FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-24-2009, 04:52 PM
Daniel J Walsh
 
Default service ypbind restart, denied access requested by genhomedircon

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
> On CentOS 5.2
> # ypcat -k auto.home
> * asen20:/export/Server/homes/&
>
> yp seems to be working for clients. BUT
>
> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
> to procedure ypproc_match (oasen,auto_home;-4)
>
> dox and asen20 is same machine (asen20 is a service IPaddress)
> cd /var/yp; make does not
> yp]# make
> gmake[1]: Entering directory `/var/yp/oasen'
> Updating passwd.byname...
> failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
> .....
>
> [root@dox yp]# service ypbind restart
> Shutting down NIS services: [ OK ]
> Turning off allow_ypbind SELinux boolean
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain: [ OK ]
> Listening for an NIS domain server..
>
> var log messages
> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
> changed to 0 by root
> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
> changed to 1 by root
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>
> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
> (inaddr_any_node_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_ubject_r:inaddr_any_node_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
> avc: denied { node_bind } for pid=5378 comm="genhomedircon"
> scontext=root:system_r:semanage_t:s0
> tcontext=system_ubject_r:inaddr_any_node_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
> (hi_reserved_port_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_ubject_r:hi_reserved_port_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port 890
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
> avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
> scontext=root:system_r:semanage_t:s0
> tcontext=system_ubject_r:hi_reserved_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
> <Unknown>
> (portmap_port_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_ubject_rortmap_port_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port 111
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
> avc: denied { name_connect } for pid=5378 comm="genhomedircon"
> dest=111 scontext=root:system_r:semanage_t:s0
> tcontext=system_ubject_rortmap_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.

I believe there is a fix available in 5.3, But I am not sure.

If you edit the /etc/init.d/ypbind script there is a bug when turning on
or off the service. I believe there is a random "1" character in there.
Removing this character will cause the AVC to dissapear.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmkM+sACgkQrlYvE4MpobMx0QCeJT7vpNJweh H/RTz3hzyM3fP7
510AoI71enVc/62gfByCPKhi1E67I4e0
=Rg5H
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-24-2009, 06:55 PM
Per Sjoholm
 
Default service ypbind restart, denied access requested by genhomedircon

Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:


On CentOS 5.2
# ypcat -k auto.home
* asen20:/export/Server/homes/&

yp seems to be working for clients. BUT

Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
to procedure ypproc_match (oasen,auto_home;-4)

dox and asen20 is same machine (asen20 is a service IPaddress)
cd /var/yp; make does not
yp]# make
gmake[1]: Entering directory `/var/yp/oasen'
Updating passwd.byname...
failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
.....

[root@dox yp]# service ypbind restart
Shutting down NIS services: [ OK ]
Turning off allow_ypbind SELinux boolean
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..

var log messages
Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
changed to 0 by root
Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
changed to 1 by root
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org

# sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
Summary:
SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
(inaddr_any_node_t).

Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context root:system_r:semanage_t
Target Context system_ubject_r:inaddr_any_node_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):

avc: denied { node_bind } for pid=5378 comm="genhomedircon"
scontext=root:system_r:semanage_t:s0
tcontext=system_ubject_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)

# sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Summary:
SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
(hi_reserved_port_t).

Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context root:system_r:semanage_t
Target Context system_ubject_r:hi_reserved_port_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port 890
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):

avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
scontext=root:system_r:semanage_t:s0
tcontext=system_ubject_r:hi_reserved_port_t:s0 tclass=tcp_socket

host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)

# sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Summary:
SELinux is preventing genhomedircon (semanage_t) "name_connect" to
<Unknown>
(portmap_port_t).

Detailed Description:
SELinux denied access requested by genhomedircon. It is not expected
that this
access is required by genhomedircon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context root:system_r:semanage_t
Target Context system_ubject_rortmap_port_t
Target Objects None [ tcp_socket ]
Source genhomedircon
Source Path /usr/bin/python
Port 111
Host dox.oasen.dyndns.org
Source RPM Packages python-2.4.3-21.el5
Target RPM Packages Policy RPM
selinux-policy-2.4.6-137.1.el5

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org
2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 2
First Seen Tue Feb 24 14:08:17 2009
Last Seen Tue Feb 24 14:12:48 2009
Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):

avc: denied { name_connect } for pid=5378 comm="genhomedircon"
dest=111 scontext=root:system_r:semanage_t:s0
tcontext=system_ubject_rortmap_port_t:s0 tclass=tcp_socket

host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


There is a bug in the ypbind script that is causing this problem.

I believe there is a fix available in 5.3, But I am not sure.

If you edit the /etc/init.d/ypbind script there is a bug when turning on
or off the service. I believe there is a random "1" character in there.
Removing this character will cause the AVC to dissapear.


