Bug 538992 - SELinux prevented abrtd from using NIS (yp).
Summary: SELinux prevented abrtd from using NIS (yp).
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:207a98de269...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-19 16:21 UTC by Bernd Bartmann
Modified: 2009-12-02 04:38 UTC (History)
2 users (show)

Fixed In Version: 3.6.32-49.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-01 16:40:39 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Bernd Bartmann 2009-11-19 16:21:15 UTC
Zusammenfassung:

SELinux prevented abrtd from using NIS (yp).

Detaillierte Beschreibung:

[abrtd hat einen toleranten Typ (abrt_t). Dieser Zugriff wurde nicht
verweigert.]

SELinux prevented abrtd from using NIS (yp) for authentication. If you have
configured the system to use NIS this access is expected but is not currently
allowed by SELinux. Otherwise this access may signal an intrusion.

Zugriff erlauben:

Changing the "allow_ypbind" boolean to true will allow this access: "setsebool
-P allow_ypbind=1."

Fixer Befehl:

setsebool -P allow_ypbind=1

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:abrt_t:s0
Zielkontext                   system_u:object_r:var_yp_t:s0
Zielobjekte                   ncc1701d.2 [ file ]
Quelle                        abrtd
Quellen-Pfad                  /usr/sbin/abrtd
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            abrt-0.0.11-2.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-41.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   allow_ypbind
Hostname                      (removed)
Plattform                     Linux (removed)
                              2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
                              21:25:57 EST 2009 i686 i686
Anzahl der Alarme             2
Zuerst gesehen                Mi 18 Nov 2009 20:16:11 CET
Zuletzt gesehen               Mi 18 Nov 2009 20:16:11 CET
Lokale ID                     3ed36108-9ee6-4e50-ad3a-928917d483e1
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1258571771.118:26): avc:  denied  { read } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1258571771.118:26): avc:  denied  { open } for  pid=1291 comm="abrtd" name="ncc1701d.2" dev=sda5 ino=151611 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258571771.118:26): arch=40000003 syscall=5 success=yes exit=9 a0=bf8cb810 a1=0 a2=a9bb75 a3=bf8cb810 items=0 ppid=1 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,allow_ypbind,abrtd,abrt_t,var_yp_t,file,read
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t var_yp_t:file { read open };

Comment 1 Daniel Walsh 2009-11-19 18:53:14 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-48.fc12.noarch

Comment 2 Fedora Update System 2009-11-23 23:37:29 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 3 Fedora Update System 2009-11-25 15:20:27 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 4 Fedora Update System 2009-12-02 04:32:00 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.