Description of problem:
We see the following messages when running the autofs regression tests:

/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 3/26/2008 10:52:50
----
time->Wed Mar 26 10:53:30 2008
type=SYSCALL msg=audit(1206543210.581:8): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff1a2c2fa0 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.581:8): avc: denied { node_bind } for pid=5439 comm="genhomedircon" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
----
time->Wed Mar 26 10:53:30 2008
type=SYSCALL msg=audit(1206543210.581:9): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff1a2c2ed0 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.581:9): avc: denied { name_bind } for pid=5439 comm="genhomedircon" src=951 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Wed Mar 26 10:53:30 2008
type=SYSCALL msg=audit(1206543210.582:10): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff1a2c3130 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.582:10): avc: denied { name_connect } for pid=5439 comm="genhomedircon" dest=111 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-125.el5.noarch
selinux-policy-targeted-2.4.6-125.el5.noarch
kernel-2.6.18-86.el5.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run the autofs regression tests.
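The three SYSCALL/AVC pairs from the report, parsed and correlated by audit serial, as an added example that is not part of the bug report or of selinux-policy. It assumes the x86_64 (arch=c000003e) syscall numbers 49 = bind and 42 = connect, and uses the report's own records, re-wrapped one record per line as ausearch prints them, as constructed sample input. The last function prints the allow rules audit2allow would derive from the denials, which is what a reader tempted to build a local policy module would get; the thread's answer is the allow_ypbind boolean, not those rules.

```python
"""Correlate SYSCALL and AVC audit records and summarise SELinux denials.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input: the three events quoted in the report above,
# one record per line.  The SYSCALL lines are as in the report, the AVC
# lines likewise; no field has been altered.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1206543210.581:8): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff1a2c2fa0 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.581:8): avc: denied { node_bind } for pid=5439 comm="genhomedircon" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1206543210.581:9): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff1a2c2ed0 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.581:9): avc: denied { name_bind } for pid=5439 comm="genhomedircon" src=951 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1206543210.582:10): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff1a2c3130 a2=10 a3=3 items=0 ppid=5437 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="genhomedircon" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1206543210.582:10): avc: denied { name_connect } for pid=5439 comm="genhomedircon" dest=111 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

# key=value tokens; values are quoted strings, parenthesised words, or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# msg=audit(<epoch.msec>:<serial>) ties an AVC to its SYSCALL record.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Assumption: x86_64 syscall numbers for the two calls seen in the report.
X86_64_SYSCALLS = {42: "connect", 49: "bind"}


def parse_record(line):
    """Return one audit record as a dict: type, time, serial, perms, fields."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {key: val.strip('"') for key, val in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    return {
        "type": fields["type"],
        "time": float(m.group(1)),
        "serial": int(m.group(2)),
        "perms": perms.group(1).split() if perms else [],
        "fields": fields,
    }


def correlate(text):
    """Group records by serial so each AVC sits next to the SYSCALL it came from."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
        elif rec["type"] == "AVC":
            events[rec["serial"]]["avcs"].append(rec)
    return dict(events)


def summarize(text):
    """One row per denial: process, syscall, errno, permission, source/target."""
    rows = []
    for serial, ev in sorted(correlate(text).items()):
        sc = ev["syscall"]["fields"] if ev["syscall"] else {}
        nr = int(sc["syscall"]) if "syscall" in sc else None
        for avc in ev["avcs"]:
            f = avc["fields"]
            rows.append({
                "serial": serial,
                "comm": f.get("comm"),
                "exe": sc.get("exe"),
                "syscall": X86_64_SYSCALLS.get(nr, nr),
                "exit": int(sc["exit"]) if "exit" in sc else None,  # -13 = EACCES
                "perms": avc["perms"],
                "scontext": f["scontext"],
                "tcontext": f["tcontext"],
                "tclass": f["tclass"],
            })
    return rows


def te_rules(text):
    """Deduplicated allow rules in the shape audit2allow prints for these denials."""
    seen, rules = set(), []
    for row in summarize(text):
        src = row["scontext"].split(":")[2]   # user:role:TYPE:level -> TYPE
        tgt = row["tcontext"].split(":")[2]
        for perm in row["perms"]:
            rule = "allow %s %s:%s %s;" % (src, tgt, row["tclass"], perm)
            if rule not in seen:
                seen.add(rule)
                rules.append(rule)
    return rules


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT):
        print("%(serial)s %(comm)s %(syscall)s exit=%(exit)s denied %(perms)s "
              "%(scontext)s -> %(tcontext)s:%(tclass)s" % row)
    print("\n".join(te_rules(SAMPLE_AUDIT)))
```

Run as a script, the summary shows the same picture the comments below reach by hand: every denial is a bind or connect from comm="genhomedircon" running in semanage_t, so it is the setsebool invocation itself, not autofs or ypbind, that is being refused.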
This is caused by you not setting the allow_ypbind boolean.

setsebool -P allow_ypbind=1

Should fix.
And service ypbind start/stop will set and unset that variable. As far as I know, I shouldn't have to set it manually.
More specifically, I don't call genhomedircon, it seems to get called on my behalf when running something else (service ypbind start/stop maybe?). Dan, can you comment on this? The script in question only does a 'service ypbind start', no stop, no restart. It is also the first script in the test run to start ypbind.
Correction, we run 'service ypbind stop' first, and at that time the service was not previously running.
Yes, the init script is setting the boolean, but it is too late, and the AVCs actually are against the command that is setting the boolean. setsebool allow_ypbind 1 execs genhomedircon. So this is generating the AVC messages. It is better to just set the boolean permanently.