Description of problem:

[root@blackstar yp]# sealert -l 13506dcd-791d-432a-a044-3b7a5d72b667

Summary
    SELinux is preventing /usr/sbin/rpc.yppasswdd (yppasswdd_t)
    "execute_no_trans" access to /usr/lib64/yp/pwupdate (lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/rpc.yppasswdd. It is not
    expected that this access is required by /usr/sbin/rpc.yppasswdd and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /usr/lib64/yp/pwupdate,
    restorecon -v /usr/lib64/yp/pwupdate. There is currently no automatic way
    to allow this access. Instead, you can generate a local policy module to
    allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "yppasswdd_disable_trans" boolean to true will disable
    SELinux protection this application: "setsebool -P
    yppasswdd_disable_trans=1."

    The following command will allow this access:
    setsebool -P yppasswdd_disable_trans=1

Additional Information

Source Context                system_u:system_r:yppasswdd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/yp/pwupdate [ file ]
Affected RPM Packages         ypserv-2.19-3 [application]ypserv-2.19-3 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     blackstar.sr.unh.edu
Platform                      Linux blackstar.sr.unh.edu 2.6.18-8.1.3.el5xen #1 SMP Mon Apr 16 16:19:37 EDT 2007 x86_64 x86_64
Alert Count                   15
Line Numbers

Raw Audit Messages

avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306 scontext=system_u:system_r:yppasswdd_t:s0 sgid=0 subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0

[root@blackstar yp]#

Version-Release number of selected component (if applicable):
ypserv-2.19-3
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
Each time we change a password with yppasswdd.

Steps to Reproduce:
1. change passwd with yppasswd
2.
3.

Actual results:
passwd is changed in yp source but not pushed to ypserver.

Expected results:
passwd is changed and pushed to ypserver.

Additional info:

Please apply the U1 preview policy on
http://people.redhat.com/dwalsh/SELinux/RHEL5

Should be fixed by this policy.

selinux-policy-2.4.6-89.el5.noarch.rpm
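
The raw audit message in the report above names the source type, target type, object class and permission that were denied. As an added example (not part of the original report, the reply, or Red Hat's policy), this Python code parses that AVC record and derives the type-enforcement rule a local policy module would have to contain; the function names parse_avc, context_type and te_rule are hypothetical.

```python
import re

# AVC record copied from the report's "Raw Audit Messages" section.
AVC = ('avc: denied { execute_no_trans } for comm="rpc.yppasswdd" dev=dm-0 '
       'egid=0 euid=0 exe="/usr/sbin/rpc.yppasswdd" exit=-13 fsgid=0 fsuid=0 '
       'gid=0 items=0 name="pwupdate" path="/usr/lib64/yp/pwupdate" pid=26306 '
       'scontext=system_u:system_r:yppasswdd_t:s0 sgid=0 '
       'subj=system_u:system_r:yppasswdd_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0')

_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the decision, permission list and key=value fields of an AVC record."""
    m = _PERMS.search(record)
    if m is None or not m.group(2).split():
        raise ValueError("not an AVC record with permissions")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(record)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks " + required)
    return {"decision": m.group(1), "perms": m.group(2).split(), "fields": fields}


def context_type(context):
    """Extract the type from user:role:type[:mls-range]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]


def te_rule(record):
    """Build the type-enforcement allow rule matching a denied access."""
    avc = parse_avc(record)
    if avc["decision"] != "denied":
        raise ValueError("record is not a denial")
    f = avc["fields"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(f["scontext"]), context_type(f["tcontext"]),
        f["tclass"], perm_text)


if __name__ == "__main__":
    print(te_rule(AVC))
```

The derived rule is only what this one denial maps to; the reply in the thread points to an updated selinux-policy package rather than a local module.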