Description of problem:
As root I run: systemctl restart ypbind.service and it fails due to SELinux being fubar.

Additional info:
libreport version: 2.0.18
kernel:         3.6.3-1.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/ypbind from 'search' accesses on the directory systemd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that ypbind should be allowed search access on the systemd directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ypbind_t:s0
:Target Context                system_u:object_r:init_var_run_t:s0
:Target Objects                systemd [ dir ]
:Source                        ypbind
:Source Path                   /usr/sbin/ypbind
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ypbind-1.36-7.fc17.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.3-1.fc17.x86_64 #1 SMP Mon Oct
:                              22 15:32:35 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-11-07 15:41:13 PST
:Last Seen                     2012-11-07 16:03:29 PST
:Local ID                      de9bb680-a931-4994-8cef-f2174dacb576
:
:Raw Audit Messages
:type=AVC msg=audit(1352333009.931:86): avc: denied { search } for pid=1931 comm="ypbind" name="systemd" dev="tmpfs" ino=11633 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1352333009.931:86): arch=x86_64 syscall=sendmsg success=no exit=EACCES a0=8 a1=7fffe4579ca0 a2=4000 a3=7fffe4579a20 items=0 ppid=1 pid=1931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ypbind exe=/usr/sbin/ypbind subj=system_u:system_r:ypbind_t:s0 key=(null)
:
:Hash: ypbind,ypbind_t,init_var_run_t,dir,search
:
:audit2allow
:
:#============= ypbind_t ==============
:allow ypbind_t init_var_run_t:dir search;
:
:audit2allow -R
:
:#============= ypbind_t ==============
:allow ypbind_t init_var_run_t:dir search;
:
Created attachment 640480 [details] File: type
Created attachment 640481 [details] File: hashmarkername
I should add that ypbind worked just fine last week. I installed updates today and it quit working like this.
It has been fixed in the latest F17 policy which is available from updates-testing repo.
1.) Boot and log into Fedora 17:

$ sudo systemctl --failed
UNIT                         LOAD   ACTIVE SUB    JOB DESCRIPTION
systemd-...es-setup.service  loaded failed failed     Recreate Volatile Files and
ypbind.service               loaded failed failed     NIS/YP (Network Information

$ sudo systemctl status ypbind.service
ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain Binder
          Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
          Active: failed (Result: timeout) since Mon, 12 Nov 2012 08:49:01 +0100; 2min 42s ago
         Process: 1179 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1 (code=exited, status=0/SUCCESS)
         Process: 1148 ExecStartPre=/usr/libexec/ypbind-pre-setdomain (code=exited, status=0/SUCCESS)
        Main PID: 1210
          CGroup: name=systemd:/system/ypbind.service

Nov 12 09:47:31 host00.example.edu ypbind[1210]: syslog: unknown facility/p...
Nov 12 09:47:31 host00.example.edu ypbind[1210]: Permission denied

# Hostname/domain changed

2.) Try to restart failed services:

$ sudo systemctl restart ypbind.service
Job failed. See system journal and 'systemctl status' for details.

3.) SEAlert pops up and causes this bug report

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Please execute

# yum update selinux-policy-targeted --enablerepo=updates-testing
The update (comment #6) seems to be working for me - at least when setting SELinux back to enforcing and restarting:

$ sudo systemctl restart ypbind.service

I did not yet try a reboot, though. Thank you for the quick fix!
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.