Bug 872559 - ypbind-1.36-7.fc16 doesn't start because of an SELinux problem (search init_var_run_t denied)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 872790
Depends On:
Blocks:
 
Reported: 2012-11-02 12:41 UTC by Edgar Hoch
Modified: 2012-11-20 02:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-11-20 02:59:03 UTC
Type: Bug
Embargoed:



Description Edgar Hoch 2012-11-02 12:41:42 UTC
Description of problem:

Today yum-updatesd has updated ypbind from version 1.35-5.fc16 to 1.36-7.fc16.

Now ypbind doesn't start anymore!

This means that all hosts that depend on ypbind cannot be used.

I tried "setenforce 0" to check whether it is an SELinux problem.
The result: With SELinux set to permissive ypbind starts.

I checked the log files and found the following:

type=AVC msg=audit(1351855026.181:320): avc:  denied  { search } for  pid=6085 comm="ypbind" name="systemd" dev="tmpfs" ino=8693 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1351855026.181:320): arch=x86_64 syscall=sendmsg success=no exit=EACCES a0=8 a1=7fff08f82720 a2=4000 a3=7fff08f824b0 items=0 ppid=1 pid=6085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ypbind exe=/usr/sbin/ypbind subj=system_u:system_r:ypbind_t:s0 key=(null)


"grep ypbind /var/log/audit/audit.log | audit2allow"
suggests:
#============= ypbind_t ==============
allow ypbind_t init_var_run_t:dir search;


With the previous ypbind version all worked fine. With 1.36-7 ypbind doesn't start.

I don't see an update of selinux packages in the last few days, so I assigned this bug report to ypbind. If you think that another package, like selinux, would be a better assignment, please change it.


Version-Release number of selected component (if applicable):
ypbind-1.36-7.fc16.x86_64

How reproducible:
Always.

Steps to Reproduce:
systemctl restart ypbind
  
Actual results:
ypbind failed to start.

Expected results:
ypbind should run.

Comment 1 stepglenn 2012-11-02 13:12:43 UTC
I found the same issue this morning. Added a quick little semodule to "fix" this issue TEMPORARILY.

module mypol 1.0;

require {
        type init_var_run_t;
        type ypbind_t;
        class dir search;
}

#============= ypbind_t ==============
allow ypbind_t init_var_run_t:dir search;
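The AVC record in the description and the module in Comment 1 are the two halves of the usual triage loop: read the denial, then decide whether the rule audit2allow proposes is acceptable. The following is an added example, not code from the report or from audit2allow, that parses the posted AVC line and generates the same `mypol` module shown above (the SYSCALL record is skipped, since only AVC records carry contexts). The sample log text is copied from the description; the function and variable names are this example's own. Its value for a defender is that the generated rule is exactly what was denied and nothing more, which is what you should verify before loading a module with `semodule -i` instead of granting broader access.

```python
import re
from collections import defaultdict

# Audit records as posted in the bug description above (Comment 0).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1351855026.181:320): avc:  denied  { search } for  pid=6085 comm="ypbind" name="systemd" dev="tmpfs" ino=8693 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1351855026.181:320): arch=x86_64 syscall=sendmsg success=no exit=EACCES a0=8 a1=7fff08f82720 a2=4000 a3=7fff08f824b0 items=0 ppid=1 pid=6085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ypbind exe=/usr/sbin/ypbind subj=system_u:system_r:ypbind_t:s0 key=(null)
"""

# "avc:  denied  { search } for  pid=... tclass=dir"
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value tokens; values may be double-quoted (comm="ypbind") or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}

    def ctx_type(ctx):
        # user:role:type:level -> the type component is what policy rules use
        return ctx.split(":")[2]

    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": ctx_type(fields["scontext"]),
        "target_type": ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """Return the parsed AVC records found in an audit log, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def _fmt_perms(perms):
    # TE syntax: a single permission is bare, several are brace-wrapped
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(records, name="mypol", version="1.0"):
    """Build a minimal .te policy module that allows exactly the denied accesses."""
    rules = defaultdict(set)
    for r in records:
        if r["decision"] == "denied":
            rules[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"        type {t};" for t in sorted(types)]
    out += [f"        class {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(parse_audit_log(SAMPLE_AUDIT_LOG)), end="")
```

Running it prints the same `module mypol 1.0;` file as Comment 1. Because `build_module` unions permissions per (source, target, class) triple, several denials for the same pair collapse into one `allow` line, which is also how you notice when a daemon is asking for more than a single `search`.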

Comment 2 stepglenn 2012-11-02 13:46:11 UTC
By the way, I just noticed that the original report is for Fedora 16; this is an issue on the ypbind-1.36-7.fc17 (Fedora 17) update also.

Comment 3 Honza Horak 2012-11-02 14:08:08 UTC
Thanks for reporting, what version of selinux-policy do you have, please?

Comment 4 Edgar Hoch 2012-11-02 14:18:34 UTC
(In reply to comment #3)
> Thanks for reporting, what version of selinux-policy do you have, please?

Sorry, I forgot to append it:

selinux-policy-3.10.0-91.fc16.noarch
selinux-policy-targeted-3.10.0-91.fc16.noarch

Comment 5 Honza Horak 2012-11-02 14:25:42 UTC
Re-assigning to selinux-policy. Guys, please, add that rule.

I'm not sure about the details of accessing a file in /var/run, but I believe this AVC denial is caused by using an sd_notify message to indicate the daemon is ready, which reads/writes something to the systemd socket placed in /var/run.
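To make the mechanism in this comment concrete, here is an added example (not code from ypbind, systemd or the report) that re-implements the client side of the sd_notify(3) protocol in Python: look up $NOTIFY_SOCKET, open an AF_UNIX datagram socket and send "READY=1". The `demo` function plays the part of systemd by binding a socket in a temporary directory, so it runs without systemd; the socket name and helper names are this example's own assumptions. The datagram send is the `sendmsg` that the SYSCALL record shows failing with EACCES: with a filesystem-path socket, the kernel checks `search` on each directory component, so a daemon domain needs that permission on the directory holding the notify socket even though it never opens a file there.

```python
import os
import socket
import tempfile


def sd_notify(state, notify_socket=None):
    """Minimal re-implementation of libsystemd's sd_notify(3).

    Sends one datagram carrying `state` (for example "READY=1") to the
    socket named by $NOTIFY_SOCKET (or the explicit `notify_socket`).
    Returns True if a message was sent, False if no socket is configured,
    which is also what the real call does when run outside systemd.
    """
    addr = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not addr:
        return False
    if addr.startswith("@"):
        # '@' marks an abstract-namespace socket: no path, so no directory lookup
        addr = "\0" + addr[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        # This is the sendmsg() the AVC record shows being denied; for a
        # filesystem path the kernel needs 'search' on every directory
        # component (for systemd: /run/systemd, labelled init_var_run_t).
        s.sendto(state.encode(), addr)
    return True


def demo(state="READY=1"):
    """Stand in for systemd: bind a notify socket in a scratch directory,
    send a state message to it and return (sent, received_text).
    Constructed for this example only."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notify")  # hypothetical notify socket path
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as server:
            server.bind(path)
            server.settimeout(2)
            sent = sd_notify(state, notify_socket=path)
            data = server.recv(4096).decode()
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return sent, data


if __name__ == "__main__":
    print(demo())
```

The notification is sent once, at startup, which is consistent with Comment 7's observation that a daemon started under permissive mode keeps working after enforcing mode is switched back on: after "READY=1" the directory is never looked up again.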

Comment 6 stepglenn 2012-11-02 14:37:19 UTC
SELinux version on Fedora-17 is:
 selinux-policy-3.10.0-156.fc17.noarch
 selinux-policy-targeted-3.10.0-156.fc17.noarch

Comment 7 Stephen Tweedie 2012-11-03 13:18:23 UTC
Also the same problem with selinux on F16:
selinux-policy.noarch                       3.10.0-91.fc16              @updates
selinux-policy-targeted.noarch              3.10.0-91.fc16              @updates

"setenforce 0" allows the service to start; once it's up, it continues to work fine once enforcing mode is reenabled.

Same problem is seen on the older ypbind-1.36-6.fc16 package (which wasn't released, it's in updates-testing only.)  Downgrading again to ypbind-1.35-5.fc16 fixes it.

Comment 8 stepglenn 2012-11-04 14:23:07 UTC
Will this thread be updated by the SE folks?
Or do we need to look elsewhere?

(In reply to comment #5)
> Re-assigning to selinux-policy. Guys, please, add that rule.
> 
> I'm not sure about details of accessing a file in /var/run but I believe
> this AVC denial is caused by using sd_notify message to indicate daemon is
> ready, which reads/writes something into systemd socket placed in /var/run.

Comment 9 Honza Horak 2012-11-05 09:09:06 UTC
*** Bug 872790 has been marked as a duplicate of this bug. ***

Comment 10 Stephen Tweedie 2012-11-05 10:19:25 UTC
Bumping severity; a system with selinux enforcing and ypbind enabled cannot ever boot successfully with this issue.

Comment 11 Miroslav Grepl 2012-11-05 12:40:47 UTC
Added to F16/F17.

Comment 12 Honza Horak 2012-11-05 12:45:32 UTC
(In reply to comment #11)
> Added to F16/F17.

I guess it is natural, but just to be sure, the rule should be added to F18+ as well, if not already done.

Comment 13 Daniel Walsh 2012-11-05 15:44:20 UTC
Fixes always go into the latest release and then are backported.

Comment 14 stepglenn 2012-11-13 14:05:48 UTC
Fedora-17 update of selinux-policy has resolved this issue:

  selinux-policy-3.10.0-159.fc17.noarch
  selinux-policy-targeted-3.10.0-159.fc17.noarch

Thanks

Comment 15 Thomas J. Baker 2012-11-13 15:11:05 UTC
But it's still broken in F16.

Comment 16 stepglenn 2012-11-13 18:19:42 UTC
The Fedora-17 selinux-policy update (repo=updates) happened today, it may still be in process for Fedora-16.
(In reply to comment #15)
> But it's still broken in F16.

Comment 18 Fedora Update System 2012-11-13 18:31:17 UTC
selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-96.fc16

Comment 19 Stephen Tweedie 2012-11-14 13:29:35 UTC
Just tried with selinux-policy-targeted-3.10.0-96.fc16.noarch from koji, and it seems to be working: thanks!

Comment 20 Fedora Update System 2012-11-15 02:43:42 UTC
Package selinux-policy-3.10.0-96.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18243/selinux-policy-3.10.0-96.fc16
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2012-11-20 02:59:06 UTC
selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
