Description of problem:
On the master:
Updating auto.home...
wind.cora.nwra.com: RPC failure talking to server
earth.cora.nwra.com: Master's version not newer

On the slave server:
Nov 29 09:45:56 wind kernel: audit(1164818756.021:21): avc: denied { read } for pid=23119 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281 scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.021:22): avc: denied { read } for pid=23119 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101 scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.029:23): avc: denied { connect } for pid=23119 comm="ypxfr" lport=32909 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.030:24): avc: denied { connect } for pid=23119 comm="ypxfr" lport=825 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:25): avc: denied { connect } for pid=23119 comm="ypxfr" lport=50061 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:26): avc: denied { connect } for pid=23119 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23119]: ypxfr: RPC failure talking to server
Nov 29 09:45:56 wind kernel: audit(1164818756.156:27): avc: denied { read } for pid=23120 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281 scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.157:28): avc: denied { read } for pid=23120 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101 scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.164:29): avc: denied { connect } for pid=23120 comm="ypxfr" lport=36839 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.164:30): avc: denied { connect } for pid=23120 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:31): avc: denied { connect } for pid=23120 comm="ypxfr" lport=37399 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:32): avc: denied { connect } for pid=23120 comm="ypxfr" lport=827 scontext=root:system_r:ypserv_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23120]: ypxfr: RPC failure talking to server

[root@wind yp]# getsebool -a | grep yp
allow_ypbind --> on
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-3.fc6

How reproducible:
every time
Could you try

chcon -t ypxfr_exec_t /usr/lib/yp/ypxfr

and then try it again in permissive mode to collect any avc messages. This is a problem in labeling which I will fix in 2.4.6-1, but I want to see if there are other problems.
Yeah, still more after that change:
Nov 29 11:26:32 wind kernel: audit(1164824792.340:85): avc: denied { read write } for pid=24816 comm="ypxfr" name="[171487]" dev=sockfs ino=171487 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=udp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:86): avc: denied { read write } for pid=24816 comm="ypxfr" name="[171492]" dev=sockfs ino=171492 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:87): avc: denied { read } for pid=24816 comm="ypxfr" name="mounts.byname" dev=dm-4 ino=65599 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:88): avc: denied { read } for pid=24816 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131260 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0 tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:89): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:90): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:91): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:92): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:93): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:94): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:95): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:96): avc: denied { getattr } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:97): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:98): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:99): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:100): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:101): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:102): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:103): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:104): avc: denied { search } for pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
With selinux-policy-2.4.6-13.fc6 still seeing:
Dec 20 15:02:52 wind kernel: audit(1166652172.157:7): avc: denied { read } for pid=6015 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571 scontext=system_u:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0 tclass=file
Dec 20 15:02:52 wind kernel: audit(1166652172.158:8): avc: denied { read } for pid=6015 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182 scontext=system_u:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file

And the transfers still don't work.
Can you setenforce 0, try it, and then send all the avc messages? Thanks.
Dec 21 12:15:49 wind kernel: audit(1166728549.053:20): avc: denied { read } for pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.053:21): avc: denied { getattr } for pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.054:22): avc: denied { read } for pid=29082 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:23): avc: denied { read } for pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:24): avc: denied { getattr } for pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.057:25): avc: denied { create } for pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:26): avc: denied { connect } for pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:27): avc: denied { write } for pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8 fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.059:28): avc: denied { getattr } for pid=29082 comm="ypxfr" name="[312735]" dev=sockfs ino=312735 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:29): avc: denied { read } for pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8 fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:30): avc: denied { bind } for pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:31): avc: denied { setopt } for pid=29082 comm="ypxfr" lport=850 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:32): avc: denied { create } for pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:33): avc: denied { bind } for pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:34): avc: denied { connect } for pid=29082 comm="ypxfr" lport=42282 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:35): avc: denied { write } for pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.068:36): avc: denied { read } for pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.075:37): avc: denied { write } for pid=29082 comm="ypxfr" name="yp.colorado-research.com" dev=dm-4 ino=65585 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:38): avc: denied { add_name } for pid=29082 comm="ypxfr" name="passwd.byname~" scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:39): avc: denied { create } for pid=29082 comm="ypxfr" name="passwd.byname~" scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.115:40): avc: denied { write } for pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.127:41): avc: denied { remove_name } for pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.128:42): avc: denied { rename } for pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.128:43): avc: denied { unlink } for pid=29082 comm="ypxfr" name="passwd.byname" dev=dm-4 ino=65574 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
Also see this on the FC5 NIS master:
type=AVC msg=audit(1166728549.156:792591): avc: denied { getattr } for pid=13296 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=17918 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Running in permissive mode and with selinux-policy-2.4.5-4.fc5
With selinux-policy-2.4.6-27.fc6 in permissive mode I still see:
Jan 24 10:03:45 wind kernel: audit(1169658225.210:64): avc: denied { connect } for pid=13958 comm="ypxfr" lport=48172 scontext=system_u:system_r:ypxfr_t:s0 tcontext=system_u:system_r:ypxfr_t:s0 tclass=tcp_socket
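The comments above collect permissive-mode AVC records in two formats (the kernel-log "audit(...): avc: denied" form and the auditd "type=AVC msg=audit(...)" form). The following triage helper, an added example that is not part of the bug report or of the selinux-policy package, parses both forms, collapses repeated denials to one entry per (source type, target type, class), and renders candidate allow rules so a reviewer can see at a glance which domain is missing which access; the sample records are copied from the comments above.

```python
import re
from collections import defaultdict

# Matches the denial part of both formats seen in this thread; the field list
# after "for" is key=value pairs, some of them quoted (comm="ypxfr", name="lib").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class) and union the perms,
    so the many repeated "search lib" lines collapse to a single entry."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

def format_rules(summary):
    """Render the summary as candidate allow rules for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

# Sample records copied from the comments in this bug (both log formats).
SAMPLE = [
    'Nov 29 11:26:32 wind kernel: audit(1164824792.341:89): avc: denied { search } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir',
    'Nov 29 11:26:32 wind kernel: audit(1164824792.342:96): avc: denied { getattr } for pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310 scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1166728549.156:792591): avc: denied { getattr } for pid=13296 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=17918 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'Nov 29 11:26:32 wind ypxfr[24816]: ypxfr: RPC failure talking to server',
]

if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE)):
        print(rule)
```

The rendered rules are a reading aid for deciding whether a denial is a labeling problem (as with ypxfr_exec_t above) or a genuinely missing policy rule; they are not meant to be loaded as-is.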
Fixed in selinux-policy-2.4.6-31
Confirmed fixed.