Line 40
if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
did not help
Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
changed to 0 by root
Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
changed to 1 by root
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39

Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmkM+sACgkQrlYvE4MpobMx0QCeJT7vpNJweh H/RTz3hzyM3fP7
510AoI71enVc/62gfByCPKhi1E67I4e0
=Rg5H
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-25-2009, 03:10 PM
Daniel J Walsh
 
Default service ypbind restart, denied access requested by genhomedircon

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
>
>
> Daniel J Walsh wrote:
> Per Sjoholm wrote:
>
>>>> On CentOS 5.2
>>>> # ypcat -k auto.home
>>>> * asen20:/export/Server/homes/&
>>>>
>>>> yp seems to be working for clients. BUT
>>>>
>>>> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
>>>> to procedure ypproc_match (oasen,auto_home;-4)
>>>>
>>>> dox and asen20 is same machine (asen20 is a service IPaddress)
>>>> cd /var/yp; make does not
>>>> yp]# make
>>>> gmake[1]: Entering directory `/var/yp/oasen'
>>>> Updating passwd.byname...
>>>> failed to send 'clear' to local ypserv: RPC: Timed outUpdating
>>>> passwd.byuid
>>>> .....
>>>>
>>>> [root@dox yp]# service ypbind restart
>>>> Shutting down NIS services: [ OK ]
>>>> Turning off allow_ypbind SELinux boolean
>>>> Turning on allow_ypbind SELinux boolean
>>>> Binding to the NIS domain: [ OK ]
>>>> Listening for an NIS domain server..
>>>>
>>>> var log messages
>>>> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 0 by root
>>>> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 1 by root
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>>>> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>>>> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>>>> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>>>>
>>>> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "node_bind" to
>>>> <Unknown>
>>>> (inaddr_any_node_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context root:system_r:semanage_t
>>>> Target Context system_ubject_r:inaddr_any_node_t
>>>> Target Objects None [ tcp_socket ]
>>>> Source genhomedircon
>>>> Source Path /usr/bin/python
>>>> Port <Unknown>
>>>> Host dox.oasen.dyndns.org
>>>> Source RPM Packages python-2.4.3-21.el5
>>>> Target RPM Packages Policy RPM
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> MLS Enabled True
>>>> Enforcing Mode Enforcing
>>>> Plugin Name catchall
>>>> Host Name dox.oasen.dyndns.org
>>>> Platform Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count 2
>>>> First Seen Tue Feb 24 14:08:17 2009
>>>> Last Seen Tue Feb 24 14:12:48 2009
>>>> Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Line Numbers Raw Audit Messages
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
>>>> avc: denied { node_bind } for pid=5378 comm="genhomedircon"
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_ubject_r:inaddr_any_node_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_bind" to
>>>> <Unknown>
>>>> (hi_reserved_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context root:system_r:semanage_t
>>>> Target Context system_ubject_r:hi_reserved_port_t
>>>> Target Objects None [ tcp_socket ]
>>>> Source genhomedircon
>>>> Source Path /usr/bin/python
>>>> Port 890
>>>> Host dox.oasen.dyndns.org
>>>> Source RPM Packages python-2.4.3-21.el5
>>>> Target RPM Packages Policy RPM
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> MLS Enabled True
>>>> Enforcing Mode Enforcing
>>>> Plugin Name catchall
>>>> Host Name dox.oasen.dyndns.org
>>>> Platform Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count 2
>>>> First Seen Tue Feb 24 14:08:17 2009
>>>> Last Seen Tue Feb 24 14:12:48 2009
>>>> Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Line Numbers Raw Audit Messages
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
>>>> avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_ubject_r:hi_reserved_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
>>>> <Unknown>
>>>> (portmap_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context root:system_r:semanage_t
>>>> Target Context system_ubject_rortmap_port_t
>>>> Target Objects None [ tcp_socket ]
>>>> Source genhomedircon
>>>> Source Path /usr/bin/python
>>>> Port 111
>>>> Host dox.oasen.dyndns.org
>>>> Source RPM Packages python-2.4.3-21.el5
>>>> Target RPM Packages Policy RPM
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> MLS Enabled True
>>>> Enforcing Mode Enforcing
>>>> Plugin Name catchall
>>>> Host Name dox.oasen.dyndns.org
>>>> Platform Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count 2
>>>> First Seen Tue Feb 24 14:08:17 2009
>>>> Last Seen Tue Feb 24 14:12:48 2009
>>>> Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Line Numbers Raw Audit Messages
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
>>>> avc: denied { name_connect } for pid=5378 comm="genhomedircon"
>>>> dest=111 scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_ubject_rortmap_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
>>>> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>>
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
> There is a bug in the ypbind script that is causing this problem.
>
> I believe there is a fix available in 5.3, But I am not sure.
>
> If you edit the /etc/init.d/ypbind script there is a bug when turning on
> or off the service. I believe there is a random "1" character in there.
> Removing this character will cause the AVC to dissapear.
>
>> Line 40
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
>> did not help
>> Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
>> changed to 0 by root
>> Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
>> changed to 1 by root
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>> SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>> SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>> SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
>> Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>
>>
- --
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What is happening is the boolean is being turned off when the machine is
still in NIS Mode. IE The kernel is still causing all getpw* calls to
bind to random ports.

If this machine is going to run with nis, you need to execute

setsebool -P allow_ypbind=1

Then with the fix, the script will not turn off the boolean.

This will prevent the random avc messages.

The script turning the boolean on, was just trying to help in the case
the user did not set the boolean permanently.

allow_ypbind is a bad boolean to set if you are not using NIS, since it
allows lots of confined applications to setup as services on any port
they want.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmlbVsACgkQrlYvE4MpobMUeQCgm5wrIkKGDW LXyfP/YWz7bK6/
Wg0AoMeeHfnlgdoSXOzT550OrtHiNBOe
=nXR/
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 05:38 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org