On Feb 3, 2011, at 1:39 PM, Troy Dawson wrote:

> Don Krause wrote:
>> Ok, this is definitely a bug. Well 2 actually.
>> But it doesn't appear in the publicly accessible bugzilla at RH.
>> Package ypbind actually depends on policycoreutils-python.
>
> This is a problem for both SL and RedHat. I just checked the dependencies.
>
>> A fresh install of SL6 Beta1, using "Software Development Workstation", and
>> selecting NIS under "Use Network Login", fails
>> to install policycoreutils-python, which contains "sesetbool". "sesetbool"
>> is called by /etc/init.d/ypbind to allow ypbind access.
>> Installing as "Basic Server" at least includes policycoreutils-python.
>> Unfortunately, bug number 2, is that "sesetbool allow_ypbind=1" doesn't
>> work, since the default selinux policy doesn't have
>> "allow_ypbind"
>
> I'm trying to test this on a real RHEL6 system.
> Aside from ypbind still not working, how can we tell "sesetbool
> allow_ypbind=1" doesn't work?
>
> Troy
>

On both test boxes I tried, one installed as "Software Development" and one
installed as "Basic Server",
I just tried to start ypbind via "service ypbind start". It would actually
start ypbind, but it wouldn't connect to
the ypmaster.
In /var/log/audit/audit.log I'd get:

type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager member=state dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 scontext=unconfined_u:system_r:ypbind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Then I'd run "sesetbool allow_ypbind=1" as it's found in /etc/init.d/ypbind,
and attempt to restart ypbind. I got the same denial in audit.log.
I ran the denial through audit2allow, which gave me:

module ypbind 1.0;

require {
    type unconfined_t;
    type ypbind_t;
    class dbus send_msg;
}

#============= ypbind_t ==============
allow ypbind_t unconfined_t:dbus send_msg;

Compile that to a module and install, then ypbind runs and connects as expected.
As Stephan recommended, I did a "getsebool -a | grep yp" which returned
"allow_ypbind --> on", (this is AFTER I did "sesetbool allow_ypbind=1") but
ypbind still wouldn't bind to the master.
On a completely fresh installation, "getsebool -a | grep yp" returns
"allow_ypbind --> off".
Thanks for looking!
--
Don Krause
Head Systems Geek,
Waver of Deceased Chickens.
Optivus Proton Therapy, Inc.
P.O. Box 608
Loma Linda, California 92354
909.799.8327 Tel
909.799.8366 Fax
[email protected]
www.optivus.com
"This message represents the official view of the voices in my head."
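
The mapping from the USER_AVC record above to the rule audit2allow produced, as an added example that is not part of the original message and is not audit2allow's own code: it pulls the source type, target type, class and permission out of the denial and emits a module granting only that access. The function names and the joined sample line are constructed for illustration.

```python
import re

# Constructed sample: the USER_AVC record from the message, joined onto one line.
SAMPLE = (
    "type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.NetworkManager member=state "
    "dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 "
    "scontext=unconfined_u:system_r:ypbind_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tclass=dbus : exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]

def parse_denial(line):
    """Return (source_type, target_type, class, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None or not m["perms"].strip():
        return None
    perms = tuple(sorted(m["perms"].split()))
    return selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perms

def perm_set(perms):
    """Policy syntax: a bare name for one permission, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_module(name, lines):
    """Emit type enforcement source granting only the accesses that were denied."""
    rules, classes = {}, {}
    for src, tgt, cls, perms in filter(None, map(parse_denial, lines)):
        rules.setdefault((src, tgt, cls), set()).update(perms)
        classes.setdefault(cls, set()).update(perms)
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {perm_set(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Reading the parsed tuple before loading a generated module shows exactly what is being granted: here, D-Bus `send_msg` from `ypbind_t` to `unconfined_t`, which is the access that remained denied after the boolean was set.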
