service ypbind restart, denied access requested by genhomedircon
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 24 17:52:43 UTC 2009
Per Sjoholm wrote:
> On CentOS 5.2
> # ypcat -k auto.home
> * asen20:/export/Server/homes/&
>
> yp seems to be working for clients. BUT
>
> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
> to procedure ypproc_match (oasen,auto_home;-4)
>
> dox and asen20 are the same machine (asen20 is a service IP address)
> cd /var/yp; make does not
> yp]# make
> gmake[1]: Entering directory `/var/yp/oasen'
> Updating passwd.byname...
> failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
> .....
>
> [root at dox yp]# service ypbind restart
> Shutting down NIS services: [ OK ]
> Turning off allow_ypbind SELinux boolean
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain: [ OK ]
> Listening for an NIS domain server..
>
> var log messages
> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
> changed to 0 by root
> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
> changed to 1 by root
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>
> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
> (inaddr_any_node_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_u:object_r:inaddr_any_node_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
> avc: denied { node_bind } for pid=5378 comm="genhomedircon"
> scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
> (hi_reserved_port_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_u:object_r:hi_reserved_port_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port 890
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
> avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
> scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
> Summary:
> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
> <Unknown>
> (portmap_port_t).
>
> Detailed Description:
> SELinux denied access requested by genhomedircon. It is not expected
> that this
> access is required by genhomedircon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context root:system_r:semanage_t
> Target Context system_u:object_r:portmap_port_t
> Target Objects None [ tcp_socket ]
> Source genhomedircon
> Source Path /usr/bin/python
> Port 111
> Host dox.oasen.dyndns.org
> Source RPM Packages python-2.4.3-21.el5
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org
> 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue Feb 24 14:08:17 2009
> Last Seen Tue Feb 24 14:12:48 2009
> Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
> Line Numbers
> Raw Audit Messages
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
> avc: denied { name_connect } for pid=5378 comm="genhomedircon"
> dest=111 scontext=root:system_r:semanage_t:s0
> tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.
I believe there is a fix available in 5.3, but I am not sure.
If you edit the /etc/init.d/ypbind script there is a bug when turning on
or off the service. I believe there is a random "1" character in there.
Removing this character will cause the AVC to disappear.
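As an added triage example, not part of either message in this thread: a small Python parser that pulls the three AVC records Per quoted out of raw audit text, groups them by offending process, and renders the allow rules a tool such as audit2allow would propose for them. The sample lines are constructed from the quoted sealert output (re-joined onto single lines, since the mail wraps them), and the function names are my own. Seeing the three denials as one row for pid 5378 (genhomedircon running as semanage_t, doing node_bind, name_bind on port 890 and name_connect to port 111) is what tells you a policy module is the wrong fix here; as Dan's reply says, the init script is.

```python
import re

# Constructed sample: the three AVC records (and one SYSCALL record) from the
# quoted sealert output, each re-joined onto a single line.
SAMPLE_AUDIT = """\
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 pid=5378 comm="genhomedircon" exe="/usr/bin/python"
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

# Matches the fixed part of an AVC denial; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs; values are either a quoted string (comm="...") or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # name_bind records carry src=<port>, name_connect records carry dest=<port>.
    port = fields.get('src', fields.get('dest'))
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields.get('tclass'),
        'port': int(port) if port is not None else None,
    }


def summarize(audit_text):
    """Group denials by (pid, comm, source type) so one process shows up as one row."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['pid'], rec['comm'], rec['source_type'])
        groups.setdefault(key, []).append(rec)
    return groups


def proposed_rules(records):
    """Render denials as the allow rules a catch-all local module would contain.

    This is for review only: if a rule looks wrong for the domain (semanage_t
    talking to the portmapper, for instance), fix the caller, not the policy.
    """
    rules = set()
    for r in records:
        rules.add('allow %s %s:%s { %s };' % (
            r['source_type'], r['target_type'], r['tclass'], ' '.join(r['perms'])))
    return sorted(rules)


if __name__ == '__main__':
    for (pid, comm, stype), recs in summarize(SAMPLE_AUDIT).items():
        print('pid %d %s (%s): %d denial(s)' % (pid, comm, stype, len(recs)))
        for r in recs:
            print('  %-13s -> %-20s port=%s' % (
                ' '.join(r['perms']), r['target_type'], r['port']))
        for rule in proposed_rules(recs):
            print('  would need: ' + rule)
```

Run it against `ausearch -m avc` output or a copied sealert "Raw Audit Messages" section; the grouping key is what lets you tell one mis-triggered process from a genuinely new access pattern.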