Bug 186223 - selinux errors after bind update
selinux errors after bind update
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
All Linux
medium Severity high
: ---
: ---
Assigned To: Russell Coker
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-22 06:23 EST by Chris Jones
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-29 17:15:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Jones 2006-03-22 06:23:22 EST
Description of problem:
After yesterdays named update i've had selinux errors

Version-Release number of selected component (if applicable):
selinux-policy-targeted 2.2.23-15
bind 30:9.3.2-10.FC5

How reproducible:
Not tried, suspect always

Steps to Reproduce:
1. Have yum installed and selinux enabled,
2. Update to latest versions
3. Wait
4. Note Selinux errors
  
Actual results:
audit(1143025106.799:2): avc:  denied  { search } for  pid=3213 comm="perl"
name="yp" dev=sda3 ino=12537932 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
audit(1143025106.799:3): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:4): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=845 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.803:5): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:6): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.803:7): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=846 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.803:8): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:9): avc:  denied  { search } for  pid=3213 comm="perl"
name="yp" dev=sda3 ino=12537932 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
audit(1143025106.819:10): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:11): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=847 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=tcp_socket
audit(1143025106.819:12): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:13): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
audit(1143025106.819:14): avc:  denied  { name_bind } for  pid=3213 comm="perl"
src=848 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit(1143025106.819:15): avc:  denied  { name_connect } for  pid=3213
comm="perl" dest=111 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


Expected results:
No selinux errors

Additional info
Comment 1 Daniel Walsh 2006-04-03 12:25:36 EDT
setsebool -P allow_ypbind=1

You look like you are running nis?
Comment 2 Chris Jones 2006-04-03 12:34:47 EDT
We are indeed, is it not set by system-config-authentication?
Comment 3 Daniel Walsh 2006-04-03 13:29:49 EDT
It should have been set by that tool.

Testing on my machines shows the boolean gets turned on.

Comment 4 Chris Jones 2006-04-29 17:15:39 EDT
Well the selinux errors seem to have gone away since setting the bool, its odd that it dident get set in the 
first place mind, given system-config-authentication was used to configure yp on this system.

Note You need to log in before you can comment on or make changes to this bug.