Bug 468149 - SELinux is preventing genhomedircon from name_connect and name_bind
Summary: SELinux is preventing genhomedircon from name_connect and name_bind
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-10-23 09:07 UTC by Milos Malik
Modified: 2008-10-30 11:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-23 14:42:50 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2008-10-23 09:07:31 UTC
Description of problem:
----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaee4b8 a2=2d2ff4 a3=5 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.545:12735): avc:  denied  { name_connect } for  pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaee44c a2=2d2ff4 a3=bfaee460 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.546:12736): avc:  denied  { name_bind } for  pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----

The problem was found on 3 different machines (stable systems) which we use for errata testing. Unfortunately these machines can be misconfigured, because a lot of testers use them.

Version-Release number of selected component (if applicable):

policycoreutils-1.33.12-14.1.el5.x86_64
policycoreutils-debuginfo-1.33.12-14.1.el5.x86_64
policycoreutils-gui-1.33.12-14.1.el5.x86_64
policycoreutils-newrole-1.33.12-14.1.el5.x86_64
selinux-policy-2.4.6-137.1.el5_2.noarch
selinux-policy-devel-2.4.6-137.1.el5_2.noarch
selinux-policy-mls-2.4.6-137.1.el5_2.noarch
selinux-policy-strict-2.4.6-137.1.el5_2.noarch
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch
tps-polling-2.30-6.noarch

How reproducible:
always

Steps to Reproduce:
# tps-cd 2009:8005
# tps 2009:8005
# less tps-rpmtest.report
# ausearch -ts recent -m AVC
  
Actual results:
AVCs

Expected results:
no AVCs

Additional info:

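The two audit events above are the raw material of this report: a SYSCALL record and an AVC record that share a serial number, with the denied permission, the source domain (semanage_t), the target port type and the port number spread across them. The following is an added example (written for this page, not code from the reporter, the selinux-policy package or any audit tool) that parses such records, pairs each AVC denial with its SYSCALL record, and maps the two denial signatures seen here to the boolean named in comment 1. The sample input is the report's own two events rejoined onto one line per record; the BOOLEAN_HINTS table is a hypothetical triage aid derived from this thread's diagnosis, not from any policy database.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two events from the report, one line per
# record as ausearch prints them. Field values are the page's own.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaee4b8 a2=2d2ff4 a3=5 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.545:12735): avc:  denied  { name_connect } for  pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaee44c a2=2d2ff4 a3=bfaee460 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.546:12736): avc:  denied  { name_bind } for  pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body: str) -> Dict[str, str]:
    """Split an audit record body into key=value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


@dataclass
class AvcDenial:
    serial: int
    timestamp: float
    permissions: List[str]
    fields: Dict[str, str]                                  # pid, comm, dest/src, scontext, tcontext, tclass
    syscall: Dict[str, str] = field(default_factory=dict)   # paired SYSCALL record, if one was seen

    @staticmethod
    def _type_of(ctx: str) -> str:
        return ctx.split(":")[2]        # user:role:type[:range] -> type

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])

    @property
    def port(self) -> Optional[int]:
        # name_connect records carry dest=, name_bind records carry src=
        for key in ("dest", "src"):
            if key in self.fields:
                return int(self.fields[key])
        return None


def parse_denials(text: str) -> List[AvcDenial]:
    """Collect AVC 'denied' records and pair each with the SYSCALL record sharing its serial."""
    syscalls: Dict[int, Dict[str, str]] = {}
    denials: List[AvcDenial] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue                    # time-> separators, ---- lines, anything unparsed
        serial = int(m["serial"])
        if m["type"] == "SYSCALL":
            syscalls[serial] = parse_fields(m["body"])
        elif m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if not a or a["result"] != "denied":
                continue
            denials.append(AvcDenial(serial, float(m["ts"]), a["perms"].split(), parse_fields(a["rest"])))
    for d in denials:
        d.syscall = syscalls.get(d.serial, {})
    return denials


# Hypothetical triage table taken from comment 1 of this report (not from any policy
# tool): (source type, class, permission, target type) -> boolean worth checking.
BOOLEAN_HINTS = {
    ("semanage_t", "tcp_socket", "name_connect", "portmap_port_t"): "allow_ypbind",
    ("semanage_t", "tcp_socket", "name_bind", "hi_reserved_port_t"): "allow_ypbind",
}


def suggest_boolean(d: AvcDenial) -> Optional[str]:
    """Return the boolean this thread associates with the denial's signature, if any."""
    for perm in d.permissions:
        hint = BOOLEAN_HINTS.get((d.source_type, d.fields.get("tclass"), perm, d.target_type))
        if hint:
            return hint
    return None


def summarize(text: str) -> List[str]:
    """One triage line per denial: who was denied what, on which port, and what to check."""
    out = []
    for d in parse_denials(text):
        exe = d.syscall.get("exe", "?")
        ok = d.syscall.get("success", "?")
        hint = suggest_boolean(d) or "no boolean known; review policy"
        out.append(f"serial={d.serial} {d.fields['comm']} ({exe}, {d.source_type}) denied "
                   f"{','.join(d.permissions)} on {d.fields['tclass']} port {d.port} "
                   f"[{d.target_type}] success={ok} -> check: {hint}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT):
        print(line)
```

Pairing on the serial is what lets the triage line show that the syscall actually failed (success=no, exit=-13) rather than merely being logged, and which interpreter ran the script; the hints table is deliberately keyed on the full (domain, class, permission, target type) tuple so that an unrelated name_connect from another domain does not get the same advice.
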
Comment 1 Daniel Walsh 2008-10-23 14:42:50 UTC
setsebool -P allow_ypbind=1 

Should fix this.  

I believe these machines are running in an NIS environment without this being set permanently which can cause these avc messages.

Comment 2 Ian Kent 2008-10-24 13:45:50 UTC
(In reply to comment #1)
> setsebool -P allow_ypbind=1 
> 
> Should fix this.  
> 
> I believe these machines are running in an NIS environment without this being
> set permanently which can cause these avc messages.

The runtest.sh script in autofs-test/bugzillas which is used for
the autofs workflow executes "setsebool -P allow_ypbind=1" prior
to running tests?

Ian

Comment 3 Daniel Walsh 2008-10-24 14:12:39 UTC
The trouble is the act of running this command causes the problem.

So you need this set before running the test.

Can we configure the machine without nis?

Or can we have the machine configured properly with nis before we run the test

Comment 4 Daniel Walsh 2008-10-24 14:22:14 UTC
Ian if you remove the -P, I think this will work.

No need to make permanent change, since the system is going away after the test.

Comment 5 Ian Kent 2008-10-30 11:34:21 UTC
(In reply to comment #4)
> Ian if you remove the -P, I think this will work.
> 
> No need to make permanent change, since the system is going away after the
> test.

But will the setsebool still cause the AVC?
Remember that, as far as I am concerned, the machine is already
installed and ready to go before a test script is run by the
RHTS system. So, the fact that setting this causes the AVC we
want to avoid is not something I can change, whether I use the
permanent flag or not.

Ian

