On Feb 3, 2011, at 2:20 PM, Don Krause wrote:

> 
> On Feb 3, 2011, at 1:39 PM, Troy Dawson wrote:
> 
>> Don Krause wrote:
>>> Ok, this is definitely a bug. Well 2 actually.
>>> But it doesn't appear in the publicly accessible bugzilla at RH.
>>> Package ypbind actually depends on policycoreutils-python.
>> 
>> This is a problem for both SL and RedHat.  I just checked the dependencies.
>> 
>>> A fresh install of SL6 Beta1, using "Software Development Workstation", and 
>>> selecting NIS under "Use Network Login", fails
>>> to install policycoreutils-python, which contains "sesetbool". "sesetbool" 
>>> is called by /etc/init.d/ypbind to allow ypbind access.
>>> Installing as "Basic Server" at least includes policycoreutils-python.
>>> Unfortunately, bug number 2, is that "sesetbool allow_ypbind=1" doesn't 
>>> work, since the default selinux policy doesn't have
>>> "allow_ypbind"
>> 
>> I'm trying to test this on a real RHEL6 system.
>> Aside from ypbind still not working, how can we tell "sesetbool 
>> allow_ypbind=1" doesn't work?
>> 
>> Troy
>> 
> 
> On both test boxes I tried, one installed as "Software Development" and one 
> installed as "Basic Server",
> I just tried to start ypbind via "service ypbind start". It would actually 
> start ypbind, but it wouldn't connect to
> the ypmaster.
> 
> In /var/log/audit/audit.log I'd get:
> 
> type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager member=state dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 scontext=unconfined_u:system_r:ypbind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> 
> Then I'd run "sesetbool allow_ypbind=1" as it's found in /etc/init.d/ypbind, 
> and attempt to restart ypbind. I got the same denial in audit.log
> 
> I ran the denial through audit2allow, which gave me:
> 
> module ypbind 1.0;
> 
> require {
>       type unconfined_t;
>       type ypbind_t;
>       class dbus send_msg;
> }
> 
> #============= ypbind_t ==============
> allow ypbind_t unconfined_t:dbus send_msg;
> 
> Compile that to a module and install, then ypbind runs and connects as 
> expected.
> 
> As Stephan recommended, I did a "getsebool -a | grep yp" which returned 
> "allow_ypbind --> on", (this is AFTER I did "sesetbool allow_ypbind=1") but 
> ypbind still wouldn't bind to the master.
> 
> On a completely fresh installation, "getsebool -a | grep yp" returns 
> "allow_ypbind --> off".
> 
> Thanks for looking!


Now, because things aren't weird enough.. I've set up the PXE boot environment, 
copied the anaconda-ks from
the test VM that was installed as "Software Development Workstation".  You 
know, the same one where ypbind
refused to work until I compiled a pp file and installed it? Except, now ypbind 
binds as expected.

Even stranger, policycoreutils-python is NOT installed, so sesetbool as 
expected by /etc/init.d/ypbind doesn't exist, yet
there's no selinux denial when installed this way.

Now I'm just confused....

Is it possible that this is a d-bus issue more than an selinux issue?

--
Don Krause                                                                   
Head Systems Geek, 
Waver of Deceased Chickens.
Optivus Proton Therapy, Inc.
P.O. Box 608
Loma Linda, California 92354
909.799.8327 Tel
909.799.8366 Fax
[email protected]
www.optivus.com
"This message represents the official view of the voices in my head."
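
Added example, not part of the original message and not code from SL or Red Hat: a small Python parser for the USER_AVC record quoted above, showing which source type, target type, class and permission the audit2allow rule is built from, and which userspace program reported the denial. The function names are illustrative assumptions, and the sample record is re-joined from the wrapped lines in the message.

```python
import re

# The USER_AVC record from the message above, re-joined onto one line.
SAMPLE = (
    "type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_call "
    "interface=org.freedesktop.NetworkManager member=state "
    "dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 "
    "scontext=unconfined_u:system_r:ypbind_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tclass=dbus : exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

def parse_avc(record):
    """Parse one AVC or USER_AVC denial; return None for anything else."""
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    rtype = re.match(r"type=(\w+)", record)
    if not denied or not rtype or not denied.group(1).split():
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", record))
    try:
        # A context is user:role:type[:level]; the policy rule uses the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"record": rtype.group(1), "source": source, "target": target,
            "tclass": tclass, "perms": denied.group(1).split(),
            # USER_AVC comes from a userspace object manager (here dbus-daemon).
            "exe": fields.get("exe", "").strip("\"'")}

def _perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def to_rule(d):
    return f"allow {d['source']} {d['target']}:{d['tclass']} {_perms(d['perms'])};"

def to_module(name, denials):
    """Build type-enforcement source in the layout shown in the message."""
    types = sorted({t for d in denials for t in (d["source"], d["target"])})
    classes = {}
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [to_rule(d) for d in denials]
    return "\n".join(out) + "\n"
```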





