NIS trouble after update of targeted policy

alex at milivojevic.org alex at milivojevic.org
Fri Jun 17 15:20:13 UTC 2005


This is a continuation of my previous mail to this list (the subject was
"selinux-policy-targeted and logrotate", but it was really more about upgrading
from 1.17.30-2.88 to 1.17.30-3.6).

After I upgraded to selinux-policy-targeted-1.17.30-3.6 (Daniel's rhel4u2 RPM),
several applications controlled by the targeted policy started complaining about
what looks like denied lookups to NIS maps.  The testing box in
question is in permissive mode, so there might be many more of those on boxes
running in enforcing mode.

The logs are in the attachment.

Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc:  denied  { search } for  pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc:  denied  { read } for  pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc:  denied  { search } for  pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc:  denied  { search } for  pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { search } for  pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { read } for  pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc:  denied  { connect } for  pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc:  denied  { name_bind } for  pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc:  denied  { search } for  pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
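A small triage helper for the attached AVC messages, added here as an example and not part of the original post. It parses each denial, counts them by source domain, permission and target type, flags the ones whose target is NIS or nscd data (`var_yp_t`, `nscd_var_run_t`), and prints the TE allow rules that audit2allow would derive from the same input. The sample input is the attachment itself; the function names and the `NIS_TYPES` set are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# The thirteen AVC messages attached to the post above, used as sample input.
SAMPLE_LOG = """\
Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc:  denied  { search } for  pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc:  denied  { read } for  pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc:  denied  { search } for  pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc:  denied  { search } for  pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { search } for  pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { read } for  pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc:  denied  { connect } for  pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc:  denied  { name_bind } for  pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc:  denied  { search } for  pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
"""

# "avc:  denied  { perm ... } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that belong to the NIS lookup path (choice made for this example).
NIS_TYPES = {"var_yp_t", "nscd_var_run_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))  # pid, comm, scontext, ...
    return rec


def parse_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def type_of(context):
    """Pull the type out of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(records):
    """Count denials per (source type, permission, target type, object class)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(type_of(r["scontext"]), perm, type_of(r["tcontext"]), r["tclass"])] += 1
    return counts


def nis_lookup_denials(records):
    """Denials whose target is NIS map or nscd socket data."""
    return [r for r in records if type_of(r["tcontext"]) in NIS_TYPES]


def te_rules(records):
    """Collapse denials into TE allow rules in the form audit2allow prints."""
    perms = defaultdict(set)
    for r in records:
        s, t = type_of(r["scontext"]), type_of(r["tcontext"])
        perms[(s, "self" if s == t else t, r["tclass"])].update(r["perms"])
    rules = []
    for (s, t, cls), ps in sorted(perms.items()):
        p = " ".join(sorted(ps))
        rules.append(f"allow {s} {t}:{cls} {p if len(ps) == 1 else '{ ' + p + ' }'};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("source domains:", sorted({type_of(r['scontext']) for r in recs}))
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key}")
    print(f"{len(nis_lookup_denials(recs))} of {len(recs)} denials hit NIS/nscd objects")
    print("\n".join(te_rules(recs)))
```

Because the box is in permissive mode, every would-be denial is logged, so the summary is a complete picture of what enforcing mode would block. In the attachment each `var_yp_t` read is immediately followed by `reserved_port_t` `name_bind` denials on a UDP and a TCP socket from the same pid, which is consistent with the RPC client binding a reserved port for the NIS call; the helper flags only the file-system targets, so read the rule list as a whole rather than taking the NIS count alone. Rules derived this way describe what the applications attempted, not what they should be allowed; compare them with the policy RPM that caused the regression before loading anything.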

