Bug 217725 - yp transfers via ypxfr don't work
yp transfers via ypxfr don't work
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-29 11:49 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.4.6-31
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-09 12:17:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2006-11-29 11:49:14 EST
Description of problem:

On the master:

Updating auto.home...
wind.cora.nwra.com: RPC failure talking to server
earth.cora.nwra.com: Master's version not newer

on the slave server:

Nov 29 09:45:56 wind kernel: audit(1164818756.021:21): avc:  denied  { read }
for  pid=23119 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281
scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.021:22): avc:  denied  { read }
for  pid=23119 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101
scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.029:23): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=32909 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.030:24): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=825 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:25): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=50061 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:26): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23119]: ypxfr: RPC failure talking to server
Nov 29 09:45:56 wind kernel: audit(1164818756.156:27): avc:  denied  { read }
for  pid=23120 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281
scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.157:28): avc:  denied  { read }
for  pid=23120 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101
scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.164:29): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=36839 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.164:30): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:31): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=37399 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:32): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=827 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23120]: ypxfr: RPC failure talking to server

[root@wind yp]# getsebool -a | grep yp
allow_ypbind --> on
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-3.fc6

How reproducible:
every time
Comment 1 Daniel Walsh 2006-11-29 13:06:12 EST
Could you try 

chcon -t ypxfr_exec_t /usr/lib/yp/ypxfr

And then try it again in permissive mode to collect any avc messages.

This is a problem in labeling which I will fix in 2.4.6-1

But I want to see if there are other problems.
Comment 2 Orion Poplawski 2006-11-29 13:29:58 EST
Yeah, still more after that change:

Nov 29 11:26:32 wind kernel: audit(1164824792.340:85): avc:  denied  { read
write } for  pid=24816 comm="ypxfr" name="[171487]" dev=sockfs ino=171487
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0
tclass=udp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:86): avc:  denied  { read
write } for  pid=24816 comm="ypxfr" name="[171492]" dev=sockfs ino=171492
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0
tclass=tcp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:87): avc:  denied  { read }
for  pid=24816 comm="ypxfr" name="mounts.byname" dev=dm-4 ino=65599
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:88): avc:  denied  { read }
for  pid=24816 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131260
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:89): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:90): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:91): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:92): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:93): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:94): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:95): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:96): avc:  denied  { getattr }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:97): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:98): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:99): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:100): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:101): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:102): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:103): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:104): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Comment 3 Orion Poplawski 2006-12-21 10:52:44 EST
With selinux-policy-2.4.6-13.fc6 still seeing:

Dec 20 15:02:52 wind kernel: audit(1166652172.157:7): avc:  denied  { read } for
 pid=6015 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=system_u:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 20 15:02:52 wind kernel: audit(1166652172.158:8): avc:  denied  { read } for
 pid=6015 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182
scontext=system_u:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0
tclass=file

And the transfers still don't work.
Comment 4 Daniel Walsh 2006-12-21 14:01:57 EST
Can you setenforce 0
try it and then send all the avc messages,

Thanks.,
Comment 5 Orion Poplawski 2006-12-21 14:18:51 EST
Dec 21 12:15:49 wind kernel: audit(1166728549.053:20): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.053:21): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.054:22): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:23): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:24): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.057:25): avc:  denied  { create }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:26): avc:  denied  { connect }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:27): avc:  denied  { write }
for  pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8
fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.059:28): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="[312735]" dev=sockfs ino=312735
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:29): avc:  denied  { read }
for  pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8
fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:30): avc:  denied  { bind }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:31): avc:  denied  { setopt }
for  pid=29082 comm="ypxfr" lport=850 scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:32): avc:  denied  { create }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:33): avc:  denied  { bind }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:34): avc:  denied  { connect }
for  pid=29082 comm="ypxfr" lport=42282 scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:35): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.068:36): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.075:37): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="yp.colorado-research.com" dev=dm-4 ino=65585
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:38): avc:  denied  { add_name
} for  pid=29082 comm="ypxfr" name="passwd.byname~"
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:39): avc:  denied  { create }
for  pid=29082 comm="ypxfr" name="passwd.byname~"
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.115:40): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.127:41): avc:  denied  {
remove_name } for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4
ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0
tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.128:42): avc:  denied  { rename }
for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.128:43): avc:  denied  { unlink }
for  pid=29082 comm="ypxfr" name="passwd.byname" dev=dm-4 ino=65574
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
Comment 6 Orion Poplawski 2006-12-21 15:45:12 EST
Also see this on the FC5 NIS master:


type=AVC msg=audit(1166728549.156:792591): avc:  denied  { getattr } for 
pid=13296 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=17918
scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file

Running in permissive mode and with selinux-policy-2.4.5-4.fc5
Comment 7 Orion Poplawski 2007-01-25 11:38:25 EST
With selinux-policy-2.4.6-27.fc6 in permissive mode I still see:

Jan 24 10:03:45 wind kernel: audit(1169658225.210:64): avc:  denied  { connect }
for  pid=13958 comm="ypxfr" lport=48172 scontext=system_u:system_r:ypxfr_t:s0
tcontext=system_u:system_r:ypxfr_t:s0 tclass=tcp_socket
Comment 8 Daniel Walsh 2007-01-25 14:20:16 EST
Fixed in selinux-policy-2.4.6-31
Comment 9 Orion Poplawski 2007-05-09 12:17:48 EDT
Confirmed fixed.

Note You need to log in before you can comment on or make changes to this bug.