Bug 468356 - selinux prevents slapd from accessing the yp dir
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2008-10-24 06:20 EDT by Karel Volný
Modified: 2008-10-31 08:42 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-24 08:47:37 EDT
Comment 2 Daniel Walsh 2008-10-24 08:47:37 EDT
Did this machine have the allow_ypbind boolean set?

setsebool -P allow_ypbind 1

Any test on a nis machine requires this boolean be set.
Comment 4 Karel Volný 2008-10-30 05:37:35 EDT
the autofs tests should be fixed (soon if not already)

adding it to RHTS setup globally does not make sense, IMHO

but if everything NIS related needs this, then it should be added as a default configuration to the affected packages
Comment 7 Daniel Walsh 2008-10-30 13:38:18 EDT

-P causes a permanent change and rebuild of policy.  Rebuilding policy regenerates the file context through genhomedircon, which calls getpw which generates the avc.

setsebool allow_ypbind 1

Just changes the in kernel memory, which should not generate the avc, and prevent further avc's.
Comment 8 Ian Kent 2008-10-30 20:24:14 EDT
(In reply to comment #7)
> 
> -P causes a permanent change and rebuild of policy.  Rebuilding policy
> regenerates the file context through genhomedircon, which calls getpw which
> generates the avc.
> 
> setsebool allow_ypbind 1
> 
> Just changes the in kernel memory, which should not generate the avc, and
> prevent further avc's.

And causes stopping the client to clear allow_ypbind.

If the client is stopped before the server would that cause other
AVCs when the server is stopped? What about if the client on the
server is re-started, won't that also cause this boolean to end up
cleared and an AVC when the client is started?
Comment 9 Ian Kent 2008-10-30 22:25:21 EDT
I've made the recommended change to the setsebool, taking
account of my comments in #8, run the autofs tests and the
reported AVC messages are still present.
Comment 10 Daniel Walsh 2008-10-31 08:42:13 EDT
Karel, if the test machines are going to be NIS then they need this boolean set.  Otherwise you can get these spurious AVC messages in the tests, because the tests are being run on machines that are not configured correctly.
