Bug 241621 - ypserv cannot exec ypxfr on x86_64
Summary: ypserv cannot exec ypxfr on x86_64
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: x86_64
OS: Linux
medium
high
Assignee: Daniel Walsh
Keywords: OtherQA
 
Reported: 2007-05-29 01:55 UTC by Suzuki Takashi
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:39:50 UTC




External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2007:0544
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-11-08 14:16:49 UTC

Description Suzuki Takashi 2007-05-29 01:55:27 UTC
Description of problem:
When NIS maps are updated on the master server and they are yppush'ed,
the master server cannot hear from an EL5 x86_64 NIS slave server.
This problem causes an EL5 x86_64 server to be unusable
as a NIS slave server without any workarounds.
Details are shown below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
Always.

Steps to Reproduce:
On the NIS master server,
1. touch /var/yp/ypservers
2. make -C /var/yp

Actual results:
On the master server:
# make -C /var/yp
gmake[1]: Entering directory `/var/yp/dom'
Updating ypservers...
ypservers->slave: Callback timed out
gmake[1]: Leaving directory `/var/yp/dom'
gmake[1]: Entering directory `/var/yp/dom'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/var/yp/dom'

On the slave server:
May 15 11:17:40 slave ypserv[6142]: ypxfr execl(): Permission denied
May 15 11:17:42 slave setroubleshoot: SELinux is preventing /usr/sbin/ypserv
(ypserv_t) "execute_no_trans" access to /usr/lib64/yp/ypxfr (lib_t). For
complete SELinux messages. run sealert -l 3414333d-27a6-4a72-abf1-eb1e6767811a

Expected results:
No errors are reported from make on the master server and
no syslog entries are logged on the slave server.

Additional info:
I found /usr/lib64/yp/* are mis-labelled as lib_t.
/usr/lib64/yp/ypxfr must be labelled as system_u:object_r:ypxfr_exec_t and
/usr/lib64/yp/* should be labelled as system_u:object_r:bin_t.

So, there should be
/usr/lib64/yp/ypxfr     --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
in serefpolicy-2.4.6/modules/services/nis.fc and 
/usr/lib64/yp/.+                --      gen_context(system_u:object_r:bin_t,s0)
in serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc.

After labelling them manually by
# chcon system_u:object_r:bin_t /usr/lib64/yp/*
# chcon system_u:object_r:ypxfr_exec_t /usr/lib64/yp/ypxfr
selinux-policy-targeted-2.4.6-30.el5 didn't work because of some socket audits
but selinux-policy-targeted-2.4.6-71.el5 worked without errors.
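
A label audit for the directory discussed in this report, as an added example that is not part of the bug report or of Red Hat's policy. The expected types are the ones the reporter proposes; the function names, the sample input and the `ypinit` file name in it are constructed for illustration, and the input format assumes GNU `stat -c '%n %C'`.

```shell
#!/bin/sh
# Added example. Input: "path context" pairs, one per line, as printed by
#   stat -c '%n %C' /usr/lib64/yp/*
# Assumes file names without whitespace.

# expected_type PATH: the type this report says PATH should carry.
expected_type() {
    case "$1" in
        /usr/lib64/yp/ypxfr) echo ypxfr_exec_t ;;
        /usr/lib64/yp/?*)    echo bin_t ;;
        *)                   echo "" ;;   # not covered by the report
    esac
}

# check_yp_labels: prints "MISLABELLED path have=T want=T" for each mismatch
# read from stdin; returns 1 if any mismatch was found, 0 otherwise.
check_yp_labels() {
    rc=0
    while read -r path ctx; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        # A context is user:role:type[:level]; the type is field 3.
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "MISLABELLED $path have=$have want=$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: every file lib_t, the state the report describes.
sample_before() {
    printf '%s\n' \
        '/usr/lib64/yp/ypxfr system_u:object_r:lib_t:s0' \
        '/usr/lib64/yp/ypinit system_u:object_r:lib_t:s0'
}

# Constructed sample: labels after the change the report asks for.
sample_after() {
    printf '%s\n' \
        '/usr/lib64/yp/ypxfr system_u:object_r:ypxfr_exec_t:s0' \
        '/usr/lib64/yp/ypinit system_u:object_r:bin_t:s0'
}

sample_before | check_yp_labels || true   # prints two MISLABELLED lines
```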

Comment 1 Daniel Walsh 2007-05-29 15:43:41 UTC
Fixed in selinux-policy 2.4.6-74

Comment 2 RHEL Product and Program Management 2007-05-29 15:44:29 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Suzuki Takashi 2007-05-31 13:32:42 UTC
Thank you for your action.

Could you upload the version containing the fix somewhere, if it won't be
officially released soon?

Comment 5 Daniel Walsh 2007-05-31 19:43:54 UTC
Packages are available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 7 Eduard Benes 2007-08-22 13:45:25 UTC
Suzuki, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 8 Suzuki Takashi 2007-08-27 05:02:43 UTC
Sorry for the late reply.

Both of
selinux-policy-targeted-2.4.6-79.el5.noarch.rpm
selinux-policy-targeted-2.4.6-83.el5.noarch.rpm
work.
/usr/lib64/yp/* were relabelled on the upgrade to 2.4.6-79.

For double-checking, I tried
# chcon system_u:object_r:lib_t /usr/lib64/yp/*
# restorecon /usr/lib64/yp/*
and /usr/lib64/yp/* were relabelled correctly.

Thank you.

Comment 11 errata-xmlrpc 2007-11-07 16:39:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


