Description of problem: This is the first alert on updated Fedora 9 system, was doing rsync network transfer for a while, nfs server is on and one client mounts an exported folder.

Summary:
SELinux is preventing mount (mount_t) "read write" to socket (automount_t).

Detailed Description:
SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:system_r:automount_t:s0
Target Objects                socket [ tcp_socket ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          viao590
Source RPM Packages           util-linux-ng-2.13.1-6.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     viao590
Platform                      Linux viao590 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count                   52
First Seen                    Sat 24 May 2008 12:25:17 PM EDT
Last Seen                     Sat 24 May 2008 04:58:03 PM EDT
Local ID                      183b3351-3aed-41f2-b916-c75f7548bac8
Line Numbers

Raw Audit Messages

host=viao590 type=AVC msg=audit(1211662683.557:134): avc: denied { read write } for pid=15123 comm="mount" path="socket:[258766]" dev=sockfs ino=258766 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=tcp_socket

host=viao590 type=SYSCALL msg=audit(1211662683.557:134): arch=40000003 syscall=11 success=yes exit=0 a0=b7b7f9dd a1=b7b7f940 a2=b9bb41e0 a3=1494 items=0 ppid=2000 pid=15123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
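The two raw audit records above carry more than the setroubleshoot summary shows: the AVC and SYSCALL lines share the serial 134, and the SYSCALL record says which call triggered the check (arch=40000003 is i386 and syscall=11 is execve there, so the socket was an inherited file descriptor checked when /bin/mount was executed, and success=yes shows the exec itself still went ahead). The parser below is an added example written for this bug, not part of the report or of any Fedora tool; it reads the two lines exactly as quoted, groups records by serial, and reduces the denial to the source type, target type, object class and permissions a policy reviewer looks at. The helper names and the one-entry syscall table are this example's own constructions.

```python
"""Parse and correlate the raw audit records quoted in the bug report.

Added example, not code from the report or from Fedora.  The input is the
AVC/SYSCALL pair from the report; helper names and the tiny syscall table
are assumptions of this example.
"""
import re
from typing import Dict, List, Optional

# The two "Raw Audit Messages" lines from the report, verbatim.
RAW_AUDIT_RECORDS: List[str] = [
    'host=viao590 type=AVC msg=audit(1211662683.557:134): avc: denied { read write } '
    'for pid=15123 comm="mount" path="socket:[258766]" dev=sockfs ino=258766 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 '
    'tclass=tcp_socket',
    'host=viao590 type=SYSCALL msg=audit(1211662683.557:134): arch=40000003 syscall=11 '
    'success=yes exit=0 a0=b7b7f9dd a1=b7b7f940 a2=b9bb41e0 a3=1494 items=0 ppid=2000 '
    'pid=15123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" '
    'subj=system_u:system_r:mount_t:s0 key=(null)',
]

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the entry this record needs: arch 40000003 is AUDIT_ARCH_I386, where 11 is execve.
SYSCALL_NAMES = {("40000003", 11): "execve"}


def parse_record(line: str) -> dict:
    """Split one audit line into timestamp/serial, record type and its key=value fields."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields.pop("msg", None)  # already captured as timestamp/serial
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "type": fields.pop("type"),
        "fields": fields,
    }
    if rec["type"] == "AVC":
        a = AVC_RE.search(line)
        if a is None:
            raise ValueError("AVC record without a permission set: %r" % line)
        rec["result"] = a.group("result")
        rec["permissions"] = a.group("perms").split()
    return rec


def type_of(context: str) -> str:
    """Return the type component (third field) of a user:role:type:level context."""
    return context.split(":")[2]


def correlate(lines: List[str]) -> Dict[int, List[dict]]:
    """Group records by audit serial so an AVC can be read next to its SYSCALL record."""
    events: Dict[int, List[dict]] = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


def summarize(event: List[dict]) -> Optional[dict]:
    """Reduce one correlated event to the facts a policy reviewer wants; None if not a denial."""
    avc = next((r for r in event if r["type"] == "AVC"), None)
    if avc is None or avc["result"] != "denied":
        return None
    f = avc["fields"]
    summary = {
        "source_type": type_of(f["scontext"]),
        "target_type": type_of(f["tcontext"]),
        "tclass": f["tclass"],
        "permissions": avc["permissions"],
        "comm": f.get("comm"),
    }
    sc = next((r for r in event if r["type"] == "SYSCALL"), None)
    if sc is not None:
        sf = sc["fields"]
        summary["exe"] = sf.get("exe")
        summary["syscall"] = SYSCALL_NAMES.get((sf.get("arch"), int(sf["syscall"])), sf["syscall"])
        summary["syscall_succeeded"] = sf.get("success") == "yes"
        summary["ppid"] = int(sf["ppid"])
    return summary


def report(lines: List[str]) -> List[dict]:
    """Summaries of every denial found in the given audit lines."""
    out = []
    for event in correlate(lines).values():
        s = summarize(event)
        if s is not None:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in report(RAW_AUDIT_RECORDS):
        print("%s -> %s %s { %s } via %s (exe %s, parent pid %s, succeeded=%s)" % (
            s["source_type"], s["target_type"], s["tclass"], " ".join(s["permissions"]),
            s["syscall"], s["exe"], s["ppid"], s["syscall_succeeded"]))
```

For this record the summary reads mount_t -> automount_t tcp_socket { read write } via execve, which matches the setroubleshoot headline but also makes clear that the denial is an exec-time check on a socket inherited from the parent (ppid 2000), not a connect or accept attempted by mount itself. Feeding a real /var/log/audit/audit.log through the same functions works unchanged, since records that are not denials summarize to None.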
Are you using ldap for authentication?
no, NIS, which may or may not be configured at the time the error happened.
getsebool allow_ypbind

If not set turn it on

setsebool -P allow_ypbind 1
I do not see this particular error anymore even though I have not used any setsebool commands. I observe some anomalies with ypbind. When I bring NIS server down sometimes ypbind service returns [OK] during system startup. This results in login trying to connect to yp and timing out after 60 seconds making console login 100% impossible. This behavior is not always reproducible. When NIS is down and system started up successfully I see messages from SELinux denying access to yp subsystem from login, sendmail.sendmail and gdm-simple-slave. Do I really have to run setsebool -P allow_ypbind 1 by hand? Isn't it a system-config-authentication responsibility?
Theoretically yes. You can open a bugzilla on that. If you run the command, you should be all set.
'setsebool -P allow_ypbind 1' was dropped from authconfig because this command should be and is called by the /etc/init.d/ypbind init script. The init script disables the boolean on shutdown so it is to be expected that there will be SELinux denials from the services doing nis lookups. Either ypbind initscript should not disable the boolean on shutdown or perhaps the policy should be modified to switch the rules to dontaudit when the boolean is off instead of disabling the rules completely.
ypbind-1.20.4-6.fc9 has been submitted as an update for Fedora 9
The problem is that libc or other parts of the system know the system is using NIS before the ypbind init script starts. So if the boolean is not set permanently, the system will generate AVC messages before the script is executed.
So do you think that enabling the boolean (with -P) in s-c-a should be readded back to the authconfig? I have no problem with this.
Yes that is fine.
ypbind-1.20.4-6.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ypbind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5190
I removed allow_ypbind SELinux boolean disabling on service shutdown in ypbind-1.20.4-6.fc9. So this will not fix this issue, as I see in comment #8. It's possible to enable the boolean (with -P) during %post in ypbind, but what if ypbind is installed before SELinux? Otherwise it should be re-enabled in authconfig.
(In reply to comment #12)
> I removed allow_ypbind SELinux boolean disabling on service shutdown in
> ypbind-1.20.4-6.fc9. So this will not fix this issue, as I see in comment #8.

Yes, it will not fix it completely but I think it is OK that you removed it anyway.

> It's possible to enable the boolean (with -P) during %post in ypbind, but what
> if ypbind is installed before SELinux?

I don't think that adding that to %post is appropriate, I'll fix authconfig instead.
ypbind-1.20.4-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.