Bug 741141 - Selinux bool allow_ypbind gets turned off on reboot
Summary: Selinux bool allow_ypbind gets turned off on reboot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ypbind
Version: 16
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Honza Horak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-26 00:54 UTC by David Highley
Modified: 2011-10-04 21:13 UTC (History)
11 users (show)

Fixed In Version: ypbind-1.33-7.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-04 21:13:20 UTC


Attachments (Terms of Use)

Description David Highley 2011-09-26 00:54:24 UTC
Description of problem:
The selinux bool allow_ypbind is getting turned off during a reboot.

Version-Release number of selected component (if applicable):
systemd-35-1.fc16.x86_64

How reproducible:
Everytime

Steps to Reproduce:
1. setsebool -P allow_ypbind on
2. reboot or init 6
3. getsebool allow_ypbind
  
Actual results:


Expected results:


Additional info:

Comment 1 Michal Schmidt 2011-09-26 08:11:43 UTC
systemd does not do that.
ypbind.service fiddles with it. Reassigning.

Comment 2 Fedora Update System 2011-09-26 12:45:11 UTC
ypbind-1.33-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ypbind-1.33-7.fc16

Comment 3 Fedora Update System 2011-09-26 16:48:22 UTC
Package ypbind-1.33-7.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ypbind-1.33-7.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/ypbind-1.33-7.fc16
then log in and leave karma (feedback).

Comment 4 Daniel Walsh 2011-09-26 17:30:04 UTC
I think we should just remove this functionality.

This never worked that well in the init script, users should just turn on the boolean or move to sssd for resolution which is the real secure way to do this.

Comment 5 Honza Horak 2011-09-27 07:04:42 UTC
(In reply to comment #4)
> I think we should just remove this functionality.
> 
> This never worked that well in the init script, users should just turn on the
> boolean or move to sssd for resolution which is the real secure way to do this.

Oh, I haven't leave a comment here, but turning off allow_ypbind is now removed at all, since it isn't used in F15 or F14. 

OTOH, turning on allow_ypbind is still used, in the same way as in F15 and F14. Do you think this should be removed too? 

Personally, I think many users would be confused if we do that, since authconfig doesn't turn the boolean on (and is probably widely used to configure NIS) and IMHO shouldn't do that.

Comment 6 Daniel Walsh 2011-09-27 13:27:04 UTC
The problem with turning this boolean on in the ypbind init script or systemctl is that it is too late.  authconfig is where it should be turned on.

Comment 7 Honza Horak 2011-09-27 14:01:52 UTC
(In reply to comment #6)
> The problem with turning this boolean on in the ypbind init script or systemctl
> is that it is too late.  authconfig is where it should be turned on.

Sounds reasonable. I've reported this RFE as a bug #741646 and will let this bug closed.

Comment 8 Fedora Update System 2011-10-04 21:13:12 UTC
ypbind-1.33-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.