On Feb 1, 2011, at 9:32 PM, Stephan Wiesand wrote:
> On Feb 2, 2011, at 00:34 , Don Krause wrote:
>
>> Is selinux on a default install of SL6 Beta 1 supposed to prevent ypbind
>> from working?
>
> Probably:
>
> # getsebool -a |grep yp
> allow_ypbind --> off
>
> Does "setsebool -P allow_ypbind on" make it work?
>
> - Stephan

I'll reinstall another vm and try it. I believe it may not however, as the
startup script tries to allow it and fails for some reason.

From /etc/init.d/ypbind:

selinux_on() {
    [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || return
    #echo $"Turning on allow_ypbind SELinux boolean"
    setsebool allow_ypbind=1
}

And:

start() {
    ...
    echo -n $"Starting NIS service: "
    selinux_on

And this doesn't work. But I'm also seeing other errors in init scripts,
particularly autofs that I'm currently troubleshooting.
Thanks!
>
>
>> I'm getting this error in the audit.log
>>
>> type=USER_AVC msg=audit(1296601650.114:34350): user pid=2262 uid=81
>> auid=4294967295 ses=4294967295
>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
>> send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager
>> member=state dest=org.freedesktop.NetworkManager spid=4805 tpid=3995
>> scontext=unconfined_u:system_r:ypbind_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus :
>> exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>>
>> When run through audit2allow, umm... damn, not found.. Hmm... Yeah,
>> policycoreutils is installed.. wtf?
>>
>> <begin rant>
>> audit2allow was moved from policycoreutils to policycoreutils-python. Has it
>> become a game at TUV to see how many separate packages can be built from one
>> src.rpm?
>> <end rant>
>>
>> Sorry, distracted for a moment..
>>
>> Anyway, after installing pcu-python for audit2allow, I get:
>>
>> module ypbind 1.0;
>>
>> require {
>> type unconfined_t;
>> type ypbind_t;
>> class dbus send_msg;
>> }
>>
>> #============= ypbind_t ==============
>> allow ypbind_t unconfined_t:dbus send_msg;
>>
>>
>> which looks reasonable, but I'm not an selinux guru.
--
Don Krause
Head Systems Geek,
Waver of Deceased Chickens.
Optivus Proton Therapy, Inc.
P.O. Box 608
Loma Linda, California 92354
909.799.8327 Tel
909.799.8366 Fax
[email protected]
www.optivus.com
"This message represents the official view of the voices in my head."
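
How the rule in the quoted audit2allow output follows from the quoted audit record, as an added sketch that is not part of the original thread and is not audit2allow's own code. The function names (ctx_type, parse_avc, allow_rule) are made up for this illustration; the record is the one from the message, rejoined onto one line.

```python
import re

# The USER_AVC record quoted in the message above, rejoined onto one line.
RECORD = (
    "type=USER_AVC msg=audit(1296601650.114:34350): user pid=2262 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { "
    "send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager "
    "member=state dest=org.freedesktop.NetworkManager spid=4805 tpid=3995 "
    "scontext=unconfined_u:system_r:ypbind_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(subj|scontext|tcontext|tclass)=(\S+)")


def ctx_type(ctx):
    """Type field of a user:role:type[:level] context; the level may itself
    contain colons (s0-s0:c0.c1023), so index from the left."""
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(record):
    """Return the fields of an AVC denial, or None if the record is not one."""
    m = AVC_RE.search(record)
    fields = dict(FIELD_RE.findall(record))
    if m is None or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        # subj= is the process that logged the denial (here dbus-daemon acting
        # as a userspace object manager), not the process that was denied.
        "reporter": ctx_type(fields.get("subj")),
        "source": ctx_type(fields["scontext"]),
        "target": ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
    }


def allow_rule(d):
    """Format the type-enforcement rule that would permit the parsed denial."""
    perms = d["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perm_s};"


if __name__ == "__main__":
    print(allow_rule(parse_avc(RECORD)))
```
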
