This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 839404 - SELinux issues when enabling NIS
SELinux issues when enabling NIS
Status: NEW
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: authconfig (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE - Apps
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-11 17:14 EDT by John W. Lockhart
Modified: 2016-07-01 05:33 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description John W. Lockhart 2012-07-11 17:14:58 EDT
Description of problem:

When authconfig is used to enable NIS via anaconda/kickstart, the SELinux context on /etc/yp.conf is incorrect.  Although NIS winds up enabled, the SELinux policy is not updated to allow use of NIS.

Version-Release number of selected component (if applicable):
authconfig-6.1.12-10.el6

How reproducible:
(Substitute your own servers for the Example entries below)
Create a Kickstart with the following:

authconfig --enablemd5 --enableshadow --enablenis --nisdomain example.com --nisserver nis.example.com --enablekrb5 --krb5realm EXAMPLE.COM

Steps to Reproduce:
1. Install a box via kickstart with an authconfig command similar to the above.
2. Ensure that SELinux is Enforcing and that auditd is installed and enabled
3. ssh into the resulting system
4. Check /var/log/messages and ls -lZ /etc/yp.conf
  
Actual results:
yp.conf has context: system_u:object_r:etc_t:s0
Lots of AVC messages involving sshd and dbus attempting to use bind/named_sockets.


Expected results:
yp.conf has context: system_u:object_r:net_conf_t:s0
No AVC messages.

Additional info:
This can be fixed or worked around by:
  restorecon /etc/yp.conf
  setsebool -P allow_ypbind 1
Comment 4 Tomas Mraz 2012-07-11 17:52:02 EDT
The boolean is supposed to be set by the init script of ypbind.

Not sure about the context on yp.conf - running restorecon from authconfig doesn't seem to me as a the best way.
Comment 5 John W. Lockhart 2012-07-11 18:05:21 EDT
In this case, ypbind wasn't actually started; thus setsebool wasn't executed.

authconfig does manipulate yp.conf, in /usr/share/authconfig/authinfo.py.  If that manipulation is causing a change of SELinux context, there's likely a fix to be made there.  Since authconfig is being called from kickstart here, I haven't been able to check what the original context of the file was.
Comment 6 Miroslav Grepl 2012-07-12 06:04:58 EDT
This is a problem on RHEL6.3 without filename transition. Could we run the restorecon also in the init script?
Comment 7 Honza Horak 2012-07-12 09:30:13 EDT
There is another bug #681134 similar to this one. John, can you confirm that the SELinux messages are the same and are emitted by dhclient-script?

There is also a patch attached to bug #681134, if you could reproduce this failure, does the patch fixes it?
Comment 8 John W. Lockhart 2012-07-12 13:00:42 EDT
The messages I'm seeing are a result of not having started ypbind (and thus having setsebool run):

SELinux is preventing /bin/dbus-daemon from name_bind access on the tcp_socket
SELinux is preventing /bin/dbus-daemon from name_connect access on the tcp_socket
SELinux is preventing /usr/sbin/ntpdate from name_bind access on the tcp_socket
SELinux is preventing /usr/sbin/ntpdate from name_connect access on the tcp_socket
SELinux is preventing /usr/bin/procmail from name_bind access on the tcp_socket
SELinux is preventing /usr/bin/procmail from name_connect access on the tcp_socket

Not sure which fix (restorecon or setsebool) got rid of this one:
SELinux is preventing /usr/sbin/sshd from search access on the directory /var/yp

I'm not seeing any avc messages about dhclient in the logs, although /sbin/dhclient has been running just fine both before and after the restorecon/setsebool changes.

I did confirm that the ypbind rpm creates a yp.conf file with the correct context, by:
# rpm --nodeps --root /test_ypconf -ivh ypbind-1.20.4-29.el6.x86_64.rpm
and checking the ensuing /test_ypconf/etc/yp.conf file.

So something else is changing the context someplace.

From what I see in the logs, the sequence was:
  - Fresh 6.3 install
  - in %post, Configure RHN, run updates, install additional packages
  - reboot
  - observe AVC messages only after the reboot

But note that ypbind wasn't actually chkconfig'd to start on boot.  (That's on the list of things to address in the next revision of the %post for this machine.)
Comment 9 Honza Horak 2012-07-16 14:08:56 EDT
(In reply to comment #6)
> This is a problem on RHEL6.3 without filename transition. Could we run the
> restorecon also in the init script?

We probably could, but if the messages appear even before ypbind is started, it should be called from authinfo.py script as John suggests, probably together with setsebool call. Is this a problem to do in authconfig for some reason?
Comment 10 Honza Horak 2012-07-17 10:08:58 EDT
(In reply to comment #8)
> Not sure which fix (restorecon or setsebool) got rid of this one:
> SELinux is preventing /usr/sbin/sshd from search access on the directory
> /var/yp

I reproduced this with a kickstart containing authconfig command as mentioned above and then tried to use "setsebool -P allow_ypbind on" and "restorecon /etc/yp.conf" in %post section of the kickstart. Using setsebool is enough to get rid of all messages, so I'd say that wrong context is a different issue (btw. already reported separately in bug #681134, now we have even a reproducer for it).

Thinking a bit more about it, it doesn't make sense to have NIS configured using authconfig and not have allow_ypbind on. A bug proposing turning on it in authconfig already exists (bug #741646), but was closed as wontfix. Without that we can't get rid of such AVC messages before ypbind is started, so re-assigning back to authconfig, since I don't see a solution that can be made in ypbind.
Comment 11 Tomas Mraz 2012-07-19 09:31:19 EDT
I just want to verify it again, just doing setsebool -P allow_ypbind 1 fixes the avcs for you?
Comment 12 RHEL Product and Program Management 2012-09-07 01:26:01 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2013-10-13 20:34:17 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 15 Miroslav Grepl 2014-11-07 05:48:45 EST
(In reply to Honza Horak from comment #9)
> (In reply to comment #6)
> > This is a problem on RHEL6.3 without filename transition. Could we run the
> > restorecon also in the init script?
> 
> We probably could, but if the messages appear even before ypbind is started,
> it should be called from authinfo.py script as John suggests, probably
> together with setsebool call. Is this a problem to do in authconfig for some
> reason?

authconfig is unconfined domain.

Note You need to log in before you can comment on or make changes to this bug.