Bug 279261 - selinux prevents yppasswd from running pwupdate
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: x86_64 Linux
Priority: medium  Severity: high
Assigned To: Daniel Walsh
Reported: 2007-09-05 15:57 EDT by Thomas J. Baker
Modified: 2008-03-05 17:00 EST (History)
Fixed In Version: 5.1
Doc Type: Bug Fix
Last Closed: 2008-03-05 17:00:47 EST
Description Thomas J. Baker 2007-09-05 15:57:58 EDT
Description of problem:

[root@blackstar yp]# sealert -l 13506dcd-791d-432a-a044-3b7a5d72b667
Summary
    SELinux is preventing /usr/sbin/rpc.yppasswdd (yppasswdd_t)
    "execute_no_trans" access to /usr/lib64/yp/pwupdate (lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/rpc.yppasswdd. It is not
    expected that this access is required by /usr/sbin/rpc.yppasswdd and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /usr/lib64/yp/pwupdate,
    restorecon -v /usr/lib64/yp/pwupdate. There is currently no automatic way to
    allow this access. Instead, you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 -
    or you can disable SELinux protection entirely for the application.
    Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "yppasswdd_disable_trans" boolean to true will disable SELinux
    protection for this application: "setsebool -P yppasswdd_disable_trans=1."

    The following command will allow this access:
    setsebool -P yppasswdd_disable_trans=1

Additional Information

Source Context                system_u:system_r:yppasswdd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/yp/pwupdate [ file ]
Affected RPM Packages         ypserv-2.19-3 [application]ypserv-2.19-3 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     blackstar.sr.unh.edu
Platform                      Linux blackstar.sr.unh.edu 2.6.18-8.1.3.el5xen #1
                              SMP Mon Apr 16 16:19:37 EDT 2007 x86_64 x86_64
Alert Count                   15
Line Numbers

Raw Audit Messages

avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306
scontext=system_u:system_r:yppasswdd_t:s0 sgid=0
subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0


[root@blackstar yp]#

Version-Release number of selected component (if applicable):

ypserv-2.19-3
selinux-policy-targeted-2.4.6-30.el5

How reproducible:

Each time we change a password with yppasswdd.

Steps to Reproduce:
1. change passwd with yppasswd
Actual results:

passwd is changed in yp source but not pushed to ypserver.

Expected results:

passwd is changed and pushed to ypserver.

Additional info:
Comment 1 Daniel Walsh 2007-09-06 09:40:46 EDT
Please apply the U1 preview policy on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

Should be fixed by this policy.

selinux-policy-2.4.6-89.el5.noarch.rpm
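The sealert text above offers three ways forward: relabel the target, build a local policy module, or flip yppasswdd_disable_trans. The first and second are what a practitioner should reach for until the fixed policy (2.4.6-89.el5, per Comment 1) is installed; the boolean removes confinement from the daemon entirely. The following is an added example, not code from the bug report, from ypserv or from the selinux-policy package. It parses raw AVC denial lines in the format shown in the report and emits the minimal Type Enforcement module that audit2allow would generate for them, merging permissions per (source type, target type, class). The first sample line is the denial copied from the report, re-joined onto one line; the second is a constructed follow-up denial (read/open on the same file, with a made-up audit timestamp) included only to show the merge, and is not something the report recorded. Module name local_yppasswdd and the helper names are this example's own choices.

```python
import re
from collections import defaultdict

# AVC denial copied from the bug report's "Raw Audit Messages", joined onto
# one line as it would appear in /var/log/audit/audit.log.
SAMPLE_AVC = (
    'avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306 '
    'scontext=system_u:system_r:yppasswdd_t:s0 sgid=0 '
    'subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0'
)

# Constructed follow-up denial (NOT from the bug report): the timestamp and the
# read/open permissions are invented to demonstrate merging of rules.
CONSTRUCTED_FOLLOWUP = (
    'type=AVC msg=audit(1189021000.123:456): avc:  denied  { read open } for '
    'pid=26306 comm="rpc.yppasswdd" path="/usr/lib64/yp/pwupdate" dev=dm-0 '
    'scontext=system_u:system_r:yppasswdd_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

# Matches both bare "avc: denied" lines and full "type=AVC msg=audit(...)" lines.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into its policy-relevant parts.

    Returns a dict with the denied permission set, the source and target
    *types* (third field of user:role:type[:mls]), the object class and the
    path, or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path') or fields.get('name'),
        'comm': fields.get('comm'),
    }


def build_module(lines, name='local_yppasswdd'):
    """Emit a minimal .te module covering every denial in `lines`.

    Denials are grouped by (source type, target type, class) and their
    permissions merged, which is what audit2allow does with a set of
    related AVC messages."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']

    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c] |= perms

    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_module([SAMPLE_AVC, CONSTRUCTED_FOLLOWUP]))
```

The generated text goes through the usual toolchain (checkmodule -M -m, semodule_package, semodule -i) to become a loadable module. Read the resulting allow rule before loading it: `allow yppasswdd_t lib_t:file ...` lets the daemon execute anything labeled lib_t on the system, not just pwupdate. If the real defect is that an executable helper carries the library label, a file-context entry for /usr/lib64/yp/pwupdate followed by restorecon is the narrower fix; the bug does not record which of the two the 2.4.6-89 policy chose, so check `ls -Z /usr/lib64/yp/pwupdate` after updating.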
