Bug 279261 - selinux prevents yppasswd from running pwupdate
Summary: selinux prevents yppasswd from running pwupdate
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: x86_64
OS: Linux
Assignee: Daniel Walsh
Reported: 2007-09-05 19:57 UTC by Thomas J. Baker
Modified: 2008-03-05 22:00 UTC (History)

Fixed In Version: 5.1
Doc Type: Bug Fix
Last Closed: 2008-03-05 22:00:47 UTC

Description Thomas J. Baker 2007-09-05 19:57:58 UTC
Description of problem:

[root@blackstar yp]# sealert -l 13506dcd-791d-432a-a044-3b7a5d72b667
    SELinux is preventing /usr/sbin/rpc.yppasswdd (yppasswdd_t)
    "execute_no_trans" access to /usr/lib64/yp/pwupdate (lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/rpc.yppasswdd. It is not
    expected that this access is required by /usr/sbin/rpc.yppasswdd and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /usr/lib64/yp/pwupdate,
    restorecon -v /usr/lib64/yp/pwupdate. There is currently no automatic way to
    allow this access. Instead, you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 -
    or you can disable SELinux protection entirely for the application.
    Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "yppasswdd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P yppasswdd_disable_trans=1."

    The following command will allow this access:
    setsebool -P yppasswdd_disable_trans=1

Additional Information        

Source Context                system_u:system_r:yppasswdd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/yp/pwupdate [ file ]
Affected RPM Packages         ypserv-2.19-3 [application]ypserv-2.19-3 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     blackstar.sr.unh.edu
Platform                      Linux blackstar.sr.unh.edu 2.6.18-8.1.3.el5xen #1
                              SMP Mon Apr 16 16:19:37 EDT 2007 x86_64 x86_64
Alert Count                   15
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306
scontext=system_u:system_r:yppasswdd_t:s0 sgid=0
subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0

[root@blackstar yp]#

Version-Release number of selected component (if applicable):


How reproducible:

Each time we change a password with yppasswdd.

Steps to Reproduce:
1. change passwd with yppasswd
Actual results:

passwd is changed in yp source but not pushed to ypserver.

Expected results:

passwd is changed and pushed to ypserver.

Additional info:

Comment 1 Daniel Walsh 2007-09-06 13:40:46 UTC
Please apply the U1 preview policy on 


Should be fixed by this policy.
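
The raw audit message in the description can be reduced to the one type-enforcement access it records as denied, which makes it easy to compare that access with the much broader `yppasswdd_disable_trans` boolean the alert suggests. This is an added example, not part of the bug report or of selinux-policy; the function names are hypothetical, and the rendered rule is for review only and is not claimed to be the change made in the U1 policy.

```python
import re

# Raw audit message copied from the description above, joined onto one line.
RAW_AVC = (
    'avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306 '
    'scontext=system_u:system_r:yppasswdd_t:s0 sgid=0 '
    'subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0'
)

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', re.S)
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(message):
    """Return a dict for one AVC record, or None if the text is not an AVC message."""
    m = AVC_HEAD.search(message)
    if m is None:
        return None
    record = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in KEY_VALUE.findall(m.group(3)):
        record[key] = value.strip('"')
    return record


def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return fields[2]


def te_rule(record):
    """Render the denied access as a type-enforcement allow rule (for review)."""
    perms = " ".join(record["perms"])
    if len(record["perms"]) > 1:
        perms = "{ " + perms + " }"
    return "allow %s %s:%s %s;" % (
        context_type(record["scontext"]), context_type(record["tcontext"]),
        record["tclass"], perms)


if __name__ == "__main__":
    rec = parse_avc(RAW_AVC)
    print(rec["exe"], "->", rec["path"])
    print(te_rule(rec))
```
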

