Bug 186223 - selinux errors after bind update
Summary: selinux errors after bind update
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Russell Coker
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-03-22 11:23 UTC by Chris Jones
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-04-29 21:15:39 UTC


Attachments (Terms of Use)

Description Chris Jones 2006-03-22 11:23:22 UTC
Description of problem:
After yesterdays named update i've had selinux errors

Version-Release number of selected component (if applicable):
selinux-policy-targeted 2.2.23-15
bind 30:9.3.2-10.FC5

How reproducible:
Not tried, suspect always

Steps to Reproduce:
1. Have yum installed and selinux enabled,
2. Update to latest versions
3. Wait
4. Note Selinux errors
  
Actual results:
audit(1143025106.799:2): avc:  denied  { search } for  pid=3213 comm="perl"
name="yp" dev=sda3 ino=12537932 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
audit(1143025106.799:3): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:4): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=845 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.803:5): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:6): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:7): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=846 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.803:8): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:9): avc:  denied  { search } for  pid=3213 comm="perl"
name="yp" dev=sda3 ino=12537932 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
audit(1143025106.819:10): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:11): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=847 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=tcp_socket
audit(1143025106.819:12): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:13): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:14): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=848 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.819:15): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


Expected results:
No selinux errors

Additional info

Comment 1 Daniel Walsh 2006-04-03 16:25:36 UTC
setsebool -P allow_ypbind=1

You look like you are running nis?

Comment 2 Chris Jones 2006-04-03 16:34:47 UTC
We are indeed, is it not set by system-config-authentication?

Comment 3 Daniel Walsh 2006-04-03 17:29:49 UTC
It should have been set by that tool.

Testing on my machines shows the boolean gets turned on.



Comment 4 Chris Jones 2006-04-29 21:15:39 UTC
Well the selinux errors seem to have gone away since setting the bool, its odd that it dident get set in the 
first place mind, given system-config-authentication was used to configure yp on this system.


Note You need to log in before you can comment on or make changes to this bug.