Bug 364931 – logins with NIS are denied

Bug 364931 - logins with NIS are denied

Summary:	logins with NIS are denied

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	8
Hardware:	powerpc Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-11-02 20:46 EDT by Chris Lumens
Modified:	2007-11-30 17:12 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-11-10 08:10:05 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Chris Lumens 2007-11-02 20:46:53 EDT

With selinux-policy-targeted-3.0.8-42.fc8.noarch running, I am unable to login
either at the console or via gdm if I am using NIS and in enforcing mode.  The
following policy blob adapted from the similar dovecot bug fixes this:

module nis 1.0;

require {
        type system_chkpwd_t;
        type hi_reserved_port_t;
        type updpwd_t;
        class capability net_bind_service;
        class tcp_socket { name_bind name_connect };
        class udp_socket name_bind;
}

allow system_chkpwd_t hi_reserved_port_t:tcp_socket { name_bind name_connect };
allow system_chkpwd_t hi_reserved_port_t:udp_socket name_bind;
allow system_chkpwd_t self:capability net_bind_service;

allow updpwd_t hi_reserved_port_t:udp_socket name_bind;
allow updpwd_t self:capability net_bind_service;

Comment 1 Daniel Walsh 2007-11-05 10:49:33 EST

Do you have the allow_ypbind boolean turned on ?

setsebool -P allow_ypbind=1

Comment 2 Chris Lumens 2007-11-05 10:58:42 EST

chris@monolith:~$ /usr/sbin/getsebool allow_ypbind
allow_ypbind --> on

Perhaps it wasn't set before I started messing around with new policy, though. 
I would need to bring up another machine and see if it works or not to be sure.

Note You need to log in before you can comment on or make changes to this bug.