service ypbind restart, denied access requested by genhomedircon

Daniel J Walsh dwalsh at redhat.com
Wed Feb 25 16:10:03 UTC 2009



Per Sjoholm wrote:
> 
> 
> Daniel J Walsh wrote:
> Per Sjoholm wrote:
>  
>>>> On CentOS 5.2
>>>> # ypcat -k auto.home
>>>> * asen20:/export/Server/homes/&
>>>>
>>>> yp seems to be working for clients. BUT
>>>>
>>>> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
>>>> to procedure ypproc_match (oasen,auto_home;-4)
>>>>
>>>> dox and asen20 is same machine (asen20 is a service IPaddress)
>>>> cd /var/yp; make does not
>>>> yp]# make
>>>> gmake[1]: Entering directory `/var/yp/oasen'
>>>> Updating passwd.byname...
>>>> failed to send 'clear' to local ypserv: RPC: Timed outUpdating
>>>> passwd.byuid
>>>> .....
>>>>
>>>> [root at dox yp]# service ypbind  restart
>>>> Shutting down NIS services:                                [  OK  ]
>>>> Turning off allow_ypbind SELinux boolean
>>>> Turning on allow_ypbind SELinux boolean
>>>> Binding to the NIS domain:                                 [  OK  ]
>>>> Listening for an NIS domain server..
>>>>
>>>> var log messages
>>>> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 0 by root
>>>> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
>>>> changed to 1 by root
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>>>> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>>>> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>>>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>>>> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>>>>
>>>> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "node_bind" to
>>>> <Unknown>
>>>> (inaddr_any_node_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:inaddr_any_node_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          <Unknown>
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      70aadaea-686d-45b6-a10e-f4d5909b49bf
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
>>>> avc:  denied  { node_bind } for  pid=5378 comm="genhomedircon"
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_bind" to
>>>> <Unknown>
>>>> (hi_reserved_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:hi_reserved_port_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          890
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
>>>> avc:  denied  { name_bind } for  pid=5378 comm="genhomedircon" src=890
>>>> scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
>>>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Summary:
>>>> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
>>>> <Unknown>
>>>> (portmap_port_t).
>>>>
>>>> Detailed Description:
>>>> SELinux denied access requested by genhomedircon. It is not expected
>>>> that this
>>>> access is required by genhomedircon and this access may signal an
>>>> intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>>> disable
>>>> SELinux protection altogether. Disabling SELinux protection is not
>>>> recommended.
>>>> Please file a bug report
>>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>>> against this package.
>>>>
>>>> Additional Information:
>>>> Source Context                root:system_r:semanage_t
>>>> Target Context                system_u:object_r:portmap_port_t
>>>> Target Objects                None [ tcp_socket ]
>>>> Source                        genhomedircon
>>>> Source Path                   /usr/bin/python
>>>> Port                          111
>>>> Host                          dox.oasen.dyndns.org
>>>> Source RPM Packages           python-2.4.3-21.el5
>>>> Target RPM Packages          Policy RPM                  
>>>> selinux-policy-2.4.6-137.1.el5
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> MLS Enabled                   True
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     dox.oasen.dyndns.org
>>>> Platform                      Linux dox.oasen.dyndns.org
>>>> 2.6.18-92.1.22.el5 #1
>>>>                              SMP Tue Dec 16 11:57:43 EST 2008 x86_64
>>>> x86_64
>>>> Alert Count                   2
>>>> First Seen                    Tue Feb 24 14:08:17 2009
>>>> Last Seen                     Tue Feb 24 14:12:48 2009
>>>> Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
>>>> Line Numbers                Raw Audit Messages         
>>>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
>>>> avc:  denied  { name_connect } for  pid=5378 comm="genhomedircon"
>>>> dest=111 scontext=root:system_r:semanage_t:s0
>>>> tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>>>>
>>>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
>>>> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
>>>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>>>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>>>
>>>>
>>>>
>>>> -- 
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>     
> There is a bug in the ypbind script that is causing this problem.
> 
> I believe there is a fix available in 5.3, but I am not sure.
> 
> If you edit the /etc/init.d/ypbind script there is a bug when turning on
> or off the service.  I believe there is a random "1" character in there.
> Removing this character will cause the AVC to disappear.
>   
>> Line 40
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
>> if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
>> did not help
>> Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
>> changed to 0 by root
>> Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
>> changed to 1 by root
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>> SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>> SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
>> Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>> SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
>> Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
> 
>>

What is happening is that the boolean is being turned off while the machine is
still in NIS mode, i.e. the kernel is still causing all getpw* calls to
bind to random ports.

If this machine is going to run with nis, you need to execute

setsebool -P allow_ypbind=1

Then with the fix, the script will not turn off the boolean.

This will prevent the random AVC messages.

The script turning the boolean on was just trying to help in the case
the user did not set the boolean permanently.

allow_ypbind is a bad boolean to set if you are not using NIS, since it
allows lots of confined applications to set up as services on any port
they want.
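As an added illustration (not code from the thread or from the ypbind package): a POSIX shell snippet that separates the AVC denials arriving right after the init script switches allow_ypbind off from unrelated denials, run over a constructed /var/log/messages sample modelled on the lines quoted above. The `allow_ypbind=1` line format in booleans.local is an assumption.

```shell
#!/bin/sh
# Constructed sample log (not the poster's real log): a boolean toggle by the
# ypbind init script, the semanage_t denials it triggers, and one unrelated denial.
SAMPLE_LOG='Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root
Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t).
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t).
Feb 24 14:12:52 dox ypbind: bound to NIS server nis.example.test
Feb 24 15:00:00 dox setroubleshoot: SELinux is preventing httpd (httpd_t) "name_connect" to <Unknown> (mysqld_port_t).'

# classify_denials WINDOW_SECONDS < logfile
# Prints "<denials within WINDOW of an allow_ypbind off-toggle> <other denials>".
# Timestamps are compared as seconds since midnight; a log spanning midnight
# would need the date fields added to the arithmetic.
classify_denials() {
  awk -v win="$1" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /setsebool: The allow_ypbind policy boolean was changed to 0/ { off = secs($3); next }
    /setroubleshoot: SELinux is preventing/ {
      if (off != "" && secs($3) - off <= win) related++; else other++
    }
    END { printf "%d %d\n", related, other }'
}

# Is allow_ypbind set persistently (setsebool -P)?  Looks for the value in the
# booleans.local file named in the thread; the "name=value" format is assumed.
# Needs a real SELinux host, so the sample run below does not call it.
ypbind_boolean_persistent() {
  grep -q '^allow_ypbind=1$' \
    "/etc/selinux/${SELINUXTYPE:-targeted}/modules/active/booleans.local" 2>/dev/null
}

# Denials landing within 10 s of the off-toggle are the symptom Dan describes;
# the remedy is "setsebool -P allow_ypbind=1" so the script never flips it off.
echo "toggle-related / other denials: $(printf '%s\n' "$SAMPLE_LOG" | classify_denials 10)"
```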

