Bug 464546 - restorecond denials
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2008-09-29 11:02 EDT by Orion Poplawski
Modified: 2008-09-30 09:54 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-30 09:54:04 EDT
Description Orion Poplawski 2008-09-29 11:02:10 EDT
Description of problem:

Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.519:329): avc:  denied  { node_bind } for  pid=1413 comm="restorecond" scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.527:330): avc:  denied  { name_bind } for  pid=1413 comm="restorecond" src=799 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.535:331): avc:  denied  { name_connect } for  pid=1413 comm="restorecond" dest=111 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):

How reproducible:
Happens periodically.  Not sure what triggers it.

This is a xen guest running kernel 2.6.18-105.el5xen.
Comment 1 Daniel Walsh 2008-09-29 13:13:31 EDT
This looks like this is being caused by NIS.
setsebool -P allow_ypbind 1

If this is using ypbind?
Comment 2 Orion Poplawski 2008-09-29 15:48:37 EDT
Hmm, was using ypbind, but just transitioned to LDAP.  Messages started when I ran authconfig and ypbind was stopped (and allow_ypbind set to 0).  I'll reboot.
Comment 3 Daniel Walsh 2008-09-30 09:54:04 EDT
Yes I think this will go away, now.  I think you have a race condition, where you stopped ypbind, and turned off the boolean, but the kernel still was doing NIS stuff so it generated an AVC.  

I believe you will not see this in the future.
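
Added example, not part of the original bug thread: a small Python parser for the three AVC denial records in the description. It groups them by source type and lists the domains denied name_connect to portmap_port_t, the portmapper contact that fits the NIS explanation in Comment 1. The function names and the portmap heuristic are assumptions of this example; the sample log is the report's three records, each rejoined onto one line.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials from the report, one record per line.
SAMPLE_LOG = """\
Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.519:329): avc:  denied  { node_bind } for  pid=1413 comm="restorecond" scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.527:330): avc:  denied  { name_bind } for  pid=1413 comm="restorecond" src=799 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
Sep 29 08:55:55 xenmock1 kernel: type=1400 audit(1222700155.535:331): avc:  denied  { name_connect } for  pid=1413 comm="restorecond" dest=111 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or wrapped record: skip rather than guess
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; policy rules match on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials as {(source type, class): {(perm, target type, port)}}."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        port = rec.get("src") or rec.get("dest")  # src on bind, dest on connect
        for perm in rec["perms"]:
            out[(rec["stype"], rec["tclass"])].add((perm, rec["ttype"], port))
    return dict(out)

def portmap_clients(log_text):
    """Heuristic (this example's assumption): types denied name_connect to portmap_port_t."""
    return sorted({stype for (stype, _), items in summarize(log_text).items()
                   for perm, ttype, _port in items
                   if perm == "name_connect" and ttype == "portmap_port_t"})

if __name__ == "__main__":
    for key, items in summarize(SAMPLE_LOG).items():
        print(key, sorted(items, key=str))
    print("portmap clients:", portmap_clients(SAMPLE_LOG))
```

Records that are still hard-wrapped across lines, as in the original paste, are skipped by `parse_avc` because the context fields are split; rejoin them first.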
