Red Hat Bugzilla – Bug 468356
selinux prevents slapd from accessing the yp dir
Last modified: 2008-10-31 08:42:13 EDT
Please see http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=4813159 or http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=4814565
Did this machine have the allow_ypbind boolean set?
setsebool -P allow_ypbind 1
Any test on a NIS machine requires this boolean be set.
The autofs tests should be fixed (soon, if not already).
Adding it to RHTS setup globally does not make sense, IMHO,
but if everything NIS-related needs this, then it should be added as a default configuration to the affected packages.
-P causes a permanent change and rebuild of policy. Rebuilding policy regenerates the file context through genhomedircon, which calls getpw, which generates the AVC.
setsebool allow_ypbind 1
Just changes the in-kernel memory, which should not generate the AVC, and prevents further AVCs.
(In reply to comment #7)
> -P causes a permanent change and rebuild of policy. Rebuilding policy
> regenerates the file context through genhomedircon, which calls getpw, which
> generates the AVC.
> setsebool allow_ypbind 1
> Just changes the in-kernel memory, which should not generate the AVC, and
> prevents further AVCs.
And causes stopping the client to clear allow_ypbind.
If the client is stopped before the server would that cause other
AVCs when the server is stopped? What about if the client on the
server is re-started, won't that also cause this boolean to end up
cleared and an AVC when the client is started?
I've made the recommended change to the setsebool, taking
account of my comments in #8, run the autofs tests and the
reported AVC messages are still present.
Karel, if the test machines are going to be NIS then they need this boolean set. Otherwise you can get these spurious AVC messages in the tests, because the tests are being run on machines that are not configured correctly.