Description of problem:

----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaee4b8 a2=2d2ff4 a3=5 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.545:12735): avc: denied { name_connect } for pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaee44c a2=2d2ff4 a3=bfaee460 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.546:12736): avc: denied { name_bind } for pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----

The problem was found on 3 different machines (stable systems) which we use for errata testing. Unfortunately these machines can be misconfigured, because a lot of testers use them.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-14.1.el5.x86_64
policycoreutils-debuginfo-1.33.12-14.1.el5.x86_64
policycoreutils-gui-1.33.12-14.1.el5.x86_64
policycoreutils-newrole-1.33.12-14.1.el5.x86_64
selinux-policy-2.4.6-137.1.el5_2.noarch
selinux-policy-devel-2.4.6-137.1.el5_2.noarch
selinux-policy-mls-2.4.6-137.1.el5_2.noarch
selinux-policy-strict-2.4.6-137.1.el5_2.noarch
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch
tps-polling-2.30-6.noarch

How reproducible:
always

Steps to Reproduce:
# tps-cd 2009:8005
# tps 2009:8005
# less tps-rpmtest.report
# ausearch -ts recent -m AVC

Actual results:
AVCs

Expected results:
no AVCs

Additional info:

setsebool -P allow_ypbind=1

Should fix this.

I believe these machines are running in an NIS environment without this being set permanently, which can cause these AVC messages.

(In reply to comment #1)
> setsebool -P allow_ypbind=1
>
> Should fix this.
>
> I believe these machines are running in an NIS environment without this being
> set permanently, which can cause these AVC messages.

The runtest.sh script in autofs-test/bugzillas which is used for the autofs workflow executes "setsebool -P allow_ypbind=1" prior to running tests?

Ian

The trouble is the act of running this command causes the problem. So you need this set before running the test.

Can we configure the machine without NIS? Or can we have the machine configured properly with NIS before we run the test?

Ian, if you remove the -P, I think this will work.

No need to make a permanent change, since the system is going away after the test.

(In reply to comment #4)
> Ian, if you remove the -P, I think this will work.
>
> No need to make a permanent change, since the system is going away after the
> test.

But will the setsebool still cause the AVC?

Remember that, as far as I am concerned, the machine is already installed and ready to go before a test script is run by the RHTS system. So, the fact that setting this causes the AVC we want to avoid is not something I can change, whether I use the permanent flag or not.

Ian
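
The two denials from the description, parsed into one summary per AVC and joined to the matching SYSCALL record by audit serial, as an added example that is not part of the original bug report or of the tps/RHTS tooling. The names `parse_denials`, `selinux_type` and `SAMPLE` are hypothetical, and the sample text is constructed from the records quoted above.

```python
import re

RECORD = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

# Constructed sample: the two events from the description, one record per
# line, with the SYSCALL records trimmed to a few fields.
SAMPLE = """\
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 pid=29336 comm="genhomedircon" exe="/usr/bin/python"
type=AVC msg=audit(1224752166.545:12735): avc:  denied  { name_connect } for  pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 pid=29336 comm="genhomedircon" exe="/usr/bin/python"
type=AVC msg=audit(1224752166.546:12736): avc:  denied  { name_bind } for  pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_denials(text):
    """One dict per denied AVC, joined to its SYSCALL (in either order)."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # "----" separators and "time->" lines
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "SYSCALL":
            syscalls[serial] = fields
        elif rtype == "AVC" and perms:  # "granted" records are skipped
            avcs.append((serial, perms.group(1).split(), fields))
    denials = []
    for serial, perms, avc in sorted(avcs, key=lambda a: a[0]):
        denials.append({
            "serial": serial, "perms": perms, "tclass": avc.get("tclass"),
            "source": selinux_type(avc.get("scontext", "")),
            "target": selinux_type(avc.get("tcontext", "")),
            "port": int(avc.get("dest") or avc.get("src") or 0) or None,
            "comm": avc.get("comm"), "exe": syscalls.get(serial, {}).get("exe"),
        })
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d["source"], d["perms"], d["target"], d["port"], d["exe"])
```

A test step that expects "no AVCs" can treat a non-empty result as a failure and print the source type, permission, target type and port for each entry.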