Bug 241621 - ypserv cannot exec ypxfr on x86_64
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: x86_64 Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
Reported: 2007-05-28 21:55 EDT by Suzuki Takashi
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:39:50 EST
Description Suzuki Takashi 2007-05-28 21:55:27 EDT
Description of problem:
When NIS maps are updated on the master server and they are yppush'ed,
the master server cannot hear from an EL5 x86_64 NIS slave server.
This problem causes an EL5 x86_64 server to be unusable
as a NIS slave server without any workarounds.
Details are shown below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
Always.

Steps to Reproduce:
On the NIS master server,
1. touch /var/yp/ypservers
2. make -C /var/yp

Actual results:
On the master server:
# make -C /var/yp
gmake[1]: Entering directory `/var/yp/dom'
Updating ypservers...
ypservers->slave: Callback timed out
gmake[1]: Leaving directory `/var/yp/dom'
gmake[1]: Entering directory `/var/yp/dom'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/var/yp/dom'

On the slave server:
May 15 11:17:40 slave ypserv[6142]: ypxfr execl(): Permission denied
May 15 11:17:42 slave setroubleshoot: SELinux is preventing /usr/sbin/ypserv
(ypserv_t) "execute_no_trans" access to /usr/lib64/yp/ypxfr (lib_t). For
complete SELinux messages. run sealert -l 3414333d-27a6-4a72-abf1-eb1e6767811a

Expected results:
No errors are reported from make on the master server and
no syslog entries are logged on the slave server.

Additional info:
I found /usr/lib64/yp/* are mis-labelled as lib_t.
/usr/lib64/yp/ypxfr must be labelled as system_u:object_r:ypxfr_exec_t and
/usr/lib64/yp/* should be labelled as system_u:object_r:bin_t.

So, there should be
/usr/lib64/yp/ypxfr     --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
in serefpolicy-2.4.6/modules/services/nis.fc and 
/usr/lib64/yp/.+                --      gen_context(system_u:object_r:bin_t,s0)
in serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc.

After labelling them manually by
# chcon system_u:object_r:bin_t /usr/lib64/yp/*
# chcon system_u:object_r:ypxfr_exec_t /usr/lib64/yp/ypxfr
selinux-policy-targeted-2.4.6-30.el5 didn't work because of some socket audits
but selinux-policy-targeted-2.4.6-71.el5 worked without errors.
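
A triage sketch for the denial in the description above, added here as an example and not part of the original report or of Red Hat's tooling: it parses the setroubleshoot line, compares the target's type with the file-context entries the reporter proposes, and flags the mismatch. The function names, the sample log string (the report's two syslog lines, rejoined) and the first-match ordering of the entries are assumptions of this example.

```python
import re

# Constructed sample: the two syslog lines from the report, with the wrapped
# setroubleshoot line joined back into a single line.
SYSLOG = (
    "May 15 11:17:40 slave ypserv[6142]: ypxfr execl(): Permission denied\n"
    "May 15 11:17:42 slave setroubleshoot: SELinux is preventing /usr/sbin/ypserv "
    '(ypserv_t) "execute_no_trans" access to /usr/lib64/yp/ypxfr (lib_t). For '
    "complete SELinux messages. run sealert -l 3414333d-27a6-4a72-abf1-eb1e6767811a\n"
)

# File-context entries proposed in the report: (path regex, expected type).
# Assumption: entries are tried in this order, literal path first. Real
# file_contexts precedence is decided by the policy tooling, not by this list.
PROPOSED_FC = [
    (r"/usr/lib64/yp/ypxfr", "ypxfr_exec_t"),
    (r"/usr/lib64/yp/.+", "bin_t"),
]

DENIAL = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<exe>\S+) \((?P<sdomain>\w+)\) '
    r'"(?P<perm>\w+)" access to (?P<target>\S+) \((?P<ttype>\w+)\)'
)

def expected_type(path):
    """Return the type the proposed entries assign to path, or None."""
    for pattern, setype in PROPOSED_FC:
        if re.fullmatch(pattern, path):
            return setype
    return None

def triage(syslog):
    """Parse setroubleshoot denials and flag targets whose label is wrong."""
    findings = []
    for line in syslog.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # e.g. the ypserv execl() line carries no label data
        d = m.groupdict()
        d["expected"] = expected_type(d["target"])
        d["mislabelled"] = d["expected"] is not None and d["ttype"] != d["expected"]
        # restorecon only helps once the installed policy contains the entry.
        d["fix"] = f"restorecon -v {d['target']}" if d["mislabelled"] else None
        findings.append(d)
    return findings

if __name__ == "__main__":
    for finding in triage(SYSLOG):
        print(finding)
```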
Comment 1 Daniel Walsh 2007-05-29 11:43:41 EDT
Fixed in selinux-policy 2.4.6-74
Comment 2 RHEL Product and Program Management 2007-05-29 11:44:29 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Suzuki Takashi 2007-05-31 09:32:42 EDT
Thank you for your action.

Could you upload the version containing the fix somewhere, if it won't be
officially released soon?
Comment 5 Daniel Walsh 2007-05-31 15:43:54 EDT
Packages are available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 7 Eduard Benes 2007-08-22 09:45:25 EDT
Suzuki, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 8 Suzuki Takashi 2007-08-27 01:02:43 EDT
Sorry for the late reply.

Both of
selinux-policy-targeted-2.4.6-79.el5.noarch.rpm
selinux-policy-targeted-2.4.6-83.el5.noarch.rpm
work.
/usr/lib64/yp/* were relabelled on the upgrade to 2.4.6-79.

For double-checking, I tried
# chcon system_u:object_r:lib_t /usr/lib64/yp/*
# restorecon /usr/lib64/yp/*
and /usr/lib64/yp/* were relabelled correctly.

Thank you.
Comment 11 errata-xmlrpc 2007-11-07 11:39:50 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html