Bug 241621 - ypserv cannot exec ypxfr on x86_64
Summary: ypserv cannot exec ypxfr on x86_64
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 5.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: OtherQA
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-29 01:55 UTC by Suzuki Takashi
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 16:39:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description Suzuki Takashi 2007-05-29 01:55:27 UTC
Description of problem:
When NIS maps are updated on the master server and they are yppush'ed,
the master server cannot hear from an EL5 x86_64 NIS slave server.
This problem causes an EL5 x86_64 server to be unusable
as a NIS slave server without any workarounds.
Details are shown below.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
On the NIS master server,
1. touch /var/yp/ypservers
2. make -C /var/yp

Actual results:
On the master server:
# make -C /var/yp
gmake[1]: Entering directory `/var/yp/dom'
Updating ypservers...
ypservers->slave: Callback timed out
gmake[1]: Leaving directory `/var/yp/dom'
gmake[1]: Entering directory `/var/yp/dom'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/var/yp/dom'

On the slave server:
May 15 11:17:40 slave ypserv[6142]: ypxfr execl(): Permission denied
May 15 11:17:42 slave setroubleshoot: SELinux is preventing /usr/sbin/ypserv
(ypserv_t) "execute_no_trans" access to /usr/lib64/yp/ypxfr (lib_t). For
complete SELinux messages. run sealert -l 3414333d-27a6-4a72-abf1-eb1e6767811a

Expected results:
No errors are reported from make on the master server and
no syslog entries are logged on the slave server.

Additional info:
I found /usr/lib64/yp/* are mis-labelled as lib_t.
/usr/lib64/yp/ypxfr must be labbeled as system_u:object_r:ypxfr_exec_t and
/usr/lib64/yp/* should be labelled as system_u:object_r:bin_t.

So, there should be
/usr/lib64/yp/ypxfr     --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
in serefpolicy-2.4.6/modules/services/nis.fc and 
/usr/lib64/yp/.+                --      gen_context(system_u:object_r:bin_t,s0)
in serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc.

After labelling them manually by
# chcon system_u:object_r:bin_t /usr/lib64/yp/*
# chcon system_u:object_r:ypxfr_exec_t /usr/lib64/yp/ypxfr
selinux-policy-targeted-2.4.6-30.el5 didn't work because of some socket audits
but selinux-policy-targeted-2.4.6-71.el5 worked without errors.

Comment 1 Daniel Walsh 2007-05-29 15:43:41 UTC
Fixed in selinux-policy 2.4.6-74

Comment 2 RHEL Product and Program Management 2007-05-29 15:44:29 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 4 Suzuki Takashi 2007-05-31 13:32:42 UTC
Thank you for your action.

Could you upload the version containing the fix somewhere, if it won't be
officially released soon?

Comment 5 Daniel Walsh 2007-05-31 19:43:54 UTC
Packages are available on 


Comment 7 Eduard Benes 2007-08-22 13:45:25 UTC
Suzuki, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 


Comment 8 Suzuki Takashi 2007-08-27 05:02:43 UTC
Sorry for the late.

Both of
/usr/lib64/yp/* were relabelled on the upgrade to 2.4.6-79.

For double-checking, I tried
# chcon system_u:object_r:lib_t /usr/lib64/yp/*
# restorecon /usr/lib64/yp/*
and /usr/lib64/yp/* were relabelled correctly.

Thank you.

Comment 11 errata-xmlrpc 2007-11-07 16:39:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.