map to the slave

Actual Results:
The push fails with: Transfer not done: RPC failure talking to server

Expected Results:
ypxfr on the slave should've been invoked to copy the map from the master.

Additional info:
ypxfr run manually on the slave works fine. With selinux in permissive mode it all works as expected.

I added this as a comment to bug 172374 but since that has status CLOSED CURRENTRELEASE, I'm worried it won't be noticed.

This is fixed in FC5, but will not be backported to FC5. Please disable protection for ypserv, and you should be able to run.

setsebool -P ypserv_disable_trans=1
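
The AVC records in the report above, reduced to the denied permissions per source type, target type and class, with the SOCKADDR record decoded to show which socket ypxfr tried to reach. This is an added example, not part of the original bug thread; the function names are hypothetical, and the sample keeps only the AVC and SOCKADDR lines from the report, with the saddr zero padding trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: AVC and SOCKADDR records taken from the report (saddr
# trailing zero padding trimmed; SYSCALL/CWD/PATH records left out).
SAMPLE = '''\
type=AVC msg=audit(1141612015.023:13967): avc: denied { create } for pid=11773 comm="ypxfr" scontext=root:system_r:ypserv_t tcontext=root:system_r:ypserv_t tclass=unix_stream_socket
type=AVC msg=audit(1141612015.023:13968): avc: denied { connect } for pid=11773 comm="ypxfr" scontext=root:system_r:ypserv_t tcontext=root:system_r:ypserv_t tclass=unix_stream_socket
type=SOCKADDR msg=audit(1141612015.023:13968): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000
type=AVC msg=audit(1141612015.023:13969): avc: denied { read } for pid=11773 comm="ypxfr" name="nsswitch.conf" dev=md0 ino=112563 scontext=root:system_r:ypserv_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1141612015.023:13970): avc: denied { getattr } for pid=11773 comm="ypxfr" name="nsswitch.conf" dev=md0 ino=112563 scontext=root:system_r:ypserv_t tcontext=system_u:object_r:etc_t tclass=file
'''

AVC_RE = re.compile(
    r'audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)')
SADDR_RE = re.compile(
    r'type=SOCKADDR msg=audit\([\d.]+:(?P<serial>\d+)\): saddr=(?P<hex>[0-9A-Fa-f]+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def decode_unix_saddr(hex_saddr):
    """Decode an AF_UNIX sockaddr as logged by auditd; None for other families."""
    raw = bytes.fromhex(hex_saddr)
    family = int.from_bytes(raw[:2], 'little')  # little-endian assumed (x86 host)
    if family != 1:  # 1 == AF_UNIX on Linux
        return None
    return raw[2:].split(b'\0', 1)[0].decode('ascii', 'replace')

def summarize(log_text):
    """Group denials by (source type, target type, class); map socket paths by event serial."""
    denials, sockets, by_serial = defaultdict(set), {}, {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m['s']), selinux_type(m['t']), m['c'])
            denials[key].update(m['perms'].split())
            by_serial[m['serial']] = key  # records of one event share the serial
            continue
        m = SADDR_RE.search(line)
        if m and m['serial'] in by_serial:
            sockets[by_serial[m['serial']]] = decode_unix_saddr(m['hex'])
    return dict(denials), sockets
```

Run over the sample, the denied socket resolves to the nscd socket, which together with the denied reads of /etc/nsswitch.conf shows the blocked accesses are name-service lookups made by ypxfr in the ypserv_t domain.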