Bug 468149 - SELinux is preventing genhomedircon from name_connect and name_bind
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2008-10-23 05:07 EDT by Milos Malik
Modified: 2008-10-30 07:34 EDT
Last Closed: 2008-10-23 10:42:50 EDT
Description Milos Malik 2008-10-23 05:07:31 EDT
Description of problem:
----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaee4b8 a2=2d2ff4 a3=5 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.545:12735): avc:  denied  { name_connect } for  pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Thu Oct 23 04:56:06 2008
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaee44c a2=2d2ff4 a3=bfaee460 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.546:12736): avc:  denied  { name_bind } for  pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----

The problem was found on 3 different machines (stable systems) which we use for errata testing. Unfortunately these machines can be misconfigured, because a lot of testers use them.

Version-Release number of selected component (if applicable):

policycoreutils-1.33.12-14.1.el5.x86_64
policycoreutils-debuginfo-1.33.12-14.1.el5.x86_64
policycoreutils-gui-1.33.12-14.1.el5.x86_64
policycoreutils-newrole-1.33.12-14.1.el5.x86_64
selinux-policy-2.4.6-137.1.el5_2.noarch
selinux-policy-devel-2.4.6-137.1.el5_2.noarch
selinux-policy-mls-2.4.6-137.1.el5_2.noarch
selinux-policy-strict-2.4.6-137.1.el5_2.noarch
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch
tps-polling-2.30-6.noarch

How reproducible:
always

Steps to Reproduce:
# tps-cd 2009:8005
# tps 2009:8005
# less tps-rpmtest.report
# ausearch -ts recent -m AVC
  
Actual results:
AVCs

Expected results:
no AVCs

Additional info:
Comment 1 Daniel Walsh 2008-10-23 10:42:50 EDT
setsebool -P allow_ypbind=1 

Should fix this.  

I believe these machines are running in an NIS environment without this being set permanently which can cause these avc messages.
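Decoding the two records in the description, as an added example (this is not code from the bug report, from genhomedircon, or from audit2why). The sample input is the report's own two SYSCALL/AVC pairs re-embedded as a constructed string; the socketcall subcall decode (arch 40000003 is i386, syscall 102 is socketcall, a0 selects bind/connect, exit -13 is EACCES) is standard kernel ABI. The boolean hint at the end is an illustrative heuristic that encodes the diagnosis in comment 1 (portmapper connect plus reserved-port bind from a non-network domain is an NIS client RPC), not the policy's actual tunable logic:

```python
"""Pair SYSCALL and AVC audit records by serial, decode them, and flag the NIS-client pattern."""
import re

# Constructed sample: the two records from the bug description (line wrapping removed).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1224752166.545:12735): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaee4b8 a2=2d2ff4 a3=5 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.545:12735): avc:  denied  { name_connect } for  pid=29336 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1224752166.546:12736): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaee44c a2=2d2ff4 a3=bfaee460 items=0 ppid=29334 pid=29336 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1912 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1224752166.546:12736): avc:  denied  { name_bind } for  pid=29336 comm="genhomedircon" src=680 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

# i386 ABI (arch=40000003): syscall 102 is socketcall and a0 is the subcall number.
I386_SYSCALLS = {102: "socketcall"}
SOCKETCALL_SUBCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}
ERRNO_NAMES = {-13: "EACCES"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # key=value, key="value", key=(null)
PERM_RE = re.compile(r'\{\s*([^}]+?)\s*\}')                 # the { perm ... } set in an AVC line
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_fields(line):
    """Split an audit line into a dict of key/value fields (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def context_type(ctx):
    """user:role:type[:mls] -> type  (e.g. semanage_t, portmap_port_t)."""
    return ctx.split(":")[2]


def decode_syscall(f):
    """Name the syscall of an i386 SYSCALL record, expanding socketcall via a0."""
    nr = int(f["syscall"])
    name = I386_SYSCALLS.get(nr, "syscall#%d" % nr)
    if name == "socketcall":
        sub = SOCKETCALL_SUBCALLS.get(int(f["a0"], 16), "sub#" + f["a0"])
        name = "socketcall:" + sub
    return name


def parse_records(text):
    """Group SYSCALL and AVC lines that share an audit serial number."""
    recs = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        f = parse_fields(line)
        rec = recs.setdefault(int(m.group(2)), {"syscall": None, "avcs": []})
        if f["type"] == "SYSCALL":
            rec["syscall"] = f
        elif f["type"] == "AVC":
            pm = PERM_RE.search(line)
            f["perms"] = pm.group(1).split() if pm else []
            rec["avcs"].append(f)
    return recs


def explain(text):
    """One finding per AVC: which domain was denied which permission, on what port, via which call."""
    findings = []
    for serial, rec in sorted(parse_records(text).items()):
        sc = rec["syscall"]
        for avc in rec["avcs"]:
            port = avc.get("dest") or avc.get("src")   # dest for connect, src for bind
            findings.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "call": decode_syscall(sc) if sc else None,
                "errno": ERRNO_NAMES.get(int(sc["exit"]), sc["exit"]) if sc else None,
                "perm": " ".join(avc["perms"]),
                "sdomain": context_type(avc["scontext"]),
                "ttype": context_type(avc["tcontext"]),
                "tclass": avc["tclass"],
                "port": int(port) if port else None,
            })
    return findings


def suggest_booleans(findings):
    """Illustrative heuristic (assumption of this example, not audit2why's tables):
    a connect to portmap_port_t plus a bind to a reserved port type from the same
    denied set is the footprint of an NIS client RPC, which comment 1 says the
    allow_ypbind boolean covers."""
    portmap = any(f["perm"] == "name_connect" and f["ttype"] == "portmap_port_t" for f in findings)
    reserved = any(f["perm"] == "name_bind" and f["ttype"].endswith("reserved_port_t") for f in findings)
    return ["allow_ypbind"] if portmap and reserved else []


if __name__ == "__main__":
    found = explain(SAMPLE_AUDIT)
    for f in found:
        print("%d: %s (%s) %s -> %s: denied %s on %s %s port %s" % (
            f["serial"], f["comm"], f["sdomain"], f["call"], f["errno"],
            f["perm"], f["tclass"], f["ttype"], f["port"]))
    for b in suggest_booleans(found):
        print("hint: check 'getsebool %s'; the fix in this report was 'setsebool -P %s=1'" % (b, b))
```

Run it against `ausearch -m AVC -ts recent --raw` output instead of the embedded sample to see the same decode on a live machine; the two-record sample only shows the shape of the finding that triggered comment 1's suggestion.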
Comment 2 Ian Kent 2008-10-24 09:45:50 EDT
(In reply to comment #1)
> setsebool -P allow_ypbind=1 
> 
> Should fix this.  
> 
> I believe these machines are running in an NIS environment without this being
> set permanently which can cause these avc messages.

The runtest.sh script in autofs-test/bugzillas which is used for
the autofs workflow executes "setsebool -P allow_ypbind=1" prior
to running tests?

Ian
Comment 3 Daniel Walsh 2008-10-24 10:12:39 EDT
The trouble is the act of running this command causes the problem.

So you need this set before running the test.

Can we configure the machine without nis?

Or can we have the machine configured properly with nis before we run the test
Comment 4 Daniel Walsh 2008-10-24 10:22:14 EDT
Ian if you remove the -P, I think this will work.

No need to make permanent change, since the system is going away after the test.
Comment 5 Ian Kent 2008-10-30 07:34:21 EDT
(In reply to comment #4)
> Ian if you remove the -P, I think this will work.
> 
> No need to make permanent change, since the system is going away after the
> test.

But will the setsebool still cause the AVC?
Remember that, as far as I am concerned, the machine is already
installed and ready to go before a test script is run by the
RHTS system. So, the fact that setting this causes the AVC we
want to avoid is not something I can change, whether I use the
permanent flag or not.

Ian
