Bug 217725 - yp transfers via ypxfr don't work
Summary: yp transfers via ypxfr don't work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-29 16:49 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 2.4.6-31
Doc Type: Bug Fix
Last Closed: 2007-05-09 16:17:48 UTC
Description Orion Poplawski 2006-11-29 16:49:14 UTC
Description of problem:

On the master:

Updating auto.home...
wind.cora.nwra.com: RPC failure talking to server
earth.cora.nwra.com: Master's version not newer

on the slave server:

Nov 29 09:45:56 wind kernel: audit(1164818756.021:21): avc:  denied  { read }
for  pid=23119 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281
scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.021:22): avc:  denied  { read }
for  pid=23119 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101
scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.029:23): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=32909 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.030:24): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=825 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:25): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=50061 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.066:26): avc:  denied  { connect }
for  pid=23119 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23119]: ypxfr: RPC failure talking to server
Nov 29 09:45:56 wind kernel: audit(1164818756.156:27): avc:  denied  { read }
for  pid=23120 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=133281
scontext=root:system_r:ypserv_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.157:28): avc:  denied  { read }
for  pid=23120 comm="ypxfr" name="host.conf" dev=dm-0 ino=131101
scontext=root:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 29 09:45:56 wind kernel: audit(1164818756.164:29): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=36839 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.164:30): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=826 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:31): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=37399 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind kernel: audit(1164818756.206:32): avc:  denied  { connect }
for  pid=23120 comm="ypxfr" lport=827 scontext=root:system_r:ypserv_t:s0
tcontext=root:system_r:ypserv_t:s0 tclass=tcp_socket
Nov 29 09:45:56 wind ypxfr[23120]: ypxfr: RPC failure talking to server

[root@wind yp]# getsebool -a | grep yp
allow_ypbind --> on
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-3.fc6

How reproducible:
every time

Comment 1 Daniel Walsh 2006-11-29 18:06:12 UTC
Could you try

chcon -t ypxfr_exec_t /usr/lib/yp/ypxfr

and then try it again in permissive mode to collect any avc messages.

This is a problem in labeling which I will fix in 2.4.6-1.

But I want to see if there are other problems.

Comment 2 Orion Poplawski 2006-11-29 18:29:58 UTC
Yeah, still more after that change:

Nov 29 11:26:32 wind kernel: audit(1164824792.340:85): avc:  denied  { read
write } for  pid=24816 comm="ypxfr" name="[171487]" dev=sockfs ino=171487
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0
tclass=udp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:86): avc:  denied  { read
write } for  pid=24816 comm="ypxfr" name="[171492]" dev=sockfs ino=171492
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypserv_t:s0
tclass=tcp_socket
Nov 29 11:26:32 wind kernel: audit(1164824792.340:87): avc:  denied  { read }
for  pid=24816 comm="ypxfr" name="mounts.byname" dev=dm-4 ino=65599
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:88): avc:  denied  { read }
for  pid=24816 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131260
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Nov 29 11:26:32 wind kernel: audit(1164824792.341:89): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:90): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.341:91): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:92): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:93): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:94): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:95): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.342:96): avc:  denied  { getattr }
for  pid=24816 comm="ypxfr" name="lib" dev=dm-0 ino=98310
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:97): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:98): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:99): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:100): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.343:101): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:102): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:103): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Nov 29 11:26:32 wind kernel: audit(1164824792.344:104): avc:  denied  { search }
for  pid=24816 comm="ypxfr" name="/" dev=dm-3 ino=2
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir


Comment 3 Orion Poplawski 2006-12-21 15:52:44 UTC
With selinux-policy-2.4.6-13.fc6 still seeing:

Dec 20 15:02:52 wind kernel: audit(1166652172.157:7): avc:  denied  { read } for
 pid=6015 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=system_u:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 20 15:02:52 wind kernel: audit(1166652172.158:8): avc:  denied  { read } for
 pid=6015 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182
scontext=system_u:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0
tclass=file

And the transfers still don't work.

Comment 4 Daniel Walsh 2006-12-21 19:01:57 UTC
Can you setenforce 0, try it and then send all the avc messages?

Thanks.

Comment 5 Orion Poplawski 2006-12-21 19:18:51 UTC
Dec 21 12:15:49 wind kernel: audit(1166728549.053:20): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.053:21): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="ld.so.cache" dev=dm-0 ino=131571
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:ld_so_cache_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.054:22): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="ld-2.5.so" dev=dm-0 ino=100182
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:23): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.055:24): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="resolv.conf" dev=dm-0 ino=131090
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:net_conf_t:s0
tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.057:25): avc:  denied  { create }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:26): avc:  denied  { connect }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.057:27): avc:  denied  { write }
for  pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8
fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.059:28): avc:  denied  { getattr }
for  pid=29082 comm="ypxfr" name="[312735]" dev=sockfs ino=312735
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:29): avc:  denied  { read }
for  pid=29082 comm="ypxfr" laddr=192.168.0.9 lport=36052 faddr=192.168.0.8
fport=53 scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:30): avc:  denied  { bind }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.060:31): avc:  denied  { setopt }
for  pid=29082 comm="ypxfr" lport=850 scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:32): avc:  denied  { create }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.066:33): avc:  denied  { bind }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:34): avc:  denied  { connect }
for  pid=29082 comm="ypxfr" lport=42282 scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.067:35): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.068:36): avc:  denied  { read }
for  pid=29082 comm="ypxfr" name="[312739]" dev=sockfs ino=312739
scontext=root:system_r:ypxfr_t:s0 tcontext=root:system_r:ypxfr_t:s0
tclass=tcp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.075:37): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="yp.colorado-research.com" dev=dm-4 ino=65585
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:38): avc:  denied  { add_name
} for  pid=29082 comm="ypxfr" name="passwd.byname~"
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.076:39): avc:  denied  { create }
for  pid=29082 comm="ypxfr" name="passwd.byname~"
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.115:40): avc:  denied  { write }
for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.127:41): avc:  denied  {
remove_name } for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4
ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0
tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.128:42): avc:  denied  { rename }
for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4 ino=65583
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=file
Dec 21 12:15:49 wind kernel: audit(1166728549.128:43): avc:  denied  { unlink }
for  pid=29082 comm="ypxfr" name="passwd.byname" dev=dm-4 ino=65574
scontext=root:system_r:ypxfr_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file


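The denials in this thread are what a policy maintainer feeds to audit2allow; as an added illustration (not code from the bug or from selinux-policy), the Python below parses AVC records in the syslog-wrapped form posted above, merges them by source type, target type and object class, and renders the permissions each domain was refused in allow-rule form. The sample log is constructed from three of the records in Comment 5, including one whose permission set is split across a line break.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog-wrapped format shown in the bug; a record
# spans several lines and the permission set can break across a line.
SAMPLE_LOG = """\
Dec 21 12:15:49 wind kernel: audit(1166728549.057:25): avc:  denied  { create }
for  pid=29082 comm="ypxfr" scontext=root:system_r:ypxfr_t:s0
tcontext=root:system_r:ypxfr_t:s0 tclass=udp_socket
Dec 21 12:15:49 wind kernel: audit(1166728549.076:38): avc:  denied  { add_name
} for  pid=29082 comm="ypxfr" name="passwd.byname~"
scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0 tclass=dir
Dec 21 12:15:49 wind kernel: audit(1166728549.127:41): avc:  denied  {
remove_name } for  pid=29082 comm="ypxfr" name="passwd.byname~" dev=dm-4
ino=65583 scontext=root:system_r:ypxfr_t:s0 tcontext=root:object_r:var_yp_t:s0
tclass=dir
"""

# re.S lets one match run across the line breaks inside a record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)", re.S)

def context_type(ctx):
    # user:role:type[:level] -> type
    return ctx.split(":")[2]

def parse_avc(text):
    # One dict per denial found in syslog- or auditd-formatted text.
    return [{"perms": set(m["perms"].split()),
             "stype": context_type(m["scon"]),
             "ttype": context_type(m["tcon"]),
             "tclass": m["tclass"]} for m in AVC_RE.finditer(text)]

def summarize(records):
    # Merge denials into {(source type, target type, class): permissions}.
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return needed

def to_allow_rules(needed):
    # A target equal to the source is written as 'self', as audit2allow does.
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Run over the full thread, the same grouping shows at a glance which denials are socket operations on ypxfr_t's own sockets and which are map-file writes under var_yp_t.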
Comment 6 Orion Poplawski 2006-12-21 20:45:12 UTC
Also see this on the FC5 NIS master:


type=AVC msg=audit(1166728549.156:792591): avc:  denied  { getattr } for 
pid=13296 comm="ypxfr" name="nsswitch.conf" dev=dm-0 ino=17918
scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file

Running in permissive mode and with selinux-policy-2.4.5-4.fc5

Comment 7 Orion Poplawski 2007-01-25 16:38:25 UTC
With selinux-policy-2.4.6-27.fc6 in permissive mode I still see:

Jan 24 10:03:45 wind kernel: audit(1169658225.210:64): avc:  denied  { connect }
for  pid=13958 comm="ypxfr" lport=48172 scontext=system_u:system_r:ypxfr_t:s0
tcontext=system_u:system_r:ypxfr_t:s0 tclass=tcp_socket


Comment 8 Daniel Walsh 2007-01-25 19:20:16 UTC
Fixed in selinux-policy-2.4.6-31

Comment 9 Orion Poplawski 2007-05-09 16:17:48 UTC
Confirmed fixed.